Bump esbuild from 0.8.57 to 0.11.20

[dependabot-preview]

Bumps esbuild from 0.8.57 to 0.11.20.

Release notes

Sourced from esbuild's releases.

v0.11.20

• Omit warning about duplicate JSON keys from inside node_modules (#1254)

  This release no longer warns about duplicate keys inside package.json files inside node_modules. There are packages like this that are published to npm, and this warning is unactionable. Now esbuild will only issue this warning outside of node_modules directories.

• Add CSS minification for box-shadow values

  The CSS box-shadow property is now minified when --mangle-syntax is enabled. This includes trimming length values and minifying color representations.

• Fix object spread transform for non-spread getters (#1259)

  When transforming an object literal containing object spread (the ... syntax), properties inside the spread should be evaluated but properties outside the spread should not be evaluated. Previously esbuild's object spread transform incorrectly evaluated properties in both cases. Consider this example:

  var obj = {
    ...{ get x() { console.log(1) } },
    get y() { console.log(3) },
  }
  console.log(2)
  obj.y

  This should print out 1 2 3 because the non-spread getter should not be evaluated. Instead, esbuild was incorrectly transforming this into code that printed 1 3 2. This issue should now be fixed with this release.

• Prevent private class members from being added more than once

  This fixes a corner case with the private class member implementation. Constructors in JavaScript can return an object other than this, so private class members can actually be added to objects other than this. This can be abused to attach completely private metadata to other objects:

  class Base {
    constructor(x) {
      return x
    }
  }
  class Derived extends Base {
    #y
    static is(z) {
      return #y in z
    }
  }
  const foo = {}
  new Derived(foo)
  console.log(Derived.is(foo)) // true

  This already worked in code transformed by esbuild for older browsers. However, calling new Derived(foo) multiple times in the above code was incorrectly allowed. This should not be allowed because it would mean that the private field #y would be re-declared. This is no longer allowed starting from this release.

v0.11.19

• Allow esbuild to be restarted in Deno (#1238)

... (truncated)

Changelog

Sourced from esbuild's changelog.

0.11.20

• Omit warning about duplicate JSON keys from inside node_modules (#1254)

  This release no longer warns about duplicate keys inside package.json files inside node_modules. There are packages like this that are published to npm, and this warning is unactionable. Now esbuild will only issue this warning outside of node_modules directories.

• Add CSS minification for box-shadow values

  The CSS box-shadow property is now minified when --mangle-syntax is enabled. This includes trimming length values and minifying color representations.

• Fix object spread transform for non-spread getters (#1259)

  When transforming an object literal containing object spread (the ... syntax), properties inside the spread should be evaluated but properties outside the spread should not be evaluated. Previously esbuild's object spread transform incorrectly evaluated properties in both cases. Consider this example:

  var obj = {
    ...{ get x() { console.log(1) } },
    get y() { console.log(3) },
  }
  console.log(2)
  obj.y

  This should print out 1 2 3 because the non-spread getter should not be evaluated. Instead, esbuild was incorrectly transforming this into code that printed 1 3 2. This issue should now be fixed with this release.

• Prevent private class members from being added more than once

  This fixes a corner case with the private class member implementation. Constructors in JavaScript can return an object other than this, so private class members can actually be added to objects other than this. This can be abused to attach completely private metadata to other objects:

  class Base {
    constructor(x) {
      return x
    }
  }
  class Derived extends Base {
    #y
    static is(z) {
      return #y in z
    }
  }
  const foo = {}
  new Derived(foo)
  console.log(Derived.is(foo)) // true

  This already worked in code transformed by esbuild for older browsers. However, calling new Derived(foo) multiple times in the above code was incorrectly allowed. This should not be allowed because it would mean that the private field #y would be re-declared. This is no longer allowed starting from this release.

0.11.19

... (truncated)

Commits

• 707f33c publish 0.11.20 to npm
• 2b0c26a fix "color: false" in the js api
• aaa0943 plugins: print errors thrown from onEnd callbacks
• 9c1f288 enforce that private members are declared once
• 87c6b66 fix #1259: getters in non-spread properties
• 7776513 css: minify "box-shadow"
• 8fccac3 fix #1254: duplicate key warning in node_modules
• 6f33433 more context for json duplicate key warning
• 4d9ece0 deno publish script: don't re-download repo
• 6fc097a publish 0.11.19 to npm
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

[dependabot-preview]

Superseded by #46.