[Snyk] Upgrade esbuild from 0.12.29 to 0.14.2 #2
Snyk has created this PR to upgrade esbuild from 0.12.29 to 0.14.2.
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
Release notes
Package name: esbuild
Add [ext] placeholder for path templates (#1799)
This release adds the [ext] placeholder to the --entry-names=, --chunk-names=, and --asset-names= configuration options. The [ext] placeholder takes the value of the file extension without the leading ., and can be used to place output files with different file extensions into different folders. For example, --asset-names=assets/[ext]/[name]-[hash] might generate an output path of assets/png/image-LSAMBFUD.png.
This feature was contributed by @LukeSheard.
Disable star-to-clause transform for external imports (#1801)
When bundling is enabled, esbuild automatically transforms import * as x from 'y'; x.z() into import {z} from 'y'; z() to improve tree shaking. This avoids needing to create the import namespace object x if it's unnecessary, which can result in the removal of large amounts of unused code. However, this transform shouldn't be done for external imports because that incorrectly changes the semantics of the import. If the export z doesn't exist in the previous example, the value x.z is a property access that is undefined at run-time, but the value z is an import error that will prevent the code from running entirely. This release fixes the problem by avoiding doing this transform for external imports:

import * as x from 'y';
x.z();
// Old output (with --bundle --format=esm --external:y)
import { z } from "y";
z();
// New output (with --bundle --format=esm --external:y)
import * as x from "y";
x.z();
Disable calc() transform for numbers with many fractional digits (#1821)
Version 0.13.12 introduced simplification of calc() expressions in CSS when minifying. For example, calc(100% / 4) turns into 25%. However, this is problematic for numbers with many fractional digits because either the number is printed with reduced precision, which is inaccurate, or the number is printed with full precision, which could be longer than the original expression. For example, turning calc(100% / 3) into 33.33333% is inaccurate and turning it into 33.333333333333336% likely isn't desired. In this release, minification of calc() is now disabled when any number in the result cannot be represented to full precision with at most five fractional digits.
Fix an edge case with catch scope handling (#1812)
This release fixes a subtle edge case with catch scope and destructuring assignment. Identifiers in computed properties and/or default values inside the destructuring binding pattern should reference the outer scope, not the inner scope. The fix was to split the destructuring pattern into its own scope, separate from the catch body. Here's an example of code that was affected by this edge case:

let foo = 1
try {
throw ['a', 'b']
} catch ({ [foo]: y }) {
let foo = 2
assert(y === 'b')
}
// Old output (with --minify)
let foo=1;try{throw["a","b"]}catch({[o]:t}){let o=2;assert(t==="b")}
// New output (with --minify)
let foo=1;try{throw["a","b"]}catch({[foo]:t}){let o=2;assert(t==="b")}
Go 1.17.2 was upgraded to Go 1.17.4
The previous release was built with Go 1.17.2, but this release is built with Go 1.17.4. This is just a routine upgrade. There are no changes significant to esbuild outside of some security-related fixes to Go's HTTP stack (but you shouldn't be running esbuild's dev server in production anyway).
One notable change related to this is that esbuild's publishing script now ensures that git's state is free of uncommitted and/or untracked files before building. Previously this wasn't the case because publishing esbuild involved changing the version number, running the publishing script, and committing at the end, which meant that files were uncommitted during the build process. I also typically had some untracked test files in the same directory during publishing (which is harmless).
This matters because there's an upcoming change in Go 1.18 where the Go compiler will include metadata about whether there are untracked files or not when doing a build: golang/go#37475. Changing esbuild's publishing script should mean that when esbuild upgrades to Go 1.18, esbuild's binary executables will be marked as being built off of a specific commit without any modifications. This is important for reproducibility. Checking out a specific esbuild commit and building it should give a bitwise-identical binary executable to one that I published. But if this metadata indicated that there were untracked files during the published build, then the resulting executable would no longer be bitwise-identical.
Fix imports in package.json (#1807)
This release contains a fix for the rarely-used imports feature in package.json files that lets a package specify a custom remapping for import paths inside that package that start with #. Support for imports was added in version 0.13.9. However, the field was being incorrectly interpreted as relative to the importing file instead of to the package.json file, which caused an import failure when the importing file is in a subdirectory instead of being at the top level of the package. Import paths should now be interpreted as relative to the correct directory which should fix these path resolution failures.
Isolate implicit sibling scope lookup for enum and namespace
The previous release implemented sibling namespaces in TypeScript, which introduces a new kind of scope lookup that doesn't exist in JavaScript. Exported members inside an enum or namespace block can be implicitly referenced in a sibling enum or namespace block just by using the name without using a property reference. However, this behavior appears to only work for enum-to-enum and namespace-to-namespace interactions. Even though sibling enums and namespaces with the same name can be merged together into the same underlying object, this implicit reference behavior doesn't work for enum-to-namespace interactions and attempting to do this with a namespace-to-enum interaction causes the TypeScript compiler itself to crash. Here is an example of how the TypeScript compiler behaves in each case:

enum a { b = 1 }
enum a { c = b }
// "e" is accessible
namespace d { export let e = 1 }
namespace d { export let f = e }
// "h" is inaccessible
enum g { h = 1 }
namespace g { export let i = h }
// This causes the TypeScript compiler to crash
namespace j { export let k = 1 }
enum j { l = k }
This release changes the implicit sibling scope lookup behavior to only work for enum-to-enum and namespace-to-namespace interactions. These implicit references no longer work with enum-to-namespace and namespace-to-enum interactions, which should more accurately match the behavior of the TypeScript compiler.
Add semicolon insertion before TypeScript-specific definite assignment assertion modifier (#1810)
TypeScript lets you add a ! after a variable declaration to bypass TypeScript's definite assignment analysis:

// The "!" after the variable name is the definite assignment assertion
let x!: number[];
initialize();
x.push(4);
function initialize() { x = [0, 1, 2, 3]; }

This ! is called a definite assignment assertion and tells TypeScript to assume that the variable has been initialized somehow. However, JavaScript's automatic semicolon insertion rules should be able to insert a semicolon before it:
Previously the above code was incorrectly considered a syntax error in TypeScript. With this release, this code is now parsed correctly.
Log output to stderr has been overhauled
This release changes the way log messages are formatted to stderr. The changes make the kind of message (e.g. error vs. warning vs. note) more obvious, and they also give more room for paragraph-style notes that can provide more detail about the message. Here's an example:
Before:
After:
const enum Foo { FOO }
console.log(Foo.FOO)
// Old output
console.log(0);
// New output
console.log(0 /* FOO */);
This matches the behavior of the TypeScript compiler, and should help with debugging. These comments are not generated if minification is enabled.
Commit messages
Package name: esbuild
Compare
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.
For more information:
🧐 View latest project report
🛠 Adjust upgrade PR settings
🔕 Ignore this dependency or unsubscribe from future upgrade PRs
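
Added example, not part of the Snyk PR or of esbuild's own code: the release notes above describe Go 1.18 embedding metadata about whether a binary was built from a clean checkout, and this sketch shows how a consumer could check that stamp before trusting a release build. It relies on the `vcs.revision` and `vcs.modified` build settings that Go 1.18+ records; `checkStamp`, `constructedInfo` and the revision string are hypothetical names and values made up for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"runtime/debug"
)

// checkStamp accepts a binary only if its embedded VCS metadata (Go 1.18+)
// names wantRev and records an unmodified working tree.
func checkStamp(info *debug.BuildInfo, wantRev string) error {
	if info == nil {
		return errors.New("no build info embedded")
	}
	rev, modified, stamped := "", "", false
	for _, s := range info.Settings {
		switch s.Key {
		case "vcs.revision":
			rev, stamped = s.Value, true
		case "vcs.modified":
			modified = s.Value
		}
	}
	switch {
	case !stamped:
		return errors.New("no VCS stamp (built outside a checkout or with -buildvcs=false)")
	case modified != "false":
		return fmt.Errorf("built from a modified tree at %s", rev)
	case rev != wantRev:
		return fmt.Errorf("built from %s, want %s", rev, wantRev)
	}
	return nil
}

// constructedInfo builds sample metadata; the values are made up for this example.
func constructedInfo(rev, modified string) *debug.BuildInfo {
	return &debug.BuildInfo{Settings: []debug.BuildSetting{
		{Key: "vcs", Value: "git"},
		{Key: "vcs.revision", Value: rev},
		{Key: "vcs.modified", Value: modified},
	}}
}

func main() {
	const rev = "0123456789abcdef0123456789abcdef01234567" // constructed placeholder
	fmt.Println("clean:", checkStamp(constructedInfo(rev, "false"), rev))
	fmt.Println("dirty:", checkStamp(constructedInfo(rev, "true"), rev))
	if info, ok := debug.ReadBuildInfo(); ok {
		fmt.Println("this binary:", checkStamp(info, rev))
	}
}
```

The same settings can be read from a binary on disk with `go version -m <binary>`.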