[Snyk] Upgrade esbuild from 0.15.18 to 0.17.17 #2
This PR was automatically created by Snyk using the credentials of a real user.
Snyk has created this PR to upgrade esbuild from 0.15.18 to 0.17.17.
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
Release notes
Package name: esbuild
Fix CSS nesting transform for top-level `&` (#3052)
Previously esbuild could crash with a stack overflow when lowering CSS nesting rules with a top-level `&`, such as in the code below. This happened because esbuild's CSS nesting transform didn't handle top-level `&`, causing esbuild to inline the top-level selector into itself. This release handles top-level `&` by replacing it with the `:scope` pseudo-class:
/* Original input */
&,
a {
  .b {
    color: red;
  }
}
/* New output (with --target=chrome90) */
:is(:scope, a) .b {
  color: red;
}
Support `exports` in `package.json` for `extends` in `tsconfig.json` (#3058)
TypeScript 5.0 added the ability to use `extends` in `tsconfig.json` to reference a path in a package whose `package.json` file contains an `exports` map that points to the correct location. This doesn't automatically work in esbuild because `tsconfig.json` affects esbuild's path resolution, so esbuild's normal path resolution logic doesn't apply.
This release adds support for doing this by adding some additional code that attempts to resolve the `extends` path using the `exports` field. The behavior should be similar enough to esbuild's main path resolution logic to work as expected.
Note that esbuild always treats this `extends` import as a `require()` import since that's what TypeScript appears to do. Specifically the `require` condition will be active and the `import` condition will be inactive.
Fix watch mode with `NODE_PATH` (#3062)
Node has a rarely-used feature where you can extend the set of directories that node searches for packages using the `NODE_PATH` environment variable. While esbuild supports this too, previously a bug prevented esbuild's watch mode from picking up changes to imported files that were contained directly in a `NODE_PATH` directory. You're supposed to use `NODE_PATH` for packages, but some people abuse this feature by putting files in that directory instead (e.g. `node_modules/some-file.js` instead of `node_modules/some-pkg/some-file.js`). The watch mode bug happens when you do this because esbuild first tries to read `some-file.js` as a directory and then as a file. Watch mode was incorrectly waiting for `some-file.js` to become a valid directory. This release fixes this edge case bug by changing watch mode to watch `some-file.js` as a file when this happens.
Fix CSS nesting transform for triple-nested rules that start with a combinator (#3046)
This release fixes a bug with esbuild where triple-nested CSS rules that start with a combinator were not transformed correctly for older browsers. Here's an example of such a case before and after this bug fix:
/* Original input */
.a {
  color: red;
  > .b {
    color: green;
    > .c {
      color: blue;
    }
  }
}
/* Old output (with --target=chrome90) */
.a {
  color: red;
}
.a > .b {
  color: green;
}
.a .b > .c {
  color: blue;
}
/* New output (with --target=chrome90) */
.a {
  color: red;
}
.a > .b {
  color: green;
}
.a > .b > .c {
  color: blue;
}
Support `--inject` with a file loaded using the `copy` loader (#3041)
This release now allows you to use `--inject` with a file that is loaded using the `copy` loader. The `copy` loader copies the imported file to the output directory verbatim and rewrites the path in the `import` statement to point to the copied output file. When used with `--inject`, this means the injected file will be copied to the output directory as-is and a bare `import` statement for that file will be inserted in any non-copy output files that esbuild generates.
Note that since esbuild doesn't parse the contents of copied files, esbuild will not expose any of the export names as usable imports when you do this (in the way that esbuild's `--inject` feature is typically used). However, any side-effects that the injected file has will still occur.
Allow keywords as type parameter names in mapped types (#3033)
TypeScript allows type keywords to be used as parameter names in mapped types. Previously esbuild incorrectly treated this as an error. Code that does this is now supported:
Add annotations for re-exported modules in node (#2486, #3029)
Node lets you import named imports from a CommonJS module using ESM import syntax. However, the allowed names aren't derived from the properties of the CommonJS module. Instead they are derived from an arbitrary syntax-only analysis of the CommonJS module's JavaScript AST.
To accommodate node doing this, esbuild's ESM-to-CommonJS conversion adds a special non-executable "annotation" for node that describes the exports that node should expose in this scenario. It takes the form `0 && (module.exports = { ... })` and comes at the end of the file (`0 && expr` means `expr` is never evaluated).
Previously esbuild didn't do this for modules re-exported using the `export * from` syntax. Annotations for these re-exports will now be added starting with this release:
// Original input
export { foo } from './foo'
export * from './bar'
// Old output (with --format=cjs --platform=node)
...
0 && (module.exports = {
  foo
});
// New output (with --format=cjs --platform=node)
...
0 && (module.exports = {
  foo,
  ...require("./bar")
});
Note that you need to specify both `--format=cjs` and `--platform=node` to get these node-specific annotations.
Avoid printing an unnecessary space in between a number and a `.` (#3026)
JavaScript typically requires a space in between a number token and a `.` token to avoid the `.` being interpreted as a decimal point instead of a member expression. However, this space is not required if the number token itself contains a decimal point, an exponent, or uses a base other than 10. This release of esbuild now avoids printing the unnecessary space in these cases:
// Original input
foo(1000 .x, 0 .x, 0.1 .x, 0.0001 .x, 0xFFFF_0000_FFFF_0000 .x)
// Old output (with --minify)
foo(1e3 .x,0 .x,.1 .x,1e-4 .x,0xffff0000ffff0000 .x);
// New output (with --minify)
foo(1e3.x,0 .x,.1.x,1e-4.x,0xffff0000ffff0000.x);
Fix server-sent events with live reload when writing to the file system root (#3027)
This release fixes a bug where esbuild previously failed to emit server-sent events for live reload when `outdir` was the file system root, such as `/`. This happened because `/` is the only path on Unix that cannot have a trailing slash trimmed from it, which was fixed by improved path handling.
Work around an issue with `NODE_PATH` and Go's WebAssembly internals (#3001)
Go's WebAssembly implementation returns `EINVAL` instead of `ENOTDIR` when using the `readdir` syscall on a file. This messes up esbuild's implementation of node's module resolution algorithm since encountering `ENOTDIR` causes esbuild to continue its search (since it's a normal condition) while encountering other errors causes esbuild to fail with an I/O error (since it's an unexpected condition). You can encounter this issue in practice if you use node's legacy `NODE_PATH` feature to tell esbuild to resolve node modules in a custom directory that was not installed by npm. This release works around this problem by converting `EINVAL` into `ENOTDIR` for the `readdir` syscall.
Fix a minification bug with CSS `@layer` rules that have parsing errors (#3016)
CSS at-rules require either a `{}` block or a semicolon at the end. Omitting both of these causes esbuild to treat the rule as an unknown at-rule. Previous releases of esbuild had a bug that incorrectly removed unknown at-rules without any children during minification if the at-rule token matched an at-rule that esbuild can handle. Specifically cssnano can generate `@layer` rules with parsing errors, and empty `@layer` rules cannot be removed because they have side effects (`@layer` didn't exist when esbuild's CSS support was added, so esbuild wasn't written to handle this). This release changes esbuild to no longer discard `@layer` rules with parsing errors when minifying (the rule `@layer c` has a parsing error):
/* Original input */
@layer a {
  @layer b {
    @layer c
  }
}
/* Old output (with --minify) */
@layer a.b;
/* New output (with --minify) */
@layer a.b.c;
Unterminated strings in CSS are no longer an error
The CSS specification provides rules for handling parsing errors. One of those rules is that user agents must close strings upon reaching the end of a line (i.e., before an unescaped line feed, carriage return or form feed character), but then drop the construct (declaration or rule) in which the string was found. For example:
...would be treated the same as:
...because the second declaration (from `font-family` to the semicolon after `color: red`) is invalid and is dropped.
Previously using this CSS with esbuild failed to build due to a syntax error, even though the code can be interpreted by a browser. With this release, the code now produces a warning instead of an error, and esbuild prints the invalid CSS such that it stays invalid in the output:
Fix a crash when parsing inline TypeScript decorators (#2991)
Previously esbuild's TypeScript parser crashed when parsing TypeScript decorators if the definition of the decorator was inlined into the decorator itself:
This crash was not noticed earlier because this edge case did not have test coverage. The crash is fixed in this release.
Commit messages
Package name: esbuild
withastro/astro#3058: support `extends` that uses `exports`
withastro/astro#3052: replace top-level `&` css with `:scope`
withastro/astro#3029: node re-export annotations
withastro/astro#1945: initial lowering code for css nesting
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.
For more information:
🧐 View latest project report
🛠 Adjust upgrade PR settings
🔕 Ignore this dependency or unsubscribe from future upgrade PRs
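The spacing rule from the release note for #3026 above, written out as a small check and cross-checked against the JavaScript parser. This is an added example, not esbuild's code and not part of the original PR; `needsSpaceBeforeDot`, `printMember` and `parses` are hypothetical names.

```javascript
// Added example: function names are illustrative and are not esbuild's own.

// True when a space must separate a numeric literal from a following ".".
function needsSpaceBeforeDot(numText) {
  // Base other than 10 (0x.., 0b.., 0o..): "." cannot continue the literal.
  if (/^0[xXbBoO]/.test(numText)) return false;
  // Literal already has a decimal point or an exponent, so a following "."
  // cannot be read as a decimal point.
  if (/[.eE]/.test(numText)) return false;
  // Plain decimal integer such as 0 or 1000: "1000.x" would lex "1000." as
  // the number. Any other literal form also lands here; a space is always safe.
  return true;
}

// Print a member access on a numeric literal with the minimum spacing.
function printMember(numText, prop) {
  return numText + (needsSpaceBeforeDot(numText) ? " ." : ".") + prop;
}

// Ask the engine whether the text parses as an expression. The function
// object is only constructed for its syntax check and is never called.
function parses(exprText) {
  try {
    new Function("return (" + exprText + ");");
    return true;
  } catch (err) {
    if (err instanceof SyntaxError) return false;
    throw err;
  }
}

// Constructed sample: the minified literals shown in the release note.
const samples = ["1e3", "0", ".1", "1e-4", "0xffff0000ffff0000"];
const printed = samples.map((n) => printMember(n, "x"));

console.log(printed.join(","));
console.log(printed.every(parses)); // every printed form is valid JavaScript
```
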