Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Upgrade esbuild from 0.18.13 to 0.21.1 #12

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

fishylunar
Copy link
Owner

This PR was automatically created by Snyk using the credentials of a real user.


![snyk-top-banner](https://github.com/andygongea/OWASP-Benchmark/assets/818805/c518c423-16fe-447e-b67f-ad5a49b5d123)

Snyk has created this PR to upgrade esbuild from 0.18.13 to 0.21.1.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 25 versions ahead of your current version.

  • The recommended version was released on 22 days ago.

Release notes
Package name: esbuild
  • 0.21.1 - 2024-05-07
    • Fix a regression with --keep-names (#3756)

      The previous release introduced a regression with the --keep-names setting and object literals with get/set accessor methods, in which case the generated code contained syntax errors. This release fixes the regression:

      // Original code
      x = { get y() {} }

      // Output from version 0.21.0 (with --keep-names)
      x = { get y: /* @ PURE */ __name(function() {
      }, "y") };

      // Output from this version (with --keep-names)
      x = { get y() {
      } };

  • 0.21.0 - 2024-05-07

    This release doesn't contain any deliberately-breaking changes. However, it contains a very complex new feature and while all of esbuild's tests pass, I would not be surprised if an important edge case turns out to be broken. So I'm releasing this as a breaking change release to avoid causing any trouble. As usual, make sure to test your code when you upgrade.

    • Implement the JavaScript decorators proposal (#104)

      With this release, esbuild now contains an implementation of the upcoming JavaScript decorators proposal. This is the same feature that shipped in TypeScript 5.0 and has been highly-requested on esbuild's issue tracker. You can read more about them in that blog post and in this other (now slightly outdated) extensive blog post here: https://2ality.com/2022/10/javascript-decorators.html. Here's a quick example:

      const log = (fn, context) => function() {
      console.log(before <span class="pl-s1"><span class="pl-kos">${</span><span class="pl-s1">context</span><span class="pl-kos">.</span><span class="pl-c1">name</span><span class="pl-kos">}</span></span>)
      const it = fn.apply(this, arguments)
      console.log(after <span class="pl-s1"><span class="pl-kos">${</span><span class="pl-s1">context</span><span class="pl-kos">.</span><span class="pl-c1">name</span><span class="pl-kos">}</span></span>)
      return it
      }

      class Foo {
      @log static foo() {
      console.log('in foo')
      }
      }

      // Logs "before foo", "in foo", "after foo"
      Foo.foo()

      Note that this feature is different than the existing "TypeScript experimental decorators" feature that esbuild already implements. It uses similar syntax but behaves very differently, and the two are not compatible (although it's sometimes possible to write decorators that work with both). TypeScript experimental decorators will still be supported by esbuild going forward as they have been around for a long time, are very widely used, and let you do certain things that are not possible with JavaScript decorators (such as decorating function parameters). By default esbuild will parse and transform JavaScript decorators, but you can tell esbuild to parse and transform TypeScript experimental decorators instead by setting "experimentalDecorators": true in your tsconfig.json file.

      Probably at least half of the work for this feature went into creating a test suite that exercises many of the proposal's edge cases: https://github.com/evanw/decorator-tests. It has given me a reasonable level of confidence that esbuild's initial implementation is acceptable. However, I don't have access to a significant sample of real code that uses JavaScript decorators. If you're currently using JavaScript decorators in a real code base, please try out esbuild's implementation and let me know if anything seems off.

      ⚠️ WARNING ⚠️

      This proposal has been in the works for a very long time (work began around 10 years ago in 2014) and it is finally getting close to becoming part of the JavaScript language. However, it's still a work in progress and isn't a part of JavaScript yet, so keep in mind that any code that uses JavaScript decorators may need to be updated as the feature continues to evolve. The decorators proposal is pretty close to its final form but it can and likely will undergo some small behavioral adjustments before it ends up becoming a part of the standard. If/when that happens, I will update esbuild's implementation to match the specification. I will not be supporting old versions of the specification.

    • Optimize the generated code for private methods

      Previously when lowering private methods for old browsers, esbuild would generate one WeakSet for each private method. This mirrors similar logic for generating one WeakSet for each private field. Using a separate WeakMap for private fields is necessary as their assignment can be observable:

      let it
      class Bar {
        constructor() {
          it = this
        }
      }
      class Foo extends Bar {
        #x = 1
        #y = null.foo
        static check() {
          console.log(#x in it, #y in it)
        }
      }
      try { new Foo } catch {}
      Foo.check()

      This prints true false because this partially-initialized instance has #x but not #y. In other words, it's not true that all class instances will always have all of their private fields. However, the assignment of private methods to a class instance is not observable. In other words, it's true that all class instances will always have all of their private methods. This means esbuild can lower private methods into code where all methods share a single WeakSet, which is smaller, faster, and uses less memory. Other JavaScript processing tools such as the TypeScript compiler already make this optimization. Here's what this change looks like:

      // Original code
      class Foo {
      #x() { return this.#x() }
      #y() { return this.#y() }
      #z() { return this.#z() }
      }

      // Old output (--supported:class-private-method=false)
      var _x, x_fn, _y, y_fn, _z, z_fn;
      class Foo {
      constructor() {
      __privateAdd(this, _x);
      __privateAdd(this, _y);
      __privateAdd(this, _z);
      }
      }
      _x = new WeakSet();
      x_fn = function() {
      return __privateMethod(this, _x, x_fn).call(this);
      };
      _y = new WeakSet();
      y_fn = function() {
      return __privateMethod(this, _y, y_fn).call(this);
      };
      _z = new WeakSet();
      z_fn = function() {
      return __privateMethod(this, _z, z_fn).call(this);
      };

      // New output (--supported:class-private-method=false)
      var _Foo_instances, x_fn, y_fn, z_fn;
      class Foo {
      constructor() {
      __privateAdd(this, _Foo_instances);
      }
      }
      _Foo_instances = new WeakSet();
      x_fn = function() {
      return __privateMethod(this, _Foo_instances, x_fn).call(this);
      };
      y_fn = function() {
      return __privateMethod(this, _Foo_instances, y_fn).call(this);
      };
      z_fn = function() {
      return __privateMethod(this, _Foo_instances, z_fn).call(this);
      };

    • Fix an obscure bug with lowering class members with computed property keys

      When class members that use newer syntax features are transformed for older target environments, they sometimes need to be relocated. However, care must be taken to not reorder any side effects caused by computed property keys. For example, the following code must evaluate a() then b() then c():

      class Foo {
        [a()]() {}
        [b()];
        static { c() }
      }

      Previously esbuild did this by shifting the computed property key forward to the next spot in the evaluation order. Classes evaluate all computed keys first and then all static class elements, so if the last computed key needs to be shifted, esbuild previously inserted a static block at start of the class body, ensuring it came before all other static class elements:

      var _a;
      class Foo {
        constructor() {
          __publicField(this, _a);
        }
        static {
          _a = b();
        }
        [a()]() {
        }
        static {
          c();
        }
      }

      However, this could cause esbuild to accidentally generate a syntax error if the computed property key contains code that isn't allowed in a static block, such as an await expression. With this release, esbuild fixes this problem by shifting the computed property key backward to the previous spot in the evaluation order instead, which may push it into the extends clause or even before the class itself:

      a() {
      }
      static {
      c();
      }
      }

      // New output (with --supported:class-field=false)
      var _a, _b;
      class Foo {
      constructor() {
      __publicField(this, _a);
      }
      (_b = a(), _a = await b(), _b) {
      }
      static {
      c();
      }
      }">

      // Original code
      class Foo {
      [a()]() {}
      [await b()];
      static { c() }
      }

      // Old output (with --supported:class-field=false)
      var _a;
      class Foo {
      constructor() {
      __publicField(this, _a);
      }
      static {
      _a = await b();
      }
      [a()]() {
      }
      static {
      c();
      }
      }

      // New output (with --supported:class-field=false)
      var _a, _b;
      class Foo {
      constructor() {
      __publicField(this, _a);
      }
      [(_b = a(), _a = await b(), _b)]() {
      }
      static {
      c();
      }
      }

    • Fix some --keep-names edge cases

      The NamedEvaluation syntax-directed operation in the JavaScript specification gives certain anonymous expressions a name property depending on where they are in the syntax tree. For example, the following initializers convey a name value:

      var foo = function() {}
      var bar = class {}
      console.log(foo.name, bar.name)

      When you enable esbuild's --keep-names setting, esbuild generates additional code to represent this NamedEvaluation operation so that the value of the name property persists even when the identifiers are renamed (e.g. due to minification).

      However, I recently learned that esbuild's implementation of NamedEvaluation is missing a few cases. Specifically esbuild was missing property definitions, class initializers, logical-assignment operators. These cases should now all be handled:

      var obj = { foo: function() {} }
      class Foo0 { foo = function() {} }
      class Foo1 { static foo = function() {} }
      class Foo2 { accessor foo = function() {} }
      class Foo3 { static accessor foo = function() {} }
      foo ||= function() {}
      foo &&= function() {}
      foo ??= function() {}
  • 0.20.2 - 2024-03-14
    • Support TypeScript experimental decorators on abstract class fields (#3684)

      With this release, you can now use TypeScript experimental decorators on abstract class fields. This was silently compiled incorrectly in esbuild 0.19.7 and below, and was an error from esbuild 0.19.8 to esbuild 0.20.1. Code such as the following should now work correctly:

      // Original code
      const log = (x: any, y: string) => console.log(y)
      abstract class Foo { @log abstract foo: string }
      new class extends Foo { foo = '' }

      // Old output (with --loader=ts --tsconfig-raw={"compilerOptions":{"experimentalDecorators":true}})
      const log = (x, y) => console.log(y);
      class Foo {
      }
      new class extends Foo {
      foo = "";
      }();

      // New output (with --loader=ts --tsconfig-raw={"compilerOptions":{"experimentalDecorators":true}})
      const log = (x, y) => console.log(y);
      class Foo {
      }
      __decorateClass([
      log
      ], Foo.prototype, "foo", 2);
      new class extends Foo {
      foo = "";
      }();

    • JSON loader now preserves __proto__ properties (#3700)

      Copying JSON source code into a JavaScript file will change its meaning if a JSON object contains the __proto__ key. A literal __proto__ property in a JavaScript object literal sets the prototype of the object instead of adding a property named __proto__, while a literal __proto__ property in a JSON object literal just adds a property named __proto__. With this release, esbuild will now work around this problem by converting JSON to JavaScript with a computed property key in this case:

      // Original code
      import data from 'data:application/json,{"proto":{"fail":true}}'
      if (Object.getPrototypeOf(data)?.fail) throw 'fail'

      // Old output (with --bundle)
      (() => {
      // <data:application/json,{"proto":{"fail":true}}>
      var json_proto_fail_true_default = { proto: { fail: true } };

      // entry.js
      if (Object.getPrototypeOf(json_proto_fail_true_default)?.fail)
      throw "fail";
      })();

      // New output (with --bundle)
      (() => {
      // <data:application/json,{"proto":{"fail":true}}>
      var json_proto_fail_true_default = { ["proto"]: { fail: true } };

      // example.mjs
      if (Object.getPrototypeOf(json_proto_fail_true_default)?.fail)
      throw "fail";
      })();

    • Improve dead code removal of switch statements (#3659)

      With this release, esbuild will now remove switch statements in branches when minifying if they are known to never be evaluated:

      // Original code
      if (true) foo(); else switch (bar) { case 1: baz(); break }

      // Old output (with --minify)
      if(1)foo();else switch(bar){case 1:}

      // New output (with --minify)
      foo();

    • Empty enums should behave like an object literal (#3657)

      TypeScript allows you to create an empty enum and add properties to it at run time. While people usually use an empty object literal for this instead of a TypeScript enum, esbuild's enum transform didn't anticipate this use case and generated undefined instead of {} for an empty enum. With this release, you can now use an empty enum to generate an empty object literal.

      // Original code
      enum Foo {}

      // Old output (with --loader=ts)
      var Foo = /* @ PURE */ ((Foo2) => {
      })(Foo || {});

      // New output (with --loader=ts)
      var Foo = /* @ PURE */ ((Foo2) => {
      return Foo2;
      })(Foo || {});

    • Handle Yarn Plug'n'Play edge case with tsconfig.json (#3698)

      Previously a tsconfig.json file that extends another file in a package with an exports map failed to work when Yarn's Plug'n'Play resolution was active. This edge case should work now starting with this release.

    • Work around issues with Deno 1.31+ (#3682)

      Version 0.20.0 of esbuild changed how the esbuild child process is run in esbuild's API for Deno. Previously it used Deno.run but that API is being removed in favor of Deno.Command. As part of this change, esbuild is now calling the new unref function on esbuild's long-lived child process, which is supposed to allow Deno to exit when your code has finished running even though the child process is still around (previously you had to explicitly call esbuild's stop() function to terminate the child process for Deno to be able to exit).

      However, this introduced a problem for Deno's testing API which now fails some tests that use esbuild with error: Promise resolution is still pending but the event loop has already resolved. It's unclear to me why this is happening. The call to unref was recommended by someone on the Deno core team, and calling Node's equivalent unref API has been working fine for esbuild in Node for a long time. It could be that I'm using it incorrectly, or that there's some reference counting and/or garbage collection bug in Deno's internals, or that Deno's unref just works differently than Node's unref. In any case, it's not good for Deno tests that use esbuild to be failing.

      In this release, I am removing the call to unref to fix this issue. This means that you will now have to call esbuild's stop() function to allow Deno to exit, just like you did before esbuild version 0.20.0 when this regression was introduced.

      Note: This regression wasn't caught earlier because Deno doesn't seem to fail tests that have outstanding setTimeout calls, which esbuild's test harness was using to enforce a maximum test runtime. Adding a setTimeout was allowing esbuild's Deno tests to succeed. So this regression doesn't necessarily apply to all people using tests in Deno.

  • 0.20.1 - 2024-02-19
    • Fix a bug with the CSS nesting transform (#3648)

      This release fixes a bug with the CSS nesting transform for older browsers where the generated CSS could be incorrect if a selector list contained a pseudo element followed by another selector. The bug was caused by incorrectly mutating the parent rule's selector list when filtering out pseudo elements for the child rules:

      / Original code */
      .foo {
      &:after,
      & .bar {
      color: red;
      }
      }

      /* Old output (with --supported:nesting=false) */
      .foo .bar,
      .foo .bar {
      color: red;
      }

      /* New output (with --supported:nesting=false) */
      .foo:after,
      .foo .bar {
      color: red;
      }

    • Constant folding for JavaScript inequality operators (#3645)

      This release introduces constant folding for the < > <= >= operators. The minifier will now replace these operators with true or false when both sides are compile-time numeric or string constants:

      // Original code
      console.log(1 < 2, '🍕' > '🧀')

      // Old output (with --minify)
      console.log(1<2,"🍕">"🧀");

      // New output (with --minify)
      console.log(!0,!1);

    • Better handling of __proto__ edge cases (#3651)

      JavaScript object literal syntax contains a special case where a non-computed property with a key of __proto__ sets the prototype of the object. This does not apply to computed properties or to properties that use the shorthand property syntax introduced in ES6. Previously esbuild didn't correctly preserve the "sets the prototype" status of properties inside an object literal, meaning a property that sets the prototype could accidentally be transformed into one that doesn't and vice versa. This has now been fixed:

      // Original code
      function foo(proto) {
      return { proto: proto } // Note: sets the prototype
      }
      function bar(proto, proto) {
      {
      let proto = proto
      return { proto } // Note: doesn't set the prototype
      }
      }

      // Old output
      function foo(proto) {
      return { proto }; // Note: no longer sets the prototype (WRONG)
      }
      function bar(proto, proto) {
      {
      let __proto__2 = proto;
      return { proto: __proto__2 }; // Note: now sets the prototype (WRONG)
      }
      }

      // New output
      function foo(proto) {
      return { proto: proto }; // Note: sets the prototype (correct)
      }
      function bar(proto, proto) {
      {
      let __proto__2 = proto;
      return { ["proto"]: __proto__2 }; // Note: doesn't set the prototype (correct)
      }
      }

    • Fix cross-platform non-determinism with CSS color space transformations (#3650)

      The Go compiler takes advantage of "fused multiply and add" (FMA) instructions on certain processors which do the operation x*y + z without intermediate rounding. This causes esbuild's CSS color space math to differ on different processors (currently ppc64le and s390x), which breaks esbuild's guarantee of deterministic output. To avoid this, esbuild's color space math now inserts a float64() cast around every single math operation. This tells the Go compiler not to use the FMA optimization.

    • Fix a crash when resolving a path from a directory that doesn't exist (#3634)

      This release fixes a regression where esbuild could crash when resolving an absolute path if the source directory for the path resolution operation doesn't exist. While this situation doesn't normally come up, it could come up when running esbuild concurrently with another operation that mutates the file system as esbuild is doing a build (such as using git to switch branches). The underlying problem was a regression that was introduced in version 0.18.0.

  • 0.20.0 - 2024-01-27

    This release deliberately contains backwards-incompatible changes. To avoid automatically picking up releases like this, you should either be pinning the exact version of esbuild in your package.json file (recommended) or be using a version range syntax that only accepts patch upgrades such as ^0.19.0 or ~0.19.0. See npm's documentation about semver for more inform...

Snyk has created this PR to upgrade esbuild from 0.18.13 to 0.21.1.

See this package in npm:
esbuild

See this project in Snyk:
https://app.snyk.io/org/lunar-gg/project/1b4fb9b6-054d-41b6-b2f6-4009b602faa6?utm_source=github&utm_medium=referral&page=upgrade-pr
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants