
@formatjs/intl-localematcher
We've migrated the docs to https://formatjs.github.io/docs/polyfills/intl-localematcher.
This package implements a highly optimized three-tier locale matching algorithm that provides excellent performance even with large locale sets (700+ locales).
Benchmarked with 725 CLDR locales on Node.js:
| Scenario | Latency | Throughput | Relative Performance |
|---|---|---|---|
| Tier 1: Exact Match (en) | 1.38ms | 730 ops/s | Baseline |
| Tier 2: 1-level Fallback (en-US → en) | 1.39ms | 725 ops/s | 1.01x slower |
| Tier 2: Maximized Match (zh-TW → zh-Hant) | 1.40ms | 720 ops/s | 1.02x slower |
| Tier 3: CLDR Distance (sr-Latn-BA → sr-Latn-BA) | 1.38ms | 730 ops/s | 1.00x slower |
| Tier 3: Fuzzy Match (en-XZ → en) | 1.50ms | 670 ops/s | 1.09x slower |
The optimization in this package resolved issue #4936, where DurationFormat instantiation was taking 610ms on React Native/Hermes due to slow locale matching against 700+ auto-loaded locales.
After optimization:
- en-US: 1.39ms per instantiation
- zh-TW: 1.40ms per instantiation
- Performance improvement: 439x faster 🚀
The algorithm uses three tiers for maximum performance:
This design ensures that common cases (exact matches and simple fallbacks) are extremely fast, while complex scenarios (script/region matching, language distances) still perform well.
The 'locale' package provides similar functionality for locale detection and negotiation. It can parse, normalize, and match locales using different strategies. Compared to @formatjs/intl-localematcher, 'locale' offers a broader set of features for handling locales but might not specifically implement the Best Fit Matcher algorithm as defined by ECMAScript.
This package is designed to parse the Accept-Language header from an HTTP request and match it against a list of supported languages. While it serves a similar purpose in determining the best language for the user, it is more focused on the context of HTTP requests and does not directly implement the ECMAScript Internationalization API's Best Fit Matcher algorithm.
FAQs
Intl.LocaleMatcher ponyfill
The npm package @formatjs/intl-localematcher receives a total of 10,741,196 weekly downloads. As such, @formatjs/intl-localematcher's popularity was classified as popular.
We found that @formatjs/intl-localematcher demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 3 open source maintainers collaborating on the project.