[Snyk] Upgrade esbuild from 0.12.29 to 0.14.2 #2

@snyk-bot snyk-bot commented Jan 1, 2022

Snyk has created this PR to upgrade esbuild from 0.12.29 to 0.14.2.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 19 versions ahead of your current version.
  • The recommended version was released a month ago, on 2021-12-04.
Release notes
Package name: esbuild
  • 0.14.2 - 2021-12-04
    • Add [ext] placeholder for path templates (#1799)

      This release adds the [ext] placeholder to the --entry-names=, --chunk-names=, and --asset-names= configuration options. The [ext] placeholder takes the value of the file extension without the leading ., and can be used to place output files with different file extensions into different folders. For example, --asset-names=assets/[ext]/[name]-[hash] might generate an output path of assets/png/image-LSAMBFUD.png.

      This feature was contributed by @LukeSheard.

    • Disable star-to-clause transform for external imports (#1801)

      When bundling is enabled, esbuild automatically transforms import * as x from 'y'; x.z() into import {z} from 'y'; z() to improve tree shaking. This avoids needing to create the import namespace object x if it's unnecessary, which can result in the removal of large amounts of unused code. However, this transform shouldn't be done for external imports because that incorrectly changes the semantics of the import. If the export z doesn't exist in the previous example, the value x.z is a property access that is undefined at run-time, but the value z is an import error that will prevent the code from running entirely. This release fixes the problem by avoiding doing this transform for external imports:

      // Original code
      import * as x from 'y';
      x.z();

      // Old output (with --bundle --format=esm --external:y)
      import { z } from "y";
      z();

      // New output (with --bundle --format=esm --external:y)
      import * as x from "y";
      x.z();

    • Disable calc() transform for numbers with many fractional digits (#1821)

      Version 0.13.12 introduced simplification of calc() expressions in CSS when minifying. For example, calc(100% / 4) turns into 25%. However, this is problematic for numbers with many fractional digits because either the number is printed with reduced precision, which is inaccurate, or the number is printed with full precision, which could be longer than the original expression. For example, turning calc(100% / 3) into 33.33333% is inaccurate and turning it into 33.333333333333336% likely isn't desired. In this release, minification of calc() is now disabled when any number in the result cannot be represented to full precision with at most five fractional digits.

    • Fix an edge case with catch scope handling (#1812)

      This release fixes a subtle edge case with catch scope and destructuring assignment. Identifiers in computed properties and/or default values inside the destructuring binding pattern should reference the outer scope, not the inner scope. The fix was to split the destructuring pattern into its own scope, separate from the catch body. Here's an example of code that was affected by this edge case:

      // Original code
      let foo = 1
      try {
        throw ['a', 'b']
      } catch ({ [foo]: y }) {
        let foo = 2
        assert(y === 'b')
      }

      // Old output (with --minify)
      let foo=1;try{throw["a","b"]}catch({[o]:t}){let o=2;assert(t==="b")}

      // New output (with --minify)
      let foo=1;try{throw["a","b"]}catch({[foo]:t}){let o=2;assert(t==="b")}

    • Go 1.17.2 was upgraded to Go 1.17.4

      The previous release was built with Go 1.17.2, but this release is built with Go 1.17.4. This is just a routine upgrade. There are no changes significant to esbuild outside of some security-related fixes to Go's HTTP stack (but you shouldn't be running esbuild's dev server in production anyway).

      One notable change related to this is that esbuild's publishing script now ensures that git's state is free of uncommitted and/or untracked files before building. Previously this wasn't the case because publishing esbuild involved changing the version number, running the publishing script, and committing at the end, which meant that files were uncommitted during the build process. I also typically had some untracked test files in the same directory during publishing (which is harmless).

      This matters because there's an upcoming change in Go 1.18 where the Go compiler will include metadata about whether there are untracked files or not when doing a build: golang/go#37475. Changing esbuild's publishing script should mean that when esbuild upgrades to Go 1.18, esbuild's binary executables will be marked as being built off of a specific commit without any modifications. This is important for reproducibility. Checking out a specific esbuild commit and building it should give a bitwise-identical binary executable to one that I published. But if this metadata indicated that there were untracked files during the published build, then the resulting executable would no longer be bitwise-identical.

  • 0.14.1 - 2021-11-30
    • Fix imports in package.json (#1807)

      This release contains a fix for the rarely-used imports feature in package.json files that lets a package specify a custom remapping for import paths inside that package that start with #. Support for imports was added in version 0.13.9. However, the field was being incorrectly interpreted as relative to the importing file instead of to the package.json file, which caused an import failure when the importing file is in a subdirectory instead of being at the top level of the package. Import paths should now be interpreted as relative to the correct directory which should fix these path resolution failures.

    • Isolate implicit sibling scope lookup for enum and namespace

      The previous release implemented sibling namespaces in TypeScript, which introduces a new kind of scope lookup that doesn't exist in JavaScript. Exported members inside an enum or namespace block can be implicitly referenced in a sibling enum or namespace block just by using the name without using a property reference. However, this behavior appears to only work for enum-to-enum and namespace-to-namespace interactions. Even though sibling enums and namespaces with the same name can be merged together into the same underlying object, this implicit reference behavior doesn't work for enum-to-namespace interactions and attempting to do this with a namespace-to-enum interaction causes the TypeScript compiler itself to crash. Here is an example of how the TypeScript compiler behaves in each case:

      // "b" is accessible
      enum a { b = 1 }
      enum a { c = b }

      // "e" is accessible
      namespace d { export let e = 1 }
      namespace d { export let f = e }

      // "h" is inaccessible
      enum g { h = 1 }
      namespace g { export let i = h }

      // This causes the TypeScript compiler to crash
      namespace j { export let k = 1 }
      enum j { l = k }

      This release changes the implicit sibling scope lookup behavior to only work for enum-to-enum and namespace-to-namespace interactions. These implicit references no longer work with enum-to-namespace and namespace-to-enum interactions, which should more accurately match the behavior of the TypeScript compiler.

    • Add semicolon insertion before TypeScript-specific definite assignment assertion modifier (#1810)

      TypeScript lets you add a ! after a variable declaration to bypass TypeScript's definite assignment analysis:

      let x!: number[];
      initialize();
      x.push(4);

      function initialize() { x = [0, 1, 2, 3]; }

      This ! is called a definite assignment assertion and tells TypeScript to assume that the variable has been initialized somehow. However, JavaScript's automatic semicolon insertion rules should be able to insert a semicolon before it:

      let a
      !function(){}()

      Previously the above code was incorrectly considered a syntax error in TypeScript. With this release, this code is now parsed correctly.

    • Log output to stderr has been overhauled

      This release changes the way log messages are formatted to stderr. The changes make the kind of message (e.g. error vs. warning vs. note) more obvious, and they also give more room for paragraph-style notes that can provide more detail about the message. Here's an example:

      Before:

       > example.tsx:14:25: warning: Comparison with -0 using the "===" operator will also match 0
          14 │     case 1: return x === -0
             ╵                          ~~
       > example.tsx:21:23: error: Could not resolve "path" (use "--platform=node" when building for node)
          21 │   const path = require('path')
             ╵                        ~~~~~~
      

      After:

      // Original code
      const enum Foo { FOO }
      console.log(Foo.FOO)

      // Old output
      console.log(0);

      // New output
      console.log(0 /* FOO */);

      This matches the behavior of the TypeScript compiler, and should help with debugging. These comments are not generated if minification is enabled.

  • 0.14.0 - 2021-11-26
  • 0.13.15 - 2021-11-20
  • 0.13.14 - 2021-11-16
  • 0.13.13 - 2021-11-09
  • 0.13.12 - 2021-10-31
  • 0.13.11 - 2021-10-30
  • 0.13.10 - 2021-10-28
  • 0.13.9 - 2021-10-23
  • 0.13.8 - 2021-10-17
  • 0.13.7 - 2021-10-15
  • 0.13.6 - 2021-10-14
  • 0.13.5 - 2021-10-13
  • 0.13.4 - 2021-10-05
  • 0.13.3 - 2021-09-28
  • 0.13.2 - 2021-09-23
  • 0.13.1 - 2021-09-23
  • 0.13.0 - 2021-09-22
  • 0.12.29 - 2021-09-22
from esbuild GitHub release notes
Commit messages
Package name: esbuild


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs
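
The 0.14.2 release notes quoted in the comment above say the publishing script now ensures git's state is free of uncommitted and untracked files before building, for the sake of reproducible binaries. A minimal sketch of such a gate, as an added example that is not esbuild's publishing script and not part of the original comment; the function names and the sample file names are hypothetical:

```shell
#!/bin/sh
# Added example (hypothetical function names; not esbuild's publishing script).

# Read `git status --porcelain` output on stdin and print
# "<uncommitted> <untracked>". Untracked entries are prefixed with "??".
count_dirty() {
  awk '
    substr($0, 1, 2) == "??" { untracked++; next }
    NF                       { uncommitted++ }
    END { printf "%d %d\n", uncommitted, untracked }
  '
}

# Succeed only when stdin describes a tree with nothing uncommitted or untracked.
is_clean() {
  [ "$(count_dirty)" = "0 0" ]
}

# Gate for a release build: call this before compiling anything.
require_clean_tree() {
  # A failing git (for example, not inside a repository) must not look "clean".
  status=$(git status --porcelain --untracked-files=all) || return 2
  if printf '%s\n' "$status" | is_clean; then
    echo "clean tree at commit $(git rev-parse HEAD)"
  else
    echo "refusing to build: uncommitted or untracked files present" >&2
    printf '%s\n' "$status" >&2
    return 1
  fi
}

# Constructed sample input: one modified file, one staged addition and one
# untracked scratch file (file names are made up).
SAMPLE_DIRTY=' M src/version.txt
A  package.json
?? scratch-test.js'

printf '%s\n' "$SAMPLE_DIRTY" | count_dirty
```

Passing `--untracked-files=all` makes the check independent of a local `status.showUntrackedFiles` setting, so stray test files are always counted.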
