Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Upgrade esbuild from 0.18.13 to 0.19.10 #5

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

fishylunar
Copy link
Owner

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to upgrade esbuild from 0.18.13 to 0.19.10.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 18 versions ahead of your current version.
  • The recommended version was released 22 days ago, on 2023-12-19.
Release notes
Package name: esbuild
  • 0.19.10 - 2023-12-19
    • Fix glob imports in TypeScript files (#3319)

      This release fixes a problem where bundling a TypeScript file containing a glob import could emit a call to a helper function that doesn't exist. The problem happened because esbuild's TypeScript transformation removes unused imports (which is required for correctness, as they may be type-only imports) and esbuild's glob import transformation wasn't correctly marking the imported helper function as used. This wasn't caught earlier because most of esbuild's glob import tests were written in JavaScript, not in TypeScript.

    • Fix require() glob imports with bundling disabled (#3546)

      Previously require() calls containing glob imports were incorrectly transformed when bundling was disabled. All glob imports should only be transformed when bundling is enabled. This bug has been fixed.

    • Fix a panic when transforming optional chaining with define (#3551, #3554)

      This release fixes a case where esbuild could crash with a panic, which was triggered by using define to replace an expression containing an optional chain. Here is an example:

      // Original code
      console.log(process?.env.SHELL)

      // Old output (with --define:process.env={})
      /* panic: Internal error (while parsing "<stdin>") */

      // New output (with --define:process.env={})
      var define_process_env_default = {};
      console.log(define_process_env_default.SHELL);

      This fix was contributed by @ hi-ogawa.

    • Work around a bug in node's CommonJS export name detector (#3544)

      The export names of a CommonJS module are dynamically-determined at run time because CommonJS exports are properties on a mutable object. But the export names of an ES module are statically-determined at module instantiation time by using import and export syntax and cannot be changed at run time.

      When you import a CommonJS module into an ES module in node, node scans over the source code to attempt to detect the set of export names that the CommonJS module will end up using. That statically-determined set of names is used as the set of names that the ES module is allowed to import at module instantiation time. However, this scan appears to have bugs (or at least, can cause false positives) because it doesn't appear to do any scope analysis. Node will incorrectly consider the module to export something even if the assignment is done to a local variable instead of to the module-level exports object. For example:

      // confuseNode.js
      exports.confuseNode = function(exports) {
        // If this local is called "exports", node incorrectly
        // thinks this file has an export called "notAnExport".
        exports.notAnExport = function() {
        };
      };

      You can see that node incorrectly thinks the file confuseNode.js has an export called notAnExport when that file is loaded in an ES module context:

      $ node -e 'import("./confuseNode.js").then(console.log)'
      [Module: null prototype] {
        confuseNode: [Function (anonymous)],
        default: { confuseNode: [Function (anonymous)] },
        notAnExport: undefined
      }

      To avoid this, esbuild will now rename local variables that use the names exports and module when generating CommonJS output for the node platform.

    • Fix the return value of esbuild's super() shim (#3538)

      Some people write constructor methods that use the return value of super() instead of using this. This isn't too common because TypeScript doesn't let you do that but it can come up when writing JavaScript. Previously esbuild's class lowering transform incorrectly transformed the return value of super() into undefined. With this release, the return value of super() will now be this instead:

      // Original code
      class Foo extends Object {
      field
      constructor() {
      console.log(typeof super())
      }
      }
      new Foo

      // Old output (with --target=es6)
      class Foo extends Object {
      constructor() {
      var __super = (...args) => {
      super(...args);
      __publicField(this, "field");
      };
      console.log(typeof __super());
      }
      }
      new Foo();

      // New output (with --target=es6)
      class Foo extends Object {
      constructor() {
      var __super = (...args) => {
      super(...args);
      __publicField(this, "field");
      return this;
      };
      console.log(typeof __super());
      }
      }
      new Foo();

    • Terminate the Go GC when esbuild's stop() API is called (#3552)

      If you use esbuild with WebAssembly and pass the worker: false flag to esbuild.initialize(), then esbuild will run the WebAssembly module on the main thread. If you do this within a Deno test and that test calls esbuild.stop() to clean up esbuild's resources, Deno may complain that a setTimeout() call lasted past the end of the test. This happens when the Go is in the middle of a garbage collection pass and has scheduled additional ongoing garbage collection work. Normally calling esbuild.stop() will terminate the web worker that the WebAssembly module runs in, which will terminate the Go GC, but that doesn't happen if you disable the web worker with worker: false.

      With this release, esbuild will now attempt to terminate the Go GC in this edge case by calling clearTimeout() on these pending timeouts.

    • Apply /* @ __NO_SIDE_EFFECTS__ */ on tagged template literals (#3511)

      Tagged template literals that reference functions annotated with a @ __NO_SIDE_EFFECTS__ comment are now able to be removed via tree-shaking if the result is unused. This is a convention from Rollup. Here is an example:

      // Original code
      const html = / @ NO_SIDE_EFFECTS */ (a, ...b) => ({ a, b })
      html<span class="pl-kos">&lt;</span><span class="pl-ent">a</span><span class="pl-kos">&gt;</span>remove<span class="pl-kos">&lt;/</span><span class="pl-ent">a</span><span class="pl-kos">&gt;</span>
      x = html<span class="pl-kos">&lt;</span><span class="pl-ent">b</span><span class="pl-kos">&gt;</span>keep<span class="pl-kos">&lt;/</span><span class="pl-ent">b</span><span class="pl-kos">&gt;</span>

      // Old output (with --tree-shaking=true)
      const html = /* @ NO_SIDE_EFFECTS */ (a, ...b) => ({ a, b });
      html<span class="pl-kos">&lt;</span><span class="pl-ent">a</span><span class="pl-kos">&gt;</span>remove<span class="pl-kos">&lt;/</span><span class="pl-ent">a</span><span class="pl-kos">&gt;</span>;
      x = html<span class="pl-kos">&lt;</span><span class="pl-ent">b</span><span class="pl-kos">&gt;</span>keep<span class="pl-kos">&lt;/</span><span class="pl-ent">b</span><span class="pl-kos">&gt;</span>;

      // New output (with --tree-shaking=true)
      const html = /* @ NO_SIDE_EFFECTS */ (a, ...b) => ({ a, b });
      x = html<span class="pl-kos">&lt;</span><span class="pl-ent">b</span><span class="pl-kos">&gt;</span>keep<span class="pl-kos">&lt;/</span><span class="pl-ent">b</span><span class="pl-kos">&gt;</span>;

      Note that this feature currently only works within a single file, so it's not especially useful. This feature does not yet work across separate files. I still recommend using @ __PURE__ annotations instead of this feature, as they have wider tooling support. The drawback of course is that @ __PURE__ annotations need to be added at each call site, not at the declaration, and for non-call expressions such as template literals you need to wrap the expression in an IIFE (immediately-invoked function expression) to create a call expression to apply the @ __PURE__ annotation to.

    • Publish builds for IBM AIX PowerPC 64-bit (#3549)

      This release publishes a binary executable to npm for IBM AIX PowerPC 64-bit, which means that in theory esbuild can now be installed in that environment with npm install esbuild. This hasn't actually been tested yet. If you have access to such a system, it would be helpful to confirm whether or not doing this actually works.

  • 0.19.9 - 2023-12-10
    Read more
  • 0.19.8 - 2023-11-26
    • Add a treemap chart to esbuild's bundle analyzer (#2848)

      The bundler analyzer on esbuild's website (https://esbuild.github.io/analyze/) now has a treemap chart type in addition to the two existing chart types (sunburst and flame). This should be more familiar for people coming from other similar tools, as well as make better use of large screens.

    • Allow decorators after the export keyword (#104)

      Previously esbuild's decorator parser followed the original behavior of TypeScript's experimental decorators feature, which only allowed decorators to come before the export keyword. However, the upcoming JavaScript decorators feature also allows decorators to come after the export keyword. And with TypeScript 5.0, TypeScript now also allows experimental decorators to come after the export keyword too. So esbuild now allows this as well:

      // This old syntax has always been permitted:
      @decorator export class Foo {}
      @decorator export default class Foo {}

      // This new syntax is now permitted too:
      export @decorator class Foo {}
      export default @decorator class Foo {}

      In addition, esbuild's decorator parser has been rewritten to fix several subtle and likely unimportant edge cases with esbuild's parsing of exports and decorators in TypeScript (e.g. TypeScript apparently does automatic semicolon insertion after interface and export interface but not after export default interface).

    • Pretty-print decorators using the same whitespace as the original

      When printing code containing decorators, esbuild will now try to respect whether the original code contained newlines after the decorator or not. This can make generated code containing many decorators much more compact to read:

      // Original code
      class Foo {
      @a @b @c abc
      @x @y @z xyz
      }

      // Old output
      class Foo {
      @a
      @b
      @c
      abc;
      @x
      @y
      @z
      xyz;
      }

      // New output
      class Foo {
      @a @b @c abc;
      @x @y @z xyz;
      }

  • 0.19.7 - 2023-11-21
    Read more
  • 0.19.6 - 2023-11-19
    Read more
  • 0.19.5 - 2023-10-17
    Read more
  • 0.19.4 - 2023-09-28
    Read more
  • 0.19.3 - 2023-09-14
    Read more
  • 0.19.2 - 2023-08-14
    Read more
  • 0.19.1 - 2023-08-11
    Read more
  • 0.19.0 - 2023-08-08
  • 0.18.20 - 2023-08-08
  • 0.18.19 - 2023-08-07
  • 0.18.18 - 2023-08-05
  • 0.18.17 - 2023-07-26
  • 0.18.16 - 2023-07-23
  • 0.18.15 - 2023-07-20
  • 0.18.14 - 2023-07-18
  • 0.18.13 - 2023-07-15
from esbuild GitHub release notes
Commit messages
Package name: esbuild
  • 55e1127 publish 0.19.10 to npm
  • d968af2 fix #3511: `@ __NO_SIDE_EFFECTS__` with templates
  • 00c4ebe fix #3546: don't transform `require` glob imports
  • e1b7050 fix #3319: missing symbol usage in glob transform
  • 461ca73 add the `@ esbuild/aix-ppc64` package for ibm aix (#3550)
  • 190ca99 truncate a long url in a comment
  • 6c41900 add Safari compat data for arbitrary module namespace names (#3520)
  • f38cbe6 fix #3552: calling `stop()` now clears go timeouts
  • 7a225ff make a few code edits from some random github bot
  • aa46b2c fix some build script comments
  • de99656 mention #3551 in the release notes
  • accfb14 fix: fix panic when optional chain partially replaced with defines (#3554)
  • b76b54f run `make update-compat-table`
  • 109449e fix #3544: hack around node cjs export name bugs
  • e088f66 fix #3543: update go 1.20.10 => 1.20.12
  • 566b295 fix #3538: `super()` return: `undefined` => `this`
  • ce4f100 css gradients: remove more implied positions
  • 9edc9d4 publish 0.19.9 to npm
  • 791619e release notes: link to gradient tests
  • 83b4171 css: implement lowering of gradient syntax
  • 4a3b265 css: fix `calc()` inlining whitespace bug
  • 90989ec remove a stray log statement
  • f260285 css gradients: handle color transition hints
  • e4c55af css gradients: lower colors, fix double positions

Compare


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

Copy link

sonarcloud bot commented Jan 9, 2024

Quality Gate Passed Quality Gate passed

Kudos, no new issues were introduced!

0 New issues
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants