[Snyk] Upgrade esbuild from 0.18.13 to 0.18.14 #1

Open

fishylunar
Owner

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to upgrade esbuild from 0.18.13 to 0.18.14.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 1 version ahead of your current version.
  • The recommended version was released 22 days ago, on 2023-07-18.
Release notes
Package name: esbuild
  • 0.18.14 - 2023-07-18
    • Implement local CSS names (#20)

      This release introduces two new loaders called global-css and local-css and two new pseudo-class selectors :local() and :global(). This is a partial implementation of the popular CSS modules approach for avoiding unintentional name collisions in CSS. I'm not calling this feature "CSS modules" because although some people in the community call it that, other people in the community have started using "CSS modules" to refer to something completely different and now CSS modules is an overloaded term.

      Here's how this new local CSS name feature works with esbuild:

      • Identifiers that look like .className and #idName are global with the global-css loader and local with the local-css loader. Global identifiers are the same across all files (the way CSS normally works) but local identifiers are different between different files. If two separate CSS files use the same local identifier .button, esbuild will automatically rename one of them so that they don't collide. This is analogous to how esbuild automatically renames JS local variables with the same name in separate JS files to avoid name collisions.

      • It only makes sense to use local CSS names with esbuild when you are also using esbuild's bundler to bundle JS files that import CSS files. When you do that, esbuild will generate one export for each local name in the CSS file. The JS code can import these names and use them when constructing HTML DOM. For example:

        // app.js
        import { outerShell } from './app.css'
        const div = document.createElement('div')
        div.className = outerShell
        document.body.appendChild(div)

        /* app.css */
        .outerShell {
          position: absolute;
          inset: 0;
        }

        When you bundle this with esbuild app.js --bundle --loader:.css=local-css --outdir=out you'll now get this (notice how the local CSS name outerShell has been renamed):

        // out/app.js
        (() => {
        // app.css
        var outerShell = "app_outerShell";

        // app.js
        var div = document.createElement("div");
        div.className = outerShell;
        document.body.appendChild(div);
        })();

        /* out/app.css */
        .app_outerShell {
          position: absolute;
          inset: 0;
        }

        This feature only makes sense to use when bundling is enabled both because your code needs to import the renamed local names so that it can use them, and because esbuild needs to be able to process all CSS files containing local names in a single bundling operation so that it can successfully rename conflicting local names to avoid collisions.

      • If you are in a global CSS file (with the global-css loader) you can create a local name using :local(), and if you are in a local CSS file (with the local-css loader) you can create a global name with :global(). So the choice of the global-css loader vs. the local-css loader just sets the default behavior for identifiers, but you can override it on a case-by-case basis as necessary. For example:

        :local(.button) {
          color: red;
        }
        :global(.button) {
          color: blue;
        }

        Processing this CSS file with esbuild with either the global-css or local-css loader will result in something like this:

        .stdin_button {
          color: red;
        }
        .button {
          color: blue;
        }

      • The names that esbuild generates for local CSS names are an implementation detail and are not intended to be hard-coded anywhere. The only way you should be referencing the local CSS names in your JS or HTML is with an import statement in JS that is bundled with esbuild, as demonstrated above. For example, when --minify is enabled esbuild will use a different name generation algorithm which generates names that are as short as possible (analogous to how esbuild minifies local identifiers in JS).

      • You can easily use both global CSS files and local CSS files simultaneously if you give them different file extensions. For example, you could pass --loader:.css=global-css and --loader:.module.css=local-css to esbuild so that .css files still use global names by default but .module.css files use local names by default.

      • Keep in mind that the css loader is different than the global-css loader. The :local and :global annotations are not enabled with the css loader and will be passed through unchanged. This allows you to have the option of using esbuild to process CSS containing while preserving these annotations. It also means that local CSS names are disabled by default for now (since the css loader is currently the default for CSS files). The :local and :global syntax may be enabled by default in a future release.

      Note that esbuild's implementation does not currently have feature parity with other implementations of modular CSS in similar tools. This is only a preliminary release with a partial implementation that includes some basic behavior to get the process started. Additional behavior may be added in future releases. In particular, this release does not implement:

      • The composes pragma
      • Tree shaking for unused local CSS
      • Local names for keyframe animations, grid lines, @container, @counter-style, etc.

      Issue #20 (the issue for this feature) is esbuild's most-upvoted issue! While this release still leaves that issue open, it's an important first step in that direction.

    • Parse :is, :has, :not, and :where in CSS

      With this release, esbuild will now parse the contents of these pseudo-class selectors as a selector list. This means you will now get syntax warnings within these selectors for invalid selector syntax. It also means that esbuild's CSS nesting transform behaves slightly differently than before because esbuild is now operating on an AST instead of a token stream. For example:

      /* Original code */
      div {
        :where(.foo&) {
          color: red;
        }
      }

      /* Old output (with --target=chrome90) */
      :where(.foo:is(div)) {
        color: red;
      }

      /* New output (with --target=chrome90) */
      :where(div.foo) {
        color: red;
      }

  • 0.18.13 - 2023-07-15
    • Add the --drop-labels= option (#2398)

      If you want to conditionally disable some development-only code and have it not be present in the final production bundle, right now the most straightforward way of doing this is to use the --define: flag along with a specially-named global variable. For example, consider the following code:

      function main() {
        DEV && doAnExpensiveCheck()
      }

      You can build this for development and production like this:

      • Development: esbuild --define:DEV=true
      • Production: esbuild --define:DEV=false

      One drawback of this approach is that the resulting code crashes if you don't provide a value for DEV with --define:. In practice this isn't that big of a problem, and there are also various ways to work around this.

      However, another approach that avoids this drawback is to use JavaScript label statements instead. That's what the --drop-labels= flag implements. For example, consider the following code:

      function main() {
        DEV: doAnExpensiveCheck()
      }

      With this release, you can now build this for development and production like this:

      • Development: esbuild
      • Production: esbuild --drop-labels=DEV

      This means that code containing optional development-only checks can now be written such that it's safe to run without any additional configuration. The --drop-labels= flag takes a comma-separated list of multiple label names to drop.

    • Avoid causing unhandledRejection during shutdown (#3219)

      All pending esbuild JavaScript API calls are supposed to fail if esbuild's underlying child process is unexpectedly terminated. This can happen if SIGINT is sent to the parent node process with Ctrl+C, for example. Previously doing this could also cause an unhandled promise rejection when esbuild attempted to communicate this failure to its own child process that no longer exists. This release now swallows this communication failure, which should prevent this internal unhandled promise rejection. This change means that you can now use esbuild's JavaScript API with a custom SIGINT handler that extends the lifetime of the node process without esbuild's internals causing an early exit due to an unhandled promise rejection.

    • Update browser compatibility table scripts

      The scripts that esbuild uses to compile its internal browser compatibility table have been overhauled. Briefly:

      • Converted from JavaScript to TypeScript
      • Fixed some bugs that resulted in small changes to the table
      • Added caniuse-lite and @mdn/browser-compat-data as new data sources (replacing manually-copied information)

      This change means it's now much easier to keep esbuild's internal compatibility tables up to date. You can review the table changes here if you need to debug something about this change:

from esbuild GitHub release notes
Commit messages
Package name: esbuild
  • af0fe32 publish 0.18.14 to npm
  • fd1ddfa css: implement bare `:global` and `:local`
  • 5c23bee css: match other local/global implementations
  • 3dc8372 css: disallow `,` in `:local` and `:global`
  • 7db1264 css: add a `global-css` loader with global symbols
  • 9ff3860 css: source map tests can now be more accurate
  • feea007 css: emit mappings for calc reductions
  • e3f6eb8 css: emit mappings for tokens
  • 9410725 css: emit mappings for subclass selectors
  • c6e14ef css: emit mappings for nesting selectors
  • 987b08a css: wrap subclass selectors in a struct
  • 1bce9c1 css: emit mappings for type selectors
  • 002e020 css: always emit mappings for symbols
  • 78d9bbe css: move mappings after indents, like js
  • 06e816c css: source mappings for combinators
  • b42b645 css: release notes for local names in css (#20)
  • 82706ab css: add source mappings for renamed local names
  • e29b8b6 css: give source mappings to closing braces
  • 058b86b css: implement `:local()` and `:global()`
  • 2bfee72 css: use character frequency analysis for minify
  • 04f6144 css: rename local names to avoid collisions
  • b935f17 move histogram stuff from `js_ast` to `ast`
  • dd7070c always run property mangling
  • 72d8235 css: add a `local-css` loader with local symbols


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.


@sonarcloud
sonarcloud bot commented Aug 8, 2023

Kudos, SonarCloud Quality Gate passed!

  • 0 Bugs (rating A)
  • 0 Vulnerabilities (rating A)
  • 0 Security Hotspots (rating A)
  • 0 Code Smells (rating A)
  • No Coverage information
  • 0.0% Duplication
