chore(deps): update dependency i18next-fs-backend to v2.6.5 #135

Merged
renovate[bot] merged 1 commit into main from renovate/i18next-fs-backend-2.x-lockfile
Apr 27, 2026

@renovate renovate Bot commented Apr 27, 2026

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
i18next-fs-backend 2.6.3 → 2.6.5 age adoption passing confidence

Release Notes

i18next/i18next-fs-backend (i18next-fs-backend)

v2.6.5

  • fix: allow forward slashes in ns values so nested namespace names (mapping to subfolder locale files such as public/locales/en/a/b.json) load correctly again. 2.6.4's security fix applied the same strict path-segment check to both lng and ns, which was correct for lng (no BCP-47 shape contains /) but over-strict for ns — nested namespaces containing / were never officially supported, but the behaviour fell out of the implicit string-substitution semantics of loadPath and is common enough in the wild to be worth accommodating. isSafePathSegment is now split into isSafeLangSegment (strict — still rejects /) and isSafeNsSegment (loose — allows / but still rejects .., \, control chars, prototype keys, and oversized inputs). isSafePathSegment is kept as a backwards-compatible alias for the strict check. The 2.6.4 security fix remains in force for every concrete attack pattern from the original advisory. Fixes #74.

v2.6.4

Security release — all issues found via an internal audit. See published advisory GHSA-8847-338w-5hcj.

  • security: refuse to build filesystem paths when lng or ns values contain .., path separators (/, \), control characters, prototype keys (__proto__ / constructor / prototype), or exceed 128 chars. Prevents arbitrary filesystem read / write via attacker-controlled language-code values. Any legitimate i18next language-code shape (BCP-47-like, underscores, hyphens, dots, +-joined multi-language requests) is still accepted (GHSA-8847-338w-5hcj)
  • docs: new "Security considerations" README section — documents the filesystem-path sanitiser and clarifies the trust model around .js/.ts locale files (their content is eval-ed, so they must be treated as code). The eval behaviour itself is retained: dynamic expressions in .js/.ts locale files are an intentional feature, and safe replacements like import() are async-only and not viable for this sync-capable code path.
  • chore: ignore .env* and *.pem/*.key files in .gitignore.

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • "before 6am on monday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
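
The strict language check and the looser namespace check described in the release notes above, sketched as an added example; this is not code from i18next-fs-backend or from this repository. The names safeLang, safeNs and buildPath, the template value, the rejection of empty values and the per-piece prototype-key check are assumptions of this sketch.

```javascript
// Added illustration of the checks the release notes describe; not the library's source.
// safeLang, safeNs and buildPath are hypothetical names.
const MAX_LEN = 128; // length limit stated in the 2.6.4 notes
const PROTO_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const CONTROL_CHARS = /[\u0000-\u001f\u007f]/;

// Rules common to lng and ns. Rejecting non-strings and empty strings is an
// assumption of this sketch; the other rules come from the release notes.
function baseOk(value) {
  return typeof value === 'string' &&
    value.length > 0 && value.length <= MAX_LEN &&
    !value.includes('..') && !value.includes('\\') &&
    !CONTROL_CHARS.test(value) &&
    // Assumption: prototype keys are checked per "/"-separated piece.
    !value.split('/').some((piece) => PROTO_KEYS.has(piece));
}

// Strict check for language codes: "/" is never valid here.
function safeLang(lng) {
  return baseOk(lng) && !lng.includes('/');
}

// Loose check for namespaces: "/" is allowed so "a/b" maps to a subfolder.
function safeNs(ns) {
  return baseOk(ns);
}

// Substitute into a loadPath-style template, or return null to refuse.
function buildPath(template, lng, ns) {
  if (!safeLang(lng) || !safeNs(ns)) return null;
  // One pass with a function replacer: values are never re-scanned for
  // placeholders and "$&"-style replacement patterns are not interpreted.
  return template.replace(/\{\{(lng|ns)\}\}/g, (_, key) => (key === 'lng' ? lng : ns));
}

// Constructed sample inputs.
const TEMPLATE = 'public/locales/{{lng}}/{{ns}}.json';
const samples = [['en', 'a/b'], ['en+de', 'common'], ['../../etc', 'passwd'],
  ['en/US', 'common'], ['en', '..\\secret'], ['en', '__proto__']];
for (const [lng, ns] of samples) {
  console.log(JSON.stringify([lng, ns]), '->', buildPath(TEMPLATE, lng, ns));
}
```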

@github-actions

Automatic builds from https://github.com/NethServer/nethlink/actions/runs/24972459083.
Commit: 896cfb6

Name Platform Link
win-app.exe Windows (x64) Link
macos-app-x64.dmg MacOS (x64) Link
macos-app-arm64.dmg MacOS (arm64) Link
linux-app.AppImage Linux (x64) Link

@renovate renovate Bot force-pushed the renovate/i18next-fs-backend-2.x-lockfile branch from 896cfb6 to 8032845 April 27, 2026 06:35
@github-actions

Automatic builds from https://github.com/NethServer/nethlink/actions/runs/24980201819.
Commit: 8032845

Name Platform Link
win-app.exe Windows (x64) Link
macos-app-x64.dmg MacOS (x64) Link
macos-app-arm64.dmg MacOS (arm64) Link
linux-app.AppImage Linux (x64) Link

@renovate renovate Bot merged commit 3529dd4 into main Apr 27, 2026
4 checks passed
@renovate renovate Bot deleted the renovate/i18next-fs-backend-2.x-lockfile branch April 27, 2026 09:43