From 3d292720fc56c781f71c6953729e00a453ff6036 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 5 May 2025 03:35:25 +0000 Subject: [PATCH 1/3] chore(deps): update dependency vite to v6.2.7 [security] (#4977) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [vite](https://vite.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`6.2.6` -> `6.2.7`](https://renovatebot.com/diffs/npm/vite/6.2.6/6.2.7) | [![age](https://developer.mend.io/api/mc/badges/age/npm/vite/6.2.7?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/vite/6.2.7?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/vite/6.2.6/6.2.7?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vite/6.2.6/6.2.7?slim=true)](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2025-46565](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-859w-5945-r5v3) ### Summary The contents of files in [the project `root`](https://vite.dev/config/shared-options.html#root) that are denied by a file matching pattern can be returned to the browser. ### Impact Only apps explicitly exposing the Vite dev server to the network (using --host or [server.host config option](https://vitejs.dev/config/server-options.html#server-host)) are affected. Only files that are under [project `root`](https://vite.dev/config/shared-options.html#root) and are denied by a file matching pattern can be bypassed. - Examples of file matching patterns: `.env`, `.env.*`, `*.{crt,pem}`, `**/.env` - Examples of other patterns: `**/.git/**`, `.git/**`, `.git/**/*` ### Details [`server.fs.deny`](https://vite.dev/config/server-options.html#server-fs-deny) can contain patterns matching against files (by default it includes `.env`, `.env.*`, `*.{crt,pem}` as such patterns). These patterns were able to bypass for files under `root` by using a combination of slash and dot (`/.`). ### PoC ``` npm create vite@latest cd vite-project/ cat "secret" > .env npm install npm run dev curl --request-target /.env/. http://localhost:5173 ``` ![image](https://redirect.github.com/user-attachments/assets/822f4416-aa42-461f-8c95-a88d155e674b) ![image](https://redirect.github.com/user-attachments/assets/42902144-863a-4afb-ac5b-fc16effa37cc) --- ### Release Notes

vitejs/vite (vite)

### [`v6.2.7`](https://redirect.github.com/vitejs/vite/releases/tag/v6.2.7) [Compare Source](https://redirect.github.com/vitejs/vite/compare/v6.2.6...v6.2.7) Please refer to [CHANGELOG.md](https://redirect.github.com/vitejs/vite/blob/v6.2.7/packages/vite/CHANGELOG.md) for details.

--- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/formatjs/formatjs). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- pnpm-lock.yaml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 6ff1f52fe5b..e7009c9de3c 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -330,7 +330,7 @@ importers: version: 1.0.4 vite: specifier: ^6 - version: 6.2.6(@types/node@22.13.10)(jiti@2.4.2)(terser@5.39.0)(yaml@2.7.1) + version: 6.2.7(@types/node@22.13.10)(jiti@2.4.2)(terser@5.39.0)(yaml@2.7.1) vitest: specifier: ^3 version: 3.1.1(@types/debug@4.1.12)(@types/node@22.13.10)(happy-dom@17.4.4)(jiti@2.4.2)(jsdom@20.0.3)(terser@5.39.0)(yaml@2.7.1) @@ -9864,8 +9864,8 @@ packages: engines: {node: ^18.0.0 || ^20.0.0 || >=22.0.0} hasBin: true - vite@6.2.6: - resolution: {integrity: sha512-9xpjNl3kR4rVDZgPNdTL0/c6ao4km69a/2ihNQbcANz8RuCOK3hQBmLSJf3bRKVQjVMda+YvizNE8AwvogcPbw==} + vite@6.2.7: + resolution: {integrity: sha512-qg3LkeuinTrZoJHHF94coSaTfIPyBYoywp+ys4qu20oSJFbKMYoIJo0FWJT9q6Vp49l6z9IsJRbHdcGtiKbGoQ==} engines: {node: ^18.0.0 || ^20.0.0 || >=22.0.0} hasBin: true peerDependencies: @@ -13766,13 +13766,13 @@ snapshots: chai: 5.2.0 tinyrainbow: 2.0.0 - '@vitest/mocker@3.1.1(vite@6.2.6(@types/node@22.13.10)(jiti@2.4.2)(terser@5.39.0)(yaml@2.7.1))': + '@vitest/mocker@3.1.1(vite@6.2.7(@types/node@22.13.10)(jiti@2.4.2)(terser@5.39.0)(yaml@2.7.1))': dependencies: '@vitest/spy': 3.1.1 estree-walker: 3.0.3 magic-string: 0.30.17 optionalDependencies: - vite: 6.2.6(@types/node@22.13.10)(jiti@2.4.2)(terser@5.39.0)(yaml@2.7.1) + vite: 6.2.7(@types/node@22.13.10)(jiti@2.4.2)(terser@5.39.0)(yaml@2.7.1) '@vitest/pretty-format@3.1.1': dependencies: @@ -21443,7 +21443,7 @@ snapshots: debug: 4.4.0 es-module-lexer: 1.6.0 pathe: 2.0.3 - vite: 6.2.6(@types/node@22.13.10)(jiti@2.4.2)(terser@5.39.0)(yaml@2.7.1) + vite: 6.2.7(@types/node@22.13.10)(jiti@2.4.2)(terser@5.39.0)(yaml@2.7.1) transitivePeerDependencies: - '@types/node' - jiti @@ -21458,7 +21458,7 @@ snapshots: - tsx - yaml - vite@6.2.6(@types/node@22.13.10)(jiti@2.4.2)(terser@5.39.0)(yaml@2.7.1): + vite@6.2.7(@types/node@22.13.10)(jiti@2.4.2)(terser@5.39.0)(yaml@2.7.1): dependencies: esbuild: 0.25.3 postcss: 8.5.3 @@ -21473,7 +21473,7 @@ snapshots: vitest@3.1.1(@types/debug@4.1.12)(@types/node@22.13.10)(happy-dom@17.4.4)(jiti@2.4.2)(jsdom@20.0.3)(terser@5.39.0)(yaml@2.7.1): dependencies: '@vitest/expect': 3.1.1 - '@vitest/mocker': 3.1.1(vite@6.2.6(@types/node@22.13.10)(jiti@2.4.2)(terser@5.39.0)(yaml@2.7.1)) + '@vitest/mocker': 3.1.1(vite@6.2.7(@types/node@22.13.10)(jiti@2.4.2)(terser@5.39.0)(yaml@2.7.1)) '@vitest/pretty-format': 3.1.1 '@vitest/runner': 3.1.1 '@vitest/snapshot': 3.1.1 @@ -21489,7 +21489,7 @@ snapshots: tinyexec: 0.3.2 tinypool: 1.0.2 tinyrainbow: 2.0.0 - vite: 6.2.6(@types/node@22.13.10)(jiti@2.4.2)(terser@5.39.0)(yaml@2.7.1) + vite: 6.2.7(@types/node@22.13.10)(jiti@2.4.2)(terser@5.39.0)(yaml@2.7.1) vite-node: 3.1.1(@types/node@22.13.10)(jiti@2.4.2)(terser@5.39.0)(yaml@2.7.1) why-is-node-running: 2.3.0 optionalDependencies: From 23f89da8e482760f6df8df1e6bebf5e0943e3424 Mon Sep 17 00:00:00 2001 From: Long Ho Date: Sun, 4 May 2025 23:45:20 -0400 Subject: [PATCH 2/3] fix(@formatjs/cli): support space for in-file --- packages/cli-lib/src/cli.ts | 2 +- .../extract/__snapshots__/integration.test.ts.snap | 3 +++ packages/cli/integration-tests/extract/inFile.txt | 2 +- 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/packages/cli-lib/src/cli.ts b/packages/cli-lib/src/cli.ts index 33c076d5476..8418a6e22fc 100644 --- a/packages/cli-lib/src/cli.ts +++ b/packages/cli-lib/src/cli.ts @@ -137,7 +137,7 @@ sentences are not translator-friendly.` const inFile = readFileSync(cmdObj.inFile, 'utf8') files.push( ...inFile - .split('\n') + .split(/\n|\s+/) .filter(Boolean) .map(f => resolve(f)) ) diff --git a/packages/cli/integration-tests/extract/__snapshots__/integration.test.ts.snap b/packages/cli/integration-tests/extract/__snapshots__/integration.test.ts.snap index 792e970c5c0..be2857e7dbd 100644 --- a/packages/cli/integration-tests/extract/__snapshots__/integration.test.ts.snap +++ b/packages/cli/integration-tests/extract/__snapshots__/integration.test.ts.snap @@ -342,6 +342,9 @@ exports[`basic case: inFile 2`] = ` "defaultMessage": "{count, plural, =0 {😭} one {# kitten} other {# kittens}}", "description": "Counts kittens", }, + "bar": { + "defaultMessage": "Bar", + }, "escaped.apostrophe": { "defaultMessage": "A quoted value ''{value}'", "description": "Escaped apostrophe", diff --git a/packages/cli/integration-tests/extract/inFile.txt b/packages/cli/integration-tests/extract/inFile.txt index 42bfef397bf..4bd9b186290 100644 --- a/packages/cli/integration-tests/extract/inFile.txt +++ b/packages/cli/integration-tests/extract/inFile.txt @@ -1,2 +1,2 @@ defineMessages/actual.js -duplicated/file1.tsx \ No newline at end of file +inFile/file1.tsx inFile/file2.tsx \ No newline at end of file From d26fe5a0d2d17c8d6d669ba95989aeb83fc9a0ef Mon Sep 17 00:00:00 2001 From: Long Ho Date: Sun, 4 May 2025 23:45:48 -0400 Subject: [PATCH 3/3] build: publish - @formatjs/cli-lib@7.4.1 - @formatjs/cli@6.7.1 --- packages/cli-lib/CHANGELOG.md | 6 ++++++ packages/cli-lib/package.json | 2 +- packages/cli/CHANGELOG.md | 6 ++++++ packages/cli/package.json | 2 +- 4 files changed, 14 insertions(+), 2 deletions(-) diff --git a/packages/cli-lib/CHANGELOG.md b/packages/cli-lib/CHANGELOG.md index 1a20fc9eef4..6a29841008c 100644 --- a/packages/cli-lib/CHANGELOG.md +++ b/packages/cli-lib/CHANGELOG.md @@ -3,6 +3,12 @@ All notable changes to this project will be documented in this file. See [Conventional Commits](https://conventionalcommits.org) for commit guidelines. +## [7.4.1](https://github.com/formatjs/formatjs/compare/@formatjs/cli-lib@7.4.0...@formatjs/cli-lib@7.4.1) (2025-05-05) + +### Bug Fixes + +* **@formatjs/cli:** support space for in-file ([23f89da](https://github.com/formatjs/formatjs/commit/23f89da8e482760f6df8df1e6bebf5e0943e3424)) - by @longlho + # [7.4.0](https://github.com/formatjs/formatjs/compare/@formatjs/cli-lib@7.3.4...@formatjs/cli-lib@7.4.0) (2025-05-05) ### Features diff --git a/packages/cli-lib/package.json b/packages/cli-lib/package.json index a9c5f7dae8f..501451ec1cf 100644 --- a/packages/cli-lib/package.json +++ b/packages/cli-lib/package.json @@ -1,7 +1,7 @@ { "name": "@formatjs/cli-lib", "description": "Lib for CLI for formatjs.", - "version": "7.4.0", + "version": "7.4.1", "license": "MIT", "author": "Linjie Ding ", "engines": { diff --git a/packages/cli/CHANGELOG.md b/packages/cli/CHANGELOG.md index 63219275180..d2eac74ed50 100644 --- a/packages/cli/CHANGELOG.md +++ b/packages/cli/CHANGELOG.md @@ -3,6 +3,12 @@ All notable changes to this project will be documented in this file. See [Conventional Commits](https://conventionalcommits.org) for commit guidelines. +## [6.7.1](https://github.com/formatjs/formatjs/compare/@formatjs/cli@6.7.0...@formatjs/cli@6.7.1) (2025-05-05) + +### Bug Fixes + +* **@formatjs/cli:** support space for in-file ([23f89da](https://github.com/formatjs/formatjs/commit/23f89da8e482760f6df8df1e6bebf5e0943e3424)) - by @longlho + # [6.7.0](https://github.com/formatjs/formatjs/compare/@formatjs/cli@6.6.4...@formatjs/cli@6.7.0) (2025-05-05) ### Features diff --git a/packages/cli/package.json b/packages/cli/package.json index 922cd433a6c..dbbc0a10bbd 100644 --- a/packages/cli/package.json +++ b/packages/cli/package.json @@ -1,7 +1,7 @@ { "name": "@formatjs/cli", "description": "A CLI for formatjs.", - "version": "6.7.0", + "version": "6.7.1", "license": "MIT", "author": "Linjie Ding ", "engines": { pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.

Alternative Proxies: