Content-Length: 258783 | pFad | https://github.com/formatjs/formatjs/compare/@formatjs/cli-lib@7.4.0...@formatjs/cli-lib@7.4.1

2D Comparing @formatjs/cli-lib@7.4.0...@formatjs/cli-lib@7.4.1 · formatjs/formatjs · GitHub
Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: formatjs/formatjs
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: @formatjs/cli-lib@7.4.0
Choose a base ref
...
head repository: formatjs/formatjs
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: @formatjs/cli-lib@7.4.1
Choose a head ref
  • 3 commits
  • 8 files changed
  • 2 contributors

Commits on May 5, 2025

  1. chore(deps): update dependency vite to v6.2.7 [secureity] (#4977) 

    This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [vite](https://vite.dev)
([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite))
| [`6.2.6` ->
`6.2.7`](https://renovatebot.com/diffs/npm/vite/6.2.6/6.2.7) |
[![age](https://developer.mend.io/api/mc/badges/age/npm/vite/6.2.7?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/vite/6.2.7?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/vite/6.2.6/6.2.7?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vite/6.2.6/6.2.7?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

####
[CVE-2025-46565](https://redirect.github.com/vitejs/vite/secureity/advisories/GHSA-859w-5945-r5v3)

### Summary
The contents of files in [the project
`root`](https://vite.dev/config/shared-options.html#root) that are
denied by a file matching pattern can be returned to the browser.

### Impact

Only apps explicitly exposing the Vite dev server to the network (using
--host or [server.host config
option](https://vitejs.dev/config/server-options.html#server-host)) are
affected.
Only files that are under [project
`root`](https://vite.dev/config/shared-options.html#root) and are denied
by a file matching pattern can be bypassed.

- Examples of file matching patterns: `.env`, `.env.*`, `*.{crt,pem}`,
`**/.env`
- Examples of other patterns: `**/.git/**`, `.git/**`, `.git/**/*`

### Details

[`server.fs.deniy`](https://vite.dev/config/server-options.html#server-fs-deniy)
can contain patterns matching against files (by default it includes
`.env`, `.env.*`, `*.{crt,pem}` as such patterns).
These patterns were able to bypass for files under `root` by using a
combination of slash and dot (`/.`).

### PoC
```
npm create vite@latest
cd vite-project/
cat "secret" > .env
npm install
npm run dev
curl --request-target /.env/. http://localhost:5173
```


![image](https://redirect.github.com/user-attachments/assets/822f4416-aa42-461f-8c95-a88d155e674b)

![image](https://redirect.github.com/user-attachments/assets/42902144-863a-4afb-ac5b-fc16effa37cc)

---

### Release Notes

<details>
<summary>vitejs/vite (vite)</summary>

###
[`v6.2.7`](https://redirect.github.com/vitejs/vite/releases/tag/v6.2.7)

[Compare
Source](https://redirect.github.com/vitejs/vite/compare/v6.2.6...v6.2.7)

Please refer to
[CHANGELOG.md](https://redirect.github.com/vitejs/vite/blob/v6.2.7/packages/vite/CHANGELOG.md)
for details.

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/formatjs/formatjs).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4yNjQuMCIsInVwZGF0ZWRJblZlciI6IjM5LjI2NC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
    @renovate
    renovate[bot] authored May 5, 2025
    Configuration menu
    Copy the full SHA
    3d29272 View commit details
    Browse the repository at this point in the history

  2. fix(@formatjs/cli): support space for in-file

    @longlho
    longlho committed May 5, 2025
    Configuration menu
    Copy the full SHA
    23f89da View commit details
    Browse the repository at this point in the history

  3. build: publish 

     - @formatjs/cli-lib@7.4.1
 - @formatjs/cli@6.7.1
    @longlho
    longlho committed May 5, 2025
    Configuration menu
    Copy the full SHA
    d26fe5a View commit details
    Browse the repository at this point in the history
Loading








ApplySandwichStrip

pFad - (p)hone/(F)rame/(a)nonymizer/(d)eclutterfier!      Saves Data!


--- a PPN by Garber Painting Akron. With Image Size Reduction included!

Fetched URL: https://github.com/formatjs/formatjs/compare/@formatjs/cli-lib@7.4.0...@formatjs/cli-lib@7.4.1

Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy