Clarification: XSS vulnerability fix for Vue 2 version (vue-i18n 8.x)

[gaganhn]

Hi team,

We’re currently using vue-i18n with Vue 2 in several large applications. Recently, our security scans (via Snyk) flagged a Cross-site Scripting (XSS) vulnerability (SNYK-JS-VUEI18N-10771082).

According to Snyk, the issue is resolved only in vue-i18n versions 9.14.5, 10.0.8, 11.1.10 or higher, which are all Vue 3+ compatible.
That means for Vue 2 projects, there’s currently no officially patched release available.

Could you please clarify:

• Was there ever a Vue 2 compatible release that included a fix for this vulnerability?
• If not, is there a recommended way to backport or patch the fix ourselves safely (for internal use only)?

We’d like to either patch this ourselves (via a fork) (But need some support of how) or follow an officially supported direction, since migrating all Vue 2 applications to Vue 3 immediately isn’t feasible.

Thank you for your guidance!

— Gagan

[hsubramani42]

I am facing similar issue in my applications would be great if we can get some help on this. I tried checking release tags but unable to find the version 8.x

[udeshvirk]

This is quite important as many applications are still running on Vue 2. Please help provide a fix for Vue 2 applications, or let us know how we can patch it ourselves.