From befeeb09919ed11ca85435ff123082a631e137e1 Mon Sep 17 00:00:00 2001
From: monholm <73996878+monholm@users.noreply.github.com>
Date: Thu, 29 Aug 2024 10:36:28 +0200
Subject: [PATCH 1/2] fix(cli): use caret range for `micromatch` dependency

4.0.2 contains a vulnerability that most likely doesn't affect @lingui/cli, but there should be no reason to depend on an exact version which prevents consumers from upgrading the package without a version conflict. I've kept the version at 4.0.2 to prevent a breaking change (in the sense that bumping it to ^4.0.8 might also cause a version conflict for consumers). Let me know if you'd rather bump it to ^4.0.8.

Ref: https://github.com/advisories/GHSA-952p-6rrq-rcjv
---
 packages/cli/package.json | 2 +-
 yarn.lock | 36 +++++++++++++++++++++++++++---------
 2 files changed, 28 insertions(+), 10 deletions(-)

diff --git a/packages/cli/package.json b/packages/cli/package.json
index 1818cbdb5..3dbccefb7 100644
--- a/packages/cli/package.json
+++ b/packages/cli/package.json
@@ -68,7 +68,7 @@
 "esbuild": "^0.17.10",
 "glob": "^7.1.4",
 "inquirer": "^7.3.3",
- "micromatch": "4.0.2",
+ "micromatch": "^4.0.2",
 "normalize-path": "^3.0.0",
 "ora": "^5.1.0",
 "pathe": "^1.1.0",
diff --git a/yarn.lock b/yarn.lock
index d235b23f7..6a4743493 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -3260,7 +3260,7 @@ __metadata:
 esbuild: ^0.17.10
 glob: ^7.1.4
 inquirer: ^7.3.3
- micromatch: 4.0.2
+ micromatch: ^4.0.2
 mock-fs: ^5.2.0
 mockdate: ^3.0.5
 normalize-path: ^3.0.0
@@ -5922,7 +5922,7 @@ __metadata:
 languageName: node
 linkType: hard
 
-"braces@npm:^3.0.1, braces@npm:^3.0.2, braces@npm:~3.0.2":
+"braces@npm:^3.0.2, braces@npm:~3.0.2":
 version: 3.0.2
 resolution: "braces@npm:3.0.2"
 dependencies:
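Review bot: The new range `"micromatch": "^4.0.2"` keeps the version the description itself calls vulnerable as its floor, so a consumer whose lockfile already holds 4.0.2 satisfies the new constraint unchanged and only reaches the 4.0.8 this repository's yarn.lock now resolves to through a fresh install or a deliberate upgrade. If the goal is to move consumers out of the affected range rather than merely to stop blocking them, the line should read `"micromatch": "^4.0.8"`; by the description's own reasoning that risks a conflict only for consumers pinned below 4.0.8, which, assuming 4.0.8 is the patched release the advisory points to, are precisely the installs still exposed. Whichever floor is chosen, the reasoning belongs in the commit message, and the claim that the advisory "most likely doesn't affect @lingui/cli" would be easier to verify with one sentence on where the CLI hands patterns to micromatch and whether those are ever sourced from outside the project's own config.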
@@ -5931,6 +5931,15 @@ __metadata:
 languageName: node
 linkType: hard
 
+"braces@npm:^3.0.3":
+ version: 3.0.3
+ resolution: "braces@npm:3.0.3"
+ dependencies:
+ fill-range: ^7.1.1
+ checksum: b95aa0b3bd909f6cd1720ffcf031aeaf46154dd88b4da01f9a1d3f7ea866a79eba76a6d01cbc3c422b2ee5cdc39a4f02491058d5df0d7bf6e6a162a832df1f69
+ languageName: node
+ linkType: hard
+
 "browser-process-hrtime@npm:^1.0.0":
 version: 1.0.0
 resolution: "browser-process-hrtime@npm:1.0.0"
@@ -8480,6 +8489,15 @@ __metadata:
 languageName: node
 linkType: hard
 
+"fill-range@npm:^7.1.1":
+ version: 7.1.1
+ resolution: "fill-range@npm:7.1.1"
+ dependencies:
+ to-regex-range: ^5.0.1
+ checksum: b4abfbca3839a3d55e4ae5ec62e131e2e356bf4859ce8480c64c4876100f4df292a63e5bb1618e1d7460282ca2b305653064f01654474aa35c68000980f17798
+ languageName: node
+ linkType: hard
+
 "find-up@npm:^2.0.0":
 version: 2.1.0
 resolution: "find-up@npm:2.1.0"
@@ -11534,13 +11552,13 @@ __metadata:
 languageName: node
 linkType: hard
 
-"micromatch@npm:4.0.2":
- version: 4.0.2
- resolution: "micromatch@npm:4.0.2"
+"micromatch@npm:^4.0.2":
+ version: 4.0.8
+ resolution: "micromatch@npm:4.0.8"
 dependencies:
- braces: ^3.0.1
- picomatch: ^2.0.5
- checksum: 39590a96d9ffad21f0afac044d0a5af4f33715a16fdd82c53a01c8f5ff6f70832a31b53e52972dac3deff8bf9f0bed0207d1c34e54ab3306a5e4c4efd5f7d249
+ braces: ^3.0.3
+ picomatch: ^2.3.1
+ checksum: 79920eb634e6f400b464a954fcfa589c4e7c7143209488e44baf627f9affc8b1e306f41f4f0deedde97e69cb725920879462d3e750ab3bd3c1aed675bb3a8966
 languageName: node
 linkType: hard
 
@@ -12967,7 +12985,7 @@ __metadata:
 languageName: node
 linkType: hard
 
-"picomatch@npm:^2.0.4, picomatch@npm:^2.0.5, picomatch@npm:^2.2.1, picomatch@npm:^2.2.3, picomatch@npm:^2.3.1":
+"picomatch@npm:^2.0.4, picomatch@npm:^2.2.1, picomatch@npm:^2.2.3, picomatch@npm:^2.3.1":
 version: 2.3.1
 resolution: "picomatch@npm:2.3.1"
 checksum: 050c865ce81119c4822c45d3c84f1ced46f93a0126febae20737bd05ca20589c564d6e9226977df859ed5e03dc73f02584a2b0faad36e896936238238b0446cf
From 235cbacced15d91c056d54602eb3f20baf0d056a Mon Sep 17 00:00:00 2001
From: monholm <73996878+monholm@users.noreply.github.com>
Date: Thu, 29 Aug 2024 10:52:52 +0200
Subject: [PATCH 2/2] chore: clean up yarn.lock packages affected by `micromatch` caret range

---
 yarn.lock | 20 +------------------
 1 file changed, 1 insertion(+), 19 deletions(-)

diff --git a/yarn.lock b/yarn.lock
index 6a4743493..e29483534 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -5922,16 +5922,7 @@ __metadata:
 languageName: node
 linkType: hard
 
-"braces@npm:^3.0.2, braces@npm:~3.0.2":
- version: 3.0.2
- resolution: "braces@npm:3.0.2"
- dependencies:
- fill-range: ^7.0.1
- checksum: e2a8e769a863f3d4ee887b5fe21f63193a891c68b612ddb4b68d82d1b5f3ff9073af066c343e9867a393fe4c2555dcb33e89b937195feb9c1613d259edfcd459
- languageName: node
- linkType: hard
-
-"braces@npm:^3.0.3":
+"braces@npm:^3.0.2, braces@npm:^3.0.3, braces@npm:~3.0.2":
 version: 3.0.3
 resolution: "braces@npm:3.0.3"
 dependencies:
@@ -8480,15 +8471,6 @@ __metadata:
 languageName: node
 linkType: hard
 
-"fill-range@npm:^7.0.1":
- version: 7.0.1
- resolution: "fill-range@npm:7.0.1"
- dependencies:
- to-regex-range: ^5.0.1
- checksum: cc283f4e65b504259e64fd969bcf4def4eb08d85565e906b7d36516e87819db52029a76b6363d0f02d0d532f0033c9603b9e2d943d56ee3b0d4f7ad3328ff917
- languageName: node
- linkType: hard
-
 "fill-range@npm:^7.1.1":
 version: 7.1.1
 resolution: "fill-range@npm:7.1.1"