[Snyk] Upgrade esbuild from 0.18.13 to 0.19.8 #3
This PR was automatically created by Snyk using the credentials of a real user.
Snyk has created this PR to upgrade esbuild from 0.18.13 to 0.19.8.
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
Release notes
Package name: esbuild
Add a treemap chart to esbuild's bundle analyzer (#2848)
The bundler analyzer on esbuild's website (https://esbuild.github.io/analyze/) now has a treemap chart type in addition to the two existing chart types (sunburst and flame). This should be more familiar for people coming from other similar tools, as well as make better use of large screens.
Allow decorators after the `export` keyword (#104)
Previously esbuild's decorator parser followed the original behavior of TypeScript's experimental decorators feature, which only allowed decorators to come before the `export` keyword. However, the upcoming JavaScript decorators feature also allows decorators to come after the `export` keyword. And with TypeScript 5.0, TypeScript now also allows experimental decorators to come after the `export` keyword too. So esbuild now allows this as well:

```ts
// Decorators before the export keyword (already permitted):
@decorator export class Foo {}
@decorator export default class Foo {}

// This new syntax is now permitted too:
export @decorator class Foo {}
export default @decorator class Foo {}
```

In addition, esbuild's decorator parser has been rewritten to fix several subtle and likely unimportant edge cases with esbuild's parsing of exports and decorators in TypeScript (e.g. TypeScript apparently does automatic semicolon insertion after `interface` and `export interface` but not after `export default interface`).
Pretty-print decorators using the same whitespace as the original
When printing code containing decorators, esbuild will now try to respect whether the original code contained newlines after the decorator or not. This can make generated code containing many decorators much more compact to read:

```js
// Original code
class Foo {
  @a @b @c abc
  @x @y @z xyz
}

// Old output
class Foo {
  @a
  @b
  @c
  abc;
  @x
  @y
  @z
  xyz;
}

// New output
class Foo {
  @a @b @c abc;
  @x @y @z xyz;
}
```
Add support for bundling code that uses import attributes (#3384)
JavaScript is gaining new syntax for associating a map of string key-value pairs with individual ESM imports. The proposal is still a work in progress and is still undergoing significant changes before being finalized. However, the first iteration has already been shipping in Chromium-based browsers for a while, and the second iteration has landed in V8 and is now shipping in node, so it makes sense for esbuild to support it. Here are the two major iterations of this proposal (so far):
Import assertions (deprecated, will not be standardized): `assert` keyword
Import attributes (currently set to become standardized): `with` keyword
You can already use esbuild to bundle code that uses import assertions (the first iteration). However, this feature is mostly useless for bundlers because import assertions are not allowed to affect module resolution. It's basically only useful as an annotation on external imports, which esbuild will then preserve in the output for use in a browser (which would otherwise refuse to load certain imports).
With this release, esbuild now supports bundling code that uses import attributes (the second iteration). This is much more useful for bundlers because they are allowed to affect module resolution, which means the key-value pairs can be provided to plugins. Here's an example, which uses esbuild's built-in support for the upcoming JSON module standard:

```js
import foo from './package.json' with { type: 'json' }
console.log(foo)

// On dynamic imports
const bar = await import('./package.json', { with: { type: 'json' } })
console.log(bar)
```

One important consequence of the change in semantics between import assertions and import attributes is that two imports with identical paths but different import attributes are now considered to be different modules. This is because the import attributes are provided to the loader, which might then use those attributes during loading. For example, you could imagine an image loader that produces an image of a different size depending on the import attributes.
Import attributes are now reported in the metafile and are now provided to on-load plugins as a map in the `with` property. For example, here's an esbuild plugin that turns all imports with a `type` import attribute equal to `'cheese'` into a module that exports the cheese emoji:

```js
const cheesePlugin = {
  name: 'cheese',
  setup(build) {
    build.onLoad({ filter: /.*/ }, args => {
      // args.with holds the import attributes of the import being loaded
      if (args.with.type === 'cheese') return {
        contents: `export default "🧀"`,
      }
    })
  }
}

require('esbuild').build({
  bundle: true,
  write: false,
  stdin: {
    contents: `
      import foo from 'data:text/javascript,' with { type: 'cheese' }
      console.log(foo)
    `,
  },
  plugins: [cheesePlugin],
}).then(result => {
  // Run the bundled output in-process
  const code = new Function(result.outputFiles[0].text)
  code()
})
```

Warning: It's possible that the second iteration of this feature may change significantly again even though it's already shipping in real JavaScript VMs (since it has already happened once before). In that case, esbuild may end up adjusting its implementation to match the eventual standard behavior. So keep in mind that by using this, you are using an unstable upcoming JavaScript feature that may undergo breaking changes in the future.
Adjust TypeScript experimental decorator behavior (#3230, #3326, #3394)
With this release, esbuild will now allow TypeScript experimental decorators to access both static class properties and `#private` class names. For example:

```ts
const check =
  <T,>(a: T, b: T): PropertyDecorator =>
    () => console.log(a === b)

async function test() {
  class Foo {
    static #foo = 1
    static bar = 1 + Foo.#foo
    @check(Foo.#foo, 1) a: any
    @check(Foo.bar, await Promise.resolve(2)) b: any
  }
}

test().then(() => console.log('pass'))
```

This will now print `true true pass` when compiled by esbuild. Previously esbuild evaluated TypeScript decorators outside of the class body, so it didn't allow decorators to access `Foo` or `#foo`. Now esbuild does something different, although it's hard to concisely explain exactly what esbuild is doing now (see the background section below for more information).
Note that TypeScript's experimental decorator support is currently buggy: TypeScript's compiler passes this test if only the first `@check` is present or if only the second `@check` is present, but TypeScript's compiler fails this test if both checks are present together. I haven't changed esbuild to match TypeScript's behavior exactly here because I'm waiting for TypeScript to fix these bugs instead.
Some background: TypeScript experimental decorators don't have consistent semantics regarding the context that the decorators are evaluated in. For example, TypeScript will let you use `await` within a decorator, which implies that the decorator runs outside the class body (since `await` isn't supported inside a class body), but TypeScript will also let you use `#private` names, which implies that the decorator runs inside the class body (since `#private` names are only supported inside a class body). The value of `this` in a decorator is also buggy (the run-time value of `this` changes if any decorator in the class uses a `#private` name but the type of `this` doesn't change, leading to the type checker no longer matching reality). These inconsistent semantics make it hard for esbuild to implement this feature as decorator evaluation happens in some superposition of both inside and outside the class body that is particular to the internal implementation details of the TypeScript compiler.
Forbid `--keep-names` when targeting old browsers (#3477)
The `--keep-names` setting needs to be able to assign to the `name` property on functions and classes. However, before ES6 this property was non-configurable, and attempting to assign to it would throw an error. So with this release, esbuild will no longer allow you to enable this setting while also targeting a really old browser.
Support advanced CSS `@import` rules (#953, #3137)
CSS `@import` statements have been extended to allow additional trailing tokens after the import path. These tokens sort of make the imported file behave as if it were wrapped in a `@layer`, `@supports`, and/or `@media` rule. Here are some examples:
You can read more about this advanced syntax here. With this release, esbuild will now bundle `@import` rules with these trailing tokens and will wrap the imported files in the corresponding rules. Note that this now means a given imported file can potentially appear in multiple places in the bundle. However, esbuild will still only load it once (e.g. on-load plugins will only run once per file, not once per import).
Commit messages
Package name: esbuild
Compare
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.
For more information:
🧐 View latest project report
🛠 Adjust upgrade PR settings
🔕 Ignore this dependency or unsubscribe from future upgrade PRs
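
Added example, not part of the Snyk PR or of esbuild's release notes: since the release notes above say import attributes are passed to on-load plugins in the `with` property and may influence loading, a build can fail closed on attributes it does not expect. The plugin name `import-attribute-policy`, the `ALLOWED_TYPES` allowlist and the helper `checkImportAttributes` are assumptions made for illustration.

```javascript
// Allowlist of accepted `type` import attribute values (assumption: this
// project only expects JSON modules; adjust to what your build really uses).
const ALLOWED_TYPES = new Set(['json'])

// Returns null when the attribute map is acceptable, otherwise a message
// describing the first violation. Any key other than `type` is rejected.
function checkImportAttributes(attrs) {
  for (const [key, value] of Object.entries(attrs || {})) {
    if (key !== 'type') {
      return `unsupported import attribute "${key}"`
    }
    if (!ALLOWED_TYPES.has(value)) {
      return `import attribute type "${value}" is not on the allowlist`
    }
  }
  return null
}

// esbuild plugin (hypothetical name) that turns a policy violation into a
// build error instead of letting a later plugin act on the attribute.
const importAttributePolicy = {
  name: 'import-attribute-policy',
  setup(build) {
    build.onLoad({ filter: /.*/ }, args => {
      const problem = checkImportAttributes(args.with)
      // Returning undefined hands the file on to later plugins and to
      // esbuild's default loaders.
      if (problem === null) return undefined
      return { errors: [{ text: `${args.path}: ${problem}` }] }
    })
  },
}
```

List `importAttributePolicy` first in the `plugins` array so its on-load callback runs before any plugin that acts on the attributes.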