From 3d292720fc56c781f71c6953729e00a453ff6036 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 5 May 2025 03:35:25 +0000 Subject: [PATCH 1/3] chore(deps): update dependency vite to v6.2.7 [security] (#4977) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [vite](https://vite.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`6.2.6` -> `6.2.7`](https://renovatebot.com/diffs/npm/vite/6.2.6/6.2.7) | [![age](https://developer.mend.io/api/mc/badges/age/npm/vite/6.2.7?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/vite/6.2.7?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/vite/6.2.6/6.2.7?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vite/6.2.6/6.2.7?slim=true)](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2025-46565](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-859w-5945-r5v3) ### Summary The contents of files in [the project `root`](https://vite.dev/config/shared-options.html#root) that are denied by a file matching pattern can be returned to the browser. ### Impact Only apps explicitly exposing the Vite dev server to the network (using --host or [server.host config option](https://vitejs.dev/config/server-options.html#server-host)) are affected. Only files that are under [project `root`](https://vite.dev/config/shared-options.html#root) and are denied by a file matching pattern can be bypassed. 
- Examples of file matching patterns: `.env`, `.env.*`, `*.{crt,pem}`, `**/.env` - Examples of other patterns: `**/.git/**`, `.git/**`, `.git/**/*` ### Details [`server.fs.deny`](https://vite.dev/config/server-options.html#server-fs-deny) can contain patterns matching against files (by default it includes `.env`, `.env.*`, `*.{crt,pem}` as such patterns). These patterns could be bypassed for files under `root` by using a combination of slash and dot (`/.`). ### PoC ``` npm create vite@latest cd vite-project/ cat "secret" > .env npm install npm run dev curl --request-target /.env/. http://localhost:5173 ``` ![image](https://redirect.github.com/user-attachments/assets/822f4416-aa42-461f-8c95-a88d155e674b) ![image](https://redirect.github.com/user-attachments/assets/42902144-863a-4afb-ac5b-fc16effa37cc) --- ### Release Notes
vitejs/vite (vite) ### [`v6.2.7`](https://redirect.github.com/vitejs/vite/releases/tag/v6.2.7) [Compare Source](https://redirect.github.com/vitejs/vite/compare/v6.2.6...v6.2.7) Please refer to [CHANGELOG.md](https://redirect.github.com/vitejs/vite/blob/v6.2.7/packages/vite/CHANGELOG.md) for details.
--- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/formatjs/formatjs). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- pnpm-lock.yaml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 6ff1f52fe5..e7009c9de3 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -330,7 +330,7 @@ importers: version: 1.0.4 vite: specifier: ^6 - version: 6.2.6(@types/node@22.13.10)(jiti@2.4.2)(terser@5.39.0)(yaml@2.7.1) + version: 6.2.7(@types/node@22.13.10)(jiti@2.4.2)(terser@5.39.0)(yaml@2.7.1) vitest: specifier: ^3 version: 3.1.1(@types/debug@4.1.12)(@types/node@22.13.10)(happy-dom@17.4.4)(jiti@2.4.2)(jsdom@20.0.3)(terser@5.39.0)(yaml@2.7.1) @@ -9864,8 +9864,8 @@ packages: engines: {node: ^18.0.0 || ^20.0.0 || >=22.0.0} hasBin: true - vite@6.2.6: - resolution: {integrity: sha512-9xpjNl3kR4rVDZgPNdTL0/c6ao4km69a/2ihNQbcANz8RuCOK3hQBmLSJf3bRKVQjVMda+YvizNE8AwvogcPbw==} + vite@6.2.7: + resolution: {integrity: sha512-qg3LkeuinTrZoJHHF94coSaTfIPyBYoywp+ys4qu20oSJFbKMYoIJo0FWJT9q6Vp49l6z9IsJRbHdcGtiKbGoQ==} engines: {node: ^18.0.0 || ^20.0.0 || >=22.0.0} hasBin: true peerDependencies: 
@@ -13766,13 +13766,13 @@ snapshots: chai: 5.2.0 tinyrainbow: 2.0.0 - '@vitest/mocker@3.1.1(vite@6.2.6(@types/node@22.13.10)(jiti@2.4.2)(terser@5.39.0)(yaml@2.7.1))': + '@vitest/mocker@3.1.1(vite@6.2.7(@types/node@22.13.10)(jiti@2.4.2)(terser@5.39.0)(yaml@2.7.1))': dependencies: '@vitest/spy': 3.1.1 estree-walker: 3.0.3 magic-string: 0.30.17 optionalDependencies: - vite: 6.2.6(@types/node@22.13.10)(jiti@2.4.2)(terser@5.39.0)(yaml@2.7.1) + vite: 6.2.7(@types/node@22.13.10)(jiti@2.4.2)(terser@5.39.0)(yaml@2.7.1) '@vitest/pretty-format@3.1.1': dependencies: @@ -21443,7 +21443,7 @@ snapshots: debug: 4.4.0 es-module-lexer: 1.6.0 pathe: 2.0.3 - vite: 6.2.6(@types/node@22.13.10)(jiti@2.4.2)(terser@5.39.0)(yaml@2.7.1) + vite: 6.2.7(@types/node@22.13.10)(jiti@2.4.2)(terser@5.39.0)(yaml@2.7.1) transitivePeerDependencies: - '@types/node' - jiti @@ -21458,7 +21458,7 @@ snapshots: - tsx - yaml - vite@6.2.6(@types/node@22.13.10)(jiti@2.4.2)(terser@5.39.0)(yaml@2.7.1): + vite@6.2.7(@types/node@22.13.10)(jiti@2.4.2)(terser@5.39.0)(yaml@2.7.1): dependencies: esbuild: 0.25.3 postcss: 8.5.3 @@ -21473,7 +21473,7 @@ snapshots: vitest@3.1.1(@types/debug@4.1.12)(@types/node@22.13.10)(happy-dom@17.4.4)(jiti@2.4.2)(jsdom@20.0.3)(terser@5.39.0)(yaml@2.7.1): dependencies: '@vitest/expect': 3.1.1 - '@vitest/mocker': 3.1.1(vite@6.2.6(@types/node@22.13.10)(jiti@2.4.2)(terser@5.39.0)(yaml@2.7.1)) + '@vitest/mocker': 3.1.1(vite@6.2.7(@types/node@22.13.10)(jiti@2.4.2)(terser@5.39.0)(yaml@2.7.1)) '@vitest/pretty-format': 3.1.1 '@vitest/runner': 3.1.1 '@vitest/snapshot': 3.1.1 @@ -21489,7 +21489,7 @@ snapshots: tinyexec: 0.3.2 tinypool: 1.0.2 tinyrainbow: 2.0.0 - vite: 6.2.6(@types/node@22.13.10)(jiti@2.4.2)(terser@5.39.0)(yaml@2.7.1) + vite: 6.2.7(@types/node@22.13.10)(jiti@2.4.2)(terser@5.39.0)(yaml@2.7.1) vite-node: 3.1.1(@types/node@22.13.10)(jiti@2.4.2)(terser@5.39.0)(yaml@2.7.1) why-is-node-running: 2.3.0 optionalDependencies: 
From 23f89da8e482760f6df8df1e6bebf5e0943e3424 Mon Sep 17 00:00:00 2001
From: Long Ho
Date: Sun, 4 May 2025 23:45:20 -0400
Subject: [PATCH 2/3] fix(@formatjs/cli): support space for in-file
---
 packages/cli-lib/src/cli.ts | 2 +-
 .../extract/__snapshots__/integration.test.ts.snap | 3 +++
 packages/cli/integration-tests/extract/inFile.txt | 2 +-
 3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/packages/cli-lib/src/cli.ts b/packages/cli-lib/src/cli.ts
index 33c076d547..8418a6e22f 100644
--- a/packages/cli-lib/src/cli.ts
+++ b/packages/cli-lib/src/cli.ts
@@ -137,7 +137,7 @@ sentences are not translator-friendly.`
 const inFile = readFileSync(cmdObj.inFile, 'utf8')
 files.push(
 ...inFile
- .split('\n')
+ .split(/\n|\s+/)
 .filter(Boolean)
 .map(f => resolve(f))
 )
diff --git a/packages/cli/integration-tests/extract/__snapshots__/integration.test.ts.snap b/packages/cli/integration-tests/extract/__snapshots__/integration.test.ts.snap
index 792e970c5c..be2857e7db 100644
--- a/packages/cli/integration-tests/extract/__snapshots__/integration.test.ts.snap
+++ b/packages/cli/integration-tests/extract/__snapshots__/integration.test.ts.snap
@@ -342,6 +342,9 @@ exports[`basic case: inFile 2`] = `
 "defaultMessage": "{count, plural, =0 {😭} one {# kitten} other {# kittens}}",
 "description": "Counts kittens",
 },
+ "bar": {
+ "defaultMessage": "Bar",
+ },
 "escaped.apostrophe": {
 "defaultMessage": "A quoted value ''{value}'",
 "description": "Escaped apostrophe",
diff --git a/packages/cli/integration-tests/extract/inFile.txt b/packages/cli/integration-tests/extract/inFile.txt
index 42bfef397b..4bd9b18629 100644
--- a/packages/cli/integration-tests/extract/inFile.txt
+++ b/packages/cli/integration-tests/extract/inFile.txt
@@ -1,2 +1,2 @@
 defineMessages/actual.js
-duplicated/file1.tsx
\ No newline at end of file
+inFile/file1.tsx inFile/file2.tsx
\ No newline at end of file
From d26fe5a0d2d17c8d6d669ba95989aeb83fc9a0ef Mon Sep 17 00:00:00 2001
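Review bot: Splitting the in-file on `/\n|\s+/` in `packages/cli-lib/src/cli.ts` means any listed path that contains a space is now cut into fragments, each of which is passed to `resolve()` and pushed onto `files` as a separate entry; before this change only newlines separated entries. The hunk offers no quoting or escaping to keep such a path intact, so the constraint should at least be stated next to the split, e.g. `// entries are separated by any whitespace; paths containing spaces are not supported`. The `\n|` alternative is also redundant because `\s` already matches newlines, so `.split(/\s+/)` gives the same list once `.filter(Boolean)` has run. The enclosing function starts and ends outside the hunk, so how `files` is consumed afterwards is not visible here.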
From: Long Ho Date: Sun, 4 May 2025 23:45:48 -0400 Subject: [PATCH 3/3] build: publish - @formatjs/cli-lib@7.4.1 - @formatjs/cli@6.7.1 --- packages/cli-lib/CHANGELOG.md | 6 ++++++ packages/cli-lib/package.json | 2 +- packages/cli/CHANGELOG.md | 6 ++++++ packages/cli/package.json | 2 +- 4 files changed, 14 insertions(+), 2 deletions(-) diff --git a/packages/cli-lib/CHANGELOG.md b/packages/cli-lib/CHANGELOG.md index 1a20fc9eef..6a29841008 100644 --- a/packages/cli-lib/CHANGELOG.md +++ b/packages/cli-lib/CHANGELOG.md @@ -3,6 +3,12 @@ All notable changes to this project will be documented in this file. See [Conventional Commits](https://conventionalcommits.org) for commit guidelines. +## [7.4.1](https://github.com/formatjs/formatjs/compare/@formatjs/cli-lib@7.4.0...@formatjs/cli-lib@7.4.1) (2025-05-05) + +### Bug Fixes + +* **@formatjs/cli:** support space for in-file ([23f89da](https://github.com/formatjs/formatjs/commit/23f89da8e482760f6df8df1e6bebf5e0943e3424)) - by @longlho + # [7.4.0](https://github.com/formatjs/formatjs/compare/@formatjs/cli-lib@7.3.4...@formatjs/cli-lib@7.4.0) (2025-05-05) ### Features diff --git a/packages/cli-lib/package.json b/packages/cli-lib/package.json index a9c5f7dae8..501451ec1c 100644 --- a/packages/cli-lib/package.json +++ b/packages/cli-lib/package.json @@ -1,7 +1,7 @@ { "name": "@formatjs/cli-lib", "description": "Lib for CLI for formatjs.", - "version": "7.4.0", + "version": "7.4.1", "license": "MIT", "author": "Linjie Ding ", "engines": { diff --git a/packages/cli/CHANGELOG.md b/packages/cli/CHANGELOG.md index 6321927518..d2eac74ed5 100644 --- a/packages/cli/CHANGELOG.md +++ b/packages/cli/CHANGELOG.md 
@@ -3,6 +3,12 @@ All notable changes to this project will be documented in this file. See [Conventional Commits](https://conventionalcommits.org) for commit guidelines. +## [6.7.1](https://github.com/formatjs/formatjs/compare/@formatjs/cli@6.7.0...@formatjs/cli@6.7.1) (2025-05-05) + +### Bug Fixes + +* **@formatjs/cli:** support space for in-file ([23f89da](https://github.com/formatjs/formatjs/commit/23f89da8e482760f6df8df1e6bebf5e0943e3424)) - by @longlho + # [6.7.0](https://github.com/formatjs/formatjs/compare/@formatjs/cli@6.6.4...@formatjs/cli@6.7.0) (2025-05-05) ### Features diff --git a/packages/cli/package.json b/packages/cli/package.json index 922cd433a6..dbbc0a10bb 100644 --- a/packages/cli/package.json +++ b/packages/cli/package.json @@ -1,7 +1,7 @@ { "name": "@formatjs/cli", "description": "A CLI for formatjs.", - "version": "6.7.0", + "version": "6.7.1", "license": "MIT", "author": "Linjie Ding ", "engines": {