chore(deps): update typescript dependencies #429

renovate-bot · 2022-12-19T00:27:42Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@types/node (source)	`16.18.8` -> `16.18.11`
dompurify	`2.4.1` -> `2.4.2`
esbuild	`0.16.5` -> `0.16.14`
fastify (source)	`4.10.2` -> `4.11.0`

Release Notes

cure53/DOMPurify

`v2.4.2`: DOMPurify 2.4.2

Compare Source

Fixed a Trusted Types sink violation with empty input and NAMESPACE , thanks @tosmolka
Fixed a Prototype Pollution issue discovered and reported by @kevin-mizu

evanw/esbuild

`v0.16.14`

Compare Source

Preserve some comments in expressions (#2721)

Various tools give semantic meaning to comments embedded inside of expressions. For example, Webpack and Vite have special "magic comments" that can be used to affect code splitting behavior:
```
import(/* webpackChunkName: "foo" */ '../foo');
import(/* @&#8203;vite-ignore */ dynamicVar);
new Worker(/* webpackChunkName: "bar" */ new URL("../bar.ts", import.meta.url));
new Worker(new URL('./path', import.meta.url), /* @&#8203;vite-ignore */ dynamicOptions);
```
Since esbuild can be used as a preprocessor for these tools (e.g. to strip TypeScript types), it can be problematic if esbuild doesn't do additional work to try to retain these comments. Previously esbuild special-cased Webpack comments in these specific locations in the AST. But Vite would now like to use similar comments, and likely other tools as well.

So with this release, esbuild now will attempt to preserve some comments inside of expressions in more situations than before. This behavior is mainly intended to preserve these special "magic comments" that are meant for other tools to consume, although esbuild will no longer only preserve Webpack-specific comments so it should now be tool-agnostic. There is no guarantee that all such comments will be preserved (especially when --minify-syntax is enabled). So this change does not mean that esbuild is now usable as a code formatter. In particular comment preservation is more likely to happen with leading comments than with trailing comments. You should put comments that you want to be preserved before the relevant expression instead of after it. Also note that this change does not retain any more statement-level comments than before (i.e. comments not embedded inside of expressions). Comment preservation is not enabled when --minify-whitespace is enabled (which is automatically enabled when you use --minify).

`v0.16.13`

Compare Source

Publish a new bundle visualization tool

While esbuild provides bundle metadata via the --metafile flag, previously esbuild left analysis of it completely up to third-party tools (well, outside of the rudimentary --analyze flag). However, the esbuild website now has a built-in bundle visualization tool:
- https://esbuild.github.io/analyze/
You can pass --metafile to esbuild to output bundle metadata, then upload that JSON file to this tool to visualize your bundle. This is helpful for answering questions such as:
- Which packages are included in my bundle?
- How did a specific file get included?
- How small did a specific file compress to?
- Was a specific file tree-shaken or not?
I'm publishing this tool because I think esbuild should provide some answer to "how do I visualize my bundle" without requiring people to reach for third-party tools. At the moment the tool offers two types of visualizations: a radial "sunburst chart" and a linear "flame chart". They serve slightly different but overlapping use cases (e.g. the sunburst chart is more keyboard-accessible while the flame chart is easier with the mouse). This tool may continue to evolve over time.
Fix --metafile and --mangle-cache with --watch (#1357)

The CLI calls the Go API and then also writes out the metafile and/or mangle cache JSON files if those features are enabled. This extra step is necessary because these files are returned by the Go API as in-memory strings. However, this extra step accidentally didn't happen for all builds after the initial build when watch mode was enabled. This behavior used to work but it was broken in version 0.14.18 by the introduction of the mangle cache feature. This release fixes the combination of these features, so the metafile and mangle cache features should now work with watch mode. This behavior was only broken for the CLI, not for the JS or Go APIs.
Add an original field to the metafile

The metadata file JSON now has an additional field: each import in an input file now contains the pre-resolved path in the original field in addition to the post-resolved path in the path field. This means it's now possible to run certain additional analysis over your bundle. For example, you should be able to use this to detect when the same package subpath is represented multiple times in the bundle, either because multiple versions of a package were bundled or because a package is experiencing the dual-package hazard.

`v0.16.12`

Compare Source

Loader defaults to js for extensionless files (#2776)

Certain packages contain files without an extension. For example, the yargs package contains the file yargs/yargs which has no extension. Node, Webpack, and Parcel can all understand code that imports yargs/yargs because they assume that the file is JavaScript. However, esbuild was previously unable to understand this code because it relies on the file extension to tell it how to interpret the file. With this release, esbuild will now assume files without an extension are JavaScript files. This can be customized by setting the loader for "" (the empty string, representing files without an extension) to another loader. For example, if you want files without an extension to be treated as CSS instead, you can do that like this:
- CLI:
```
esbuild --bundle --loader:=css
```
- JS:
```
esbuild.build({
  bundle: true,
  loader: { '': 'css' },
})
```
- Go:
```
api.Build(api.BuildOptions{
  Bundle: true,
  Loader: map[string]api.Loader{"": api.LoaderCSS},
})
```
In addition, the "type" field in package.json files now only applies to files with an explicit .js, .jsx, .ts, or .tsx extension. Previously it was incorrectly applied by esbuild to all files that had an extension other than .mjs, .mts, .cjs, or .cts including extensionless files. So for example an extensionless file in a "type": "module" package is now treated as CommonJS instead of ESM.

`v0.16.11`

Compare Source

Avoid a syntax error in the presence of direct eval (#2761)

The behavior of nested function declarations in JavaScript depends on whether the code is run in strict mode or not. It would be problematic if esbuild preserved nested function declarations in its output because then the behavior would depend on whether the output was run in strict mode or not instead of respecting the strict mode behavior of the original source code. To avoid this, esbuild transforms nested function declarations to preserve the intended behavior of the original source code regardless of whether the output is run in strict mode or not:
```
// Original code
if (true) {
  function foo() {}
  console.log(!!foo)
  foo = null
  console.log(!!foo)
}
console.log(!!foo)

// Transformed code
if (true) {
  let foo2 = function() {
  };
  var foo = foo2;
  console.log(!!foo2);
  foo2 = null;
  console.log(!!foo2);
}
console.log(!!foo);
```
In the above example, the original code should print true false true because it's not run in strict mode (it doesn't contain "use strict" and is not an ES module). The code that esbuild generates has been transformed such that it prints true false true regardless of whether it's run in strict mode or not.

However, this transformation is impossible if the code contains direct eval because direct eval "poisons" all containing scopes by preventing anything in those scopes from being renamed. That prevents esbuild from splitting up accesses to foo into two separate variables with different names. Previously esbuild still did this transformation but with two variables both named foo, which is a syntax error. With this release esbuild will now skip doing this transformation when direct eval is present to avoid generating code with a syntax error. This means that the generated code may no longer behave as intended since the behavior depends on the run-time strict mode setting instead of the strict mode setting present in the original source code. To fix this problem, you will need to remove the use of direct eval.
Fix a bundling scenario involving multiple symlinks (#2773, #2774)

This release contains a fix for a bundling scenario involving an import path where multiple path segments are symlinks. Previously esbuild was unable to resolve certain import paths in this scenario, but these import paths should now work starting with this release. This fix was contributed by @onebytegone.

`v0.16.10`

Compare Source

Change the default "legal comment" behavior again (#2745)

The legal comments feature automatically gathers comments containing @license or @preserve and puts the comments somewhere (either in the generated code or in a separate file). This behavior used to be on by default but was disabled by default in version 0.16.0 because automatically inserting comments is potentially confusing and misleading. These comments can appear to be assigning the copyright of your code to another entity. And this behavior can be especially problematic if it happens automatically by default since you may not even be aware of it happening. For example, if you bundle the TypeScript compiler the preserving legal comments means your source code would contain this comment, which appears to be assigning the copyright of all of your code to Microsoft:

/*! *****************************************************************************
Copyright (c) Microsoft Corporation. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use
this file except in compliance with the License. You may obtain a copy of the
License at http://www.apache.org/licenses/LICENSE-2.0

THIS CODE IS PROVIDED ON AN *AS IS* BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, EITHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION ANY IMPLIED
WARRANTIES OR CONDITIONS OF TITLE, FITNESS FOR A PARTICULAR PURPOSE,
MERCHANTABLITY OR NON-INFRINGEMENT.

See the Apache Version 2.0 License for specific language governing permissions
and limitations under the License.
***************************************************************************** */

However, people have asked for this feature to be re-enabled by default. To resolve the confusion about what these comments are applying to, esbuild's default behavior will now be to attempt to describe which package the comments are coming from. So while this feature has been re-enabled by default, the output will now look something like this instead:

/*! Bundled license information:

typescript/lib/typescript.js:
  (*! *****************************************************************************
  Copyright (c) Microsoft Corporation. All rights reserved.
  Licensed under the Apache License, Version 2.0 (the "License"); you may not use
  this file except in compliance with the License. You may obtain a copy of the
  License at http://www.apache.org/licenses/LICENSE-2.0

  THIS CODE IS PROVIDED ON AN *AS IS* BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  KIND, EITHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION ANY IMPLIED
  WARRANTIES OR CONDITIONS OF TITLE, FITNESS FOR A PARTICULAR PURPOSE,
  MERCHANTABLITY OR NON-INFRINGEMENT.

  See the Apache Version 2.0 License for specific language governing permissions
  and limitations under the License.
  ***************************************************************************** *)
*/

Note that you can still customize this behavior with the --legal-comments= flag. For example, you can use --legal-comments=none to turn this off, or you can use --legal-comments=linked to put these comments in a separate .LEGAL.txt file instead.

Enable external legal comments with the transform API (#2390)

Previously esbuild's transform API only supported none, inline, or eof legal comments. With this release, external legal comments are now also supported with the transform API. This only applies to the JS and Go APIs, not to the CLI, and looks like this:
- JS:
```
const { code, legalComments } = await esbuild.transform(input, {
  legalComments: 'external',
})
```
- Go:
```
result := api.Transform(input, api.TransformOptions{
  LegalComments: api.LegalCommentsEndOfFile,
})
code := result.Code
legalComments := result.LegalComments
```
Fix duplicate function declaration edge cases (#2757)

The change in the previous release to forbid duplicate function declarations in certain cases accidentally forbid some edge cases that should have been allowed. Specifically duplicate function declarations are forbidden in nested blocks in strict mode and at the top level of modules, but are allowed when they are declared at the top level of function bodies. This release fixes the regression by re-allowing the last case.
Allow package subpaths with alias (#2715)

Previously the names passed to the alias feature had to be the name of a package (with or without a package scope). With this release, you can now also use the alias feature with package subpaths. So for example you can now create an alias that substitutes @org/pkg/lib with something else.

`v0.16.9`

Compare Source

Update to Unicode 15.0.0

The character tables that determine which characters form valid JavaScript identifiers have been updated from Unicode version 14.0.0 to the newly-released Unicode version 15.0.0. I'm not putting an example in the release notes because all of the new characters will likely just show up as little squares since fonts haven't been updated yet. But you can read https://www.unicode.org/versions/Unicode15.0.0/#Summary for more information about the changes.
Disallow duplicate lexically-declared names in nested blocks and in strict mode

In strict mode or in a nested block, it's supposed to be a syntax error to declare two symbols with the same name unless all duplicate entries are either function declarations or all var declarations. However, esbuild was overly permissive and allowed this when duplicate entries were either function declarations or var declarations (even if they were mixed). This check has now been made more restrictive to match the JavaScript specification:
```
// JavaScript allows this
var a
function a() {}
{
  var b
  var b
  function c() {}
  function c() {}
}

// JavaScript doesn't allow this
{
  var d
  function d() {}
}
```
Add a type declaration for the new empty loader (#2755)

I forgot to add this in the previous release. It has now been added.

This fix was contributed by @fz6m.
Add support for the v flag in regular expression literals

People are currently working on adding a v flag to JavaScript regular expresions. You can read more about this flag here: https://v8.dev/features/regexp-v-flag. This release adds support for parsing this flag, so esbuild will now no longer consider regular expression literals with this flag to be a syntax error. If the target is set to something other than esnext, esbuild will transform regular expression literals containing this flag into a new RegExp() constructor call so the resulting code doesn't have a syntax error. This enables you to provide a polyfill for RegExp that implements the v flag to get your code to work at run-time. While esbuild doesn't typically adopt proposals until they're already shipping in a real JavaScript run-time, I'm adding it now because a) esbuild's implementation doesn't need to change as the proposal evolves, b) this isn't really new syntax since regular expression literals already have flags, and c) esbuild's implementation is a trivial pass-through anyway.
Avoid keeping the name of classes with static name properties

The --keep-names property attempts to preserve the original value of the name property for functions and classes even when identifiers are renamed by the minifier or to avoid a name collision. This is currently done by generating code to assign a string to the name property on the function or class object. However, this should not be done for classes with a static name property since in that case the explicitly-defined name property overwrites the automatically-generated class name. With this release, esbuild will now no longer attempt to preserve the name property for classes with a static name property.

`v0.16.8`

Compare Source

Allow plugins to resolve injected files (#2754)

Previously paths passed to the inject feature were always interpreted as file system paths. This meant that onResolve plugins would not be run for them and esbuild's default path resolver would always be used. This meant that the inject feature couldn't be used in the browser since the browser doesn't have access to a file system. This release runs paths passed to inject through esbuild's full path resolution pipeline so plugins now have a chance to handle them using onResolve callbacks. This makes it possible to write a plugin that makes esbuild's inject work in the browser.
Add the empty loader (#1541, #2753)

The new empty loader tells esbuild to pretend that a file is empty. So for example --loader:.css=empty effectively skips all imports of .css files in JavaScript so that they aren't included in the bundle, since import "./some-empty-file" in JavaScript doesn't bundle anything. You can also use the empty loader to remove asset references in CSS files. For example --loader:.png=empty causes esbuild to replace asset references such as url(image.png) with url() so that they are no longer included in the resulting style sheet.
Fix </script> and </style> escaping for non-default targets (#2748)

The change in version 0.16.0 to give control over </script> escaping via --supported:inline-script=false or --supported:inline-script=true accidentally broke automatic escaping of </script> when an explicit target setting is specified. This release restores the correct automatic escaping of </script> (which should not depend on what target is set to).
Enable the exports field with NODE_PATHS (#2752)

Node has a rarely-used feature where you can extend the set of directories that node searches for packages using the NODE_PATHS environment variable. While esbuild supports this too, previously it only supported the old main field path resolution but did not support the new exports field package resolution. This release makes the path resolution rules the same again for both node_modules directories and NODE_PATHS directories.

`v0.16.7`

Compare Source

Include file loader strings in metafile imports (#2731)

Bundling a file with the file loader copies that file to the output directory and imports a module with the path to the copied file in the default export. Previously when bundling with the file loader, there was no reference in the metafile from the JavaScript file containing the path string to the copied file. With this release, there will now be a reference in the metafile in the imports array with the kind file-loader:
```
 {
   ...
   "outputs": {
     "out/image-55CCFTCE.svg": {
       ...
     },
     "out/entry.js": {
       "imports": [
+        {
+          "path": "out/image-55CCFTCE.svg",
+          "kind": "file-loader"
+        }
       ],
       ...
     }
   }
 }
```
Fix byte counts in metafile regarding references to other output files (#2071)

Previously files that contained references to other output files had slightly incorrect metadata for the byte counts of input files which contributed to that output file. So for example if app.js imports image.png using the file loader and esbuild generates out.js and image-LSAMBFUD.png, the metadata for how many bytes of out.js are from app.js was slightly off (the metadata for the byte count of out.js was still correct). The reason is because esbuild substitutes the final paths for references between output files toward the end of the build to handle cyclic references, and the byte counts needed to be adjusted as well during the path substitution. This release fixes these byte counts (specifically the bytesInOutput values).
The alias feature now strips a trailing slash (#2730)

People sometimes add a trailing slash to the name of one of node's built-in modules to force node to import from the file system instead of importing the built-in module. For example, importing util imports node's built-in module called util but importing util/ tries to find a package called util on the file system. Previously attempting to use esbuild's package alias feature to replace imports to util with a specific file would fail because the file path would also gain a trailing slash (e.g. mapping util to ./file.js turned util/ into ./file.js/). With this release, esbuild will now omit the path suffix if it's a single trailing slash, which should now allow you to successfully apply aliases to these import paths.

`v0.16.6`

Compare Source

Do not mark subpath imports as external with --packages=external (#2741)

Node has a feature called subpath imports where special import paths that start with # are resolved using the imports field in the package.json file of the enclosing package. The intent of the newly-added --packages=external setting is to exclude a package's dependencies from the bundle. Since a package's subpath imports are only accessible within that package, it's wrong for them to be affected by --packages=external. This release changes esbuild so that --packages=external no longer affects subpath imports.
Forbid invalid numbers in JSON files

Previously esbuild parsed numbers in JSON files using the same syntax as JavaScript. But starting from this release, esbuild will now parse them with JSON syntax instead. This means the following numbers are no longer allowed by esbuild in JSON files:
- Legacy octal literals (non-zero integers starting with 0)
- The 0b, 0o, and 0x numeric prefixes
- Numbers containing _ such as 1_000
- Leading and trailing . such as 0. and .0
- Numbers with a space after the - such as - 1

Add external imports to metafile (#905, #1768, #1933, #1939)

External imports now appear in imports arrays in the metafile (which is present when bundling with metafile: true) next to normal imports, but additionally have external: true to set them apart. This applies both to files in the inputs section and the outputs section. Here's an example:

 {
   "inputs": {
     "style.css": {
       "bytes": 83,
       "imports": [
+        {
+          "path": "https://cdn.jsdelivr.net/npm/[email protected]/dist/css/bootstrap.min.css",
+          "kind": "import-rule",
+          "external": true
+        }
       ]
     },
     "app.js": {
       "bytes": 100,
       "imports": [
+        {
+          "path": "https://cdn.jsdelivr.net/npm/[email protected]/dist/js/bootstrap.min.js",
+          "kind": "import-statement",
+          "external": true
+        },
         {
           "path": "style.css",
           "kind": "import-statement"
         }
       ]
     }
   },
   "outputs": {
     "out/app.js": {
       "imports": [
+        {
+          "path": "https://cdn.jsdelivr.net/npm/[email protected]/dist/js/bootstrap.min.js",
+          "kind": "require-call",
+          "external": true
+        }
       ],
       "exports": [],
       "entryPoint": "app.js",
       "cssBundle": "out/app.css",
       "inputs": {
         "app.js": {
           "bytesInOutput": 113
         },
         "style.css": {
           "bytesInOutput": 0
         }
       },
       "bytes": 528
     },
     "out/app.css": {
       "imports": [
+        {
+          "path": "https://cdn.jsdelivr.net/npm/[email protected]/dist/css/bootstrap.min.css",
+          "kind": "import-rule",
+          "external": true
+        }
       ],
       "inputs": {
         "style.css": {
           "bytesInOutput": 0
         }
       },
       "bytes": 100
     }
   }
 }

One additional useful consequence of this is that the imports array is now populated when bundling is disabled. So you can now use esbuild with bundling disabled to inspect a file's imports.

fastify/fastify

Configuration

📅 Schedule: Branch creation - "before 3am on Monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

renovate-bot force-pushed the renovate/typescript-dependencies branch 2 times, most recently from b97d0e6 to 1d78b8e Compare December 26, 2022 18:12

renovate-bot force-pushed the renovate/typescript-dependencies branch 3 times, most recently from 4622987 to 14a3483 Compare January 1, 2023 22:40

renovate-bot changed the title ~~Update TypeScript dependencies~~ chore(deps): update typescript dependencies Jan 2, 2023

renovate-bot changed the title ~~chore(deps): update typescript dependencies~~ Update TypeScript dependencies Jan 2, 2023

renovate-bot changed the title ~~Update TypeScript dependencies~~ chore(deps): update typescript dependencies Jan 2, 2023

renovate-bot force-pushed the renovate/typescript-dependencies branch 2 times, most recently from 1c3c2d0 to 957f837 Compare January 4, 2023 20:22

chore(deps): update typescript dependencies

337ebff

renovate-bot force-pushed the renovate/typescript-dependencies branch from 957f837 to 337ebff Compare January 5, 2023 17:02

antiphoton approved these changes Jan 6, 2023

View reviewed changes

antiphoton merged commit 06d3158 into google:main Jan 6, 2023

renovate-bot deleted the renovate/typescript-dependencies branch January 6, 2023 01:05

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): update typescript dependencies #429

chore(deps): update typescript dependencies #429

renovate-bot commented Dec 19, 2022 •

edited

Loading

chore(deps): update typescript dependencies #429

chore(deps): update typescript dependencies #429

Conversation

renovate-bot commented Dec 19, 2022 • edited Loading

Release Notes

v2.4.2: DOMPurify 2.4.2

What's Changed

New Contributors

Configuration

renovate-bot commented Dec 19, 2022 •

edited

Loading

`v2.4.2`: DOMPurify 2.4.2