[Snyk] Upgrade esbuild from 0.17.19 to 0.19.10 #70
This PR was automatically created by Snyk using the credentials of a real user.
Snyk has created this PR to upgrade esbuild from 0.17.19 to 0.19.10.
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
Release notes
Package name: esbuild
Fix glob imports in TypeScript files (#3319)
This release fixes a problem where bundling a TypeScript file containing a glob import could emit a call to a helper function that doesn't exist. The problem happened because esbuild's TypeScript transformation removes unused imports (which is required for correctness, as they may be type-only imports) and esbuild's glob import transformation wasn't correctly marking the imported helper function as used. This wasn't caught earlier because most of esbuild's glob import tests were written in JavaScript, not in TypeScript.
Fix `require()` glob imports with bundling disabled (#3546)
Previously `require()` calls containing glob imports were incorrectly transformed when bundling was disabled. All glob imports should only be transformed when bundling is enabled. This bug has been fixed.
Fix a panic when transforming optional chaining with `define` (#3551, #3554)
This release fixes a case where esbuild could crash with a panic, which was triggered by using `define` to replace an expression containing an optional chain. Here is an example:
```js
// Original code
console.log(process?.env.SHELL)

// Old output (with --define:process.env={})
/* panic: Internal error (while parsing "<stdin>") */

// New output (with --define:process.env={})
var define_process_env_default = {};
console.log(define_process_env_default.SHELL);
```
This fix was contributed by @hi-ogawa.
Work around a bug in node's CommonJS export name detector (#3544)
The export names of a CommonJS module are dynamically-determined at run time because CommonJS exports are properties on a mutable object. But the export names of an ES module are statically-determined at module instantiation time by using `import` and `export` syntax and cannot be changed at run time.
When you import a CommonJS module into an ES module in node, node scans over the source code to attempt to detect the set of export names that the CommonJS module will end up using. That statically-determined set of names is used as the set of names that the ES module is allowed to import at module instantiation time. However, this scan appears to have bugs (or at least, can cause false positives) because it doesn't appear to do any scope analysis. Node will incorrectly consider the module to export something even if the assignment is done to a local variable instead of to the module-level `exports` object. For example:
You can see that node incorrectly thinks the file `confuseNode.js` has an export called `notAnExport` when that file is loaded in an ES module context:
To avoid this, esbuild will now rename local variables that use the names `exports` and `module` when generating CommonJS output for the `node` platform.
Fix the return value of esbuild's `super()` shim (#3538)
Some people write `constructor` methods that use the return value of `super()` instead of using `this`. This isn't too common because TypeScript doesn't let you do that but it can come up when writing JavaScript. Previously esbuild's class lowering transform incorrectly transformed the return value of `super()` into `undefined`. With this release, the return value of `super()` will now be `this` instead:
```js
// Original code
class Foo extends Object {
  field
  constructor() {
    console.log(typeof super())
  }
}
new Foo

// Old output (with --target=es6)
class Foo extends Object {
  constructor() {
    var __super = (...args) => {
      super(...args);
      __publicField(this, "field");
    };
    console.log(typeof __super());
  }
}
new Foo();

// New output (with --target=es6)
class Foo extends Object {
  constructor() {
    var __super = (...args) => {
      super(...args);
      __publicField(this, "field");
      return this;
    };
    console.log(typeof __super());
  }
}
new Foo();
```
Terminate the Go GC when esbuild's `stop()` API is called (#3552)
If you use esbuild with WebAssembly and pass the `worker: false` flag to `esbuild.initialize()`, then esbuild will run the WebAssembly module on the main thread. If you do this within a Deno test and that test calls `esbuild.stop()` to clean up esbuild's resources, Deno may complain that a `setTimeout()` call lasted past the end of the test. This happens when Go is in the middle of a garbage collection pass and has scheduled additional ongoing garbage collection work. Normally calling `esbuild.stop()` will terminate the web worker that the WebAssembly module runs in, which will terminate the Go GC, but that doesn't happen if you disable the web worker with `worker: false`.
With this release, esbuild will now attempt to terminate the Go GC in this edge case by calling `clearTimeout()` on these pending timeouts.
Apply `/* @__NO_SIDE_EFFECTS__ */` on tagged template literals (#3511)
Tagged template literals that reference functions annotated with a `@__NO_SIDE_EFFECTS__` comment are now able to be removed via tree-shaking if the result is unused. This is a convention from Rollup. Here is an example:
```js
// Original code
const html = /* @__NO_SIDE_EFFECTS__ */ (a, ...b) => ({ a, b })
html`<a>remove</a>`
x = html`<b>keep</b>`

// Old output (with --tree-shaking=true)
const html = /* @__NO_SIDE_EFFECTS__ */ (a, ...b) => ({ a, b });
html`<a>remove</a>`;
x = html`<b>keep</b>`;

// New output (with --tree-shaking=true)
const html = /* @__NO_SIDE_EFFECTS__ */ (a, ...b) => ({ a, b });
x = html`<b>keep</b>`;
```
Note that this feature currently only works within a single file, so it's not especially useful. This feature does not yet work across separate files. I still recommend using `@__PURE__` annotations instead of this feature, as they have wider tooling support. The drawback of course is that `@__PURE__` annotations need to be added at each call site, not at the declaration, and for non-call expressions such as template literals you need to wrap the expression in an IIFE (immediately-invoked function expression) to create a call expression to apply the `@__PURE__` annotation to.
Publish builds for IBM AIX PowerPC 64-bit (#3549)
This release publishes a binary executable to npm for IBM AIX PowerPC 64-bit, which means that in theory esbuild can now be installed in that environment with `npm install esbuild`. This hasn't actually been tested yet. If you have access to such a system, it would be helpful to confirm whether or not doing this actually works.
Add a treemap chart to esbuild's bundle analyzer (#2848)
The bundler analyzer on esbuild's website (https://esbuild.github.io/analyze/) now has a treemap chart type in addition to the two existing chart types (sunburst and flame). This should be more familiar for people coming from other similar tools, as well as make better use of large screens.
Allow decorators after the `export` keyword (#104)
Previously esbuild's decorator parser followed the original behavior of TypeScript's experimental decorators feature, which only allowed decorators to come before the `export` keyword. However, the upcoming JavaScript decorators feature also allows decorators to come after the `export` keyword. And with TypeScript 5.0, TypeScript now also allows experimental decorators to come after the `export` keyword too. So esbuild now allows this as well:
```ts
@decorator export class Foo {}
@decorator export default class Foo {}

// This new syntax is now permitted too:
export @decorator class Foo {}
export default @decorator class Foo {}
```
In addition, esbuild's decorator parser has been rewritten to fix several subtle and likely unimportant edge cases with esbuild's parsing of exports and decorators in TypeScript (e.g. TypeScript apparently does automatic semicolon insertion after `interface` and `export interface` but not after `export default interface`).
Pretty-print decorators using the same whitespace as the original
When printing code containing decorators, esbuild will now try to respect whether the original code contained newlines after the decorator or not. This can make generated code containing many decorators much more compact to read:
```js
// Original code
class Foo {
  @a @b @c abc
  @x @y @z xyz
}

// Old output
class Foo {
  @a
  @b
  @c
  abc;
  @x
  @y
  @z
  xyz;
}

// New output
class Foo {
  @a @b @c abc;
  @x @y @z xyz;
}
```
Commit messages
Package name: esbuild
transformPage
sveltejs/kit#3511: `@__NO_SIDE_EFFECTS__` with templates
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.
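The CommonJS export-name false positive described in the release note for #3544 can be reproduced with node alone. This is an added example, not part of the PR, Snyk's text or esbuild's code. The helper names, the temporary directory and the renamed local `exports2` are assumptions; `confuseNode.js` and `notAnExport` are the names the release note uses.

```javascript
// Added example: needs only Node.js. Names other than confuseNode.js,
// confuseNode and notAnExport are hypothetical.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
const { execFileSync } = require('node:child_process');

// CommonJS source whose only real export is `confuseNode`. The inner
// assignment targets a function parameter named `localName`, not the
// module-level exports object.
function cjsSource(localName) {
  return [
    `exports.confuseNode = function (${localName}) {`,
    `  ${localName}.notAnExport = function () {};`,
    '};',
    '',
  ].join('\n');
}

// Write the file, import it from an ES module in a child node process,
// and return the export names node put on the module namespace.
function esmExportNames(localName) {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'cjs-names-'));
  try {
    // Pin the directory to CommonJS regardless of any parent package.json.
    fs.writeFileSync(path.join(dir, 'package.json'), '{"type":"commonjs"}');
    fs.writeFileSync(path.join(dir, 'confuseNode.js'), cjsSource(localName));
    const probe =
      'import * as ns from "./confuseNode.js";' +
      'console.log(JSON.stringify(Object.keys(ns)));';
    const out = execFileSync(
      process.execPath,
      ['--input-type=module', '-e', probe],
      { cwd: dir, encoding: 'utf8' },
    );
    return JSON.parse(out);
  } finally {
    fs.rmSync(dir, { recursive: true, force: true });
  }
}

// Local named `exports`: node's scan reports a phantom `notAnExport`.
console.log('local "exports": ', esmExportNames('exports'));
// Local renamed, as the release note says esbuild now does for CommonJS
// output on the node platform: the phantom name is gone.
console.log('local "exports2":', esmExportNames('exports2'));
```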