[Snyk] Upgrade esbuild from 0.17.19 to 0.19.7 #19

leonardoadame · 2023-12-16T23:49:24Z

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to upgrade esbuild from 0.17.19 to 0.19.7.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

The recommended version is 29 versions ahead of your current version.
The recommended version was released a month ago, on 2023-11-21.

Release notes

Package name: esbuild

0.19.7 - 2023-11-21
- Add support for bundling code that uses import attributes (#3384)
 
 JavaScript is gaining new syntax for associating a map of string key-value pairs with individual ESM imports. The proposal is still a work in progress and is still undergoing significant changes before being finalized. However, the first iteration has already been shipping in Chromium-based browsers for a while, and the second iteration has landed in V8 and is now shipping in node, so it makes sense for esbuild to support it. Here are the two major iterations of this proposal (so far):
 1. Import assertions (deprecated, will not be standardized)
 - Uses the assert keyword
 - Does not affect module resolution
 - Causes an error if the assertion fails
 - Shipping in Chrome 91+ (and in esbuild 0.11.22+)
 2. Import attributes (currently set to become standardized)
 - Uses the with keyword
 - Affects module resolution
 - Unknown attributes cause an error
 - Shipping in node 21+
 You can already use esbuild to bundle code that uses import assertions (the first iteration). However, this feature is mostly useless for bundlers because import assertions are not allowed to affect module resolution. It's basically only useful as an annotation on external imports, which esbuild will then preserve in the output for use in a browser (which would otherwise refuse to load certain imports).
 
 With this release, esbuild now supports bundling code that uses import attributes (the second iteration). This is much more useful for bundlers because they are allowed to affect module resolution, which means the key-value pairs can be provided to plugins. Here's an example, which uses esbuild's built-in support for the upcoming JSON module standard:
 
 // On static imports
 import foo from './package.json' with { type: 'json' }
 console.log(foo)
 
 // On dynamic imports
 const bar = await import('./package.json', { with: { type: 'json' } })
 console.log(bar)
 
 One important consequence of the change in semantics between import assertions and import attributes is that two imports with identical paths but different import attributes are now considered to be different modules. This is because the import attributes are provided to the loader, which might then use those attributes during loading. For example, you could imagine an image loader that produces an image of a different size depending on the import attributes.
 
 Import attributes are now reported in the metafile and are now provided to on-load plugins as a map in the with property. For example, here's an esbuild plugin that turns all imports with a type import attribute equal to 'cheese' into a module that exports the cheese emoji:
 
 const cheesePlugin = {
 name: 'cheese',
 setup(build) {
 build.onLoad({ filter: /.*/ }, args => {
 if (args.with.type === 'cheese') return {
 contents: export default "🧀",
 }
 })
 }
 }
 
 require('esbuild').build({
 bundle: true,
 write: false,
 stdin: {
 contents:  import foo from 'data:text/javascript,' with { type: 'cheese' } console.log(foo)  ,
 },
 plugins: [cheesePlugin],
 }).then(result => {
 const code = new Function(result.outputFiles[0].text)
 code()
 })
 
 Warning: It's possible that the second iteration of this feature may change significantly again even though it's already shipping in real JavaScript VMs (since it has already happened once before). In that case, esbuild may end up adjusting its implementation to match the eventual standard behavior. So keep in mind that by using this, you are using an unstable upcoming JavaScript feature that may undergo breaking changes in the future.
- Adjust TypeScript experimental decorator behavior (#3230, #3326, #3394)
 
 With this release, esbuild will now allow TypeScript experimental decorators to access both static class properties and #private class names. For example:
 
 const check =
 <T,>(a: T, b: T): PropertyDecorator =>
 () => console.log(a === b)
 
 async function test() {
 class Foo {
 static #foo = 1
 static bar = 1 + Foo.#foo
 @check(Foo.#foo, 1) a: any
 @check(Foo.bar, await Promise.resolve(2)) b: any
 }
 }
 
 test().then(() => console.log('pass'))
 
 This will now print true true pass when compiled by esbuild. Previously esbuild evaluated TypeScript decorators outside of the class body, so it didn't allow decorators to access Foo or #foo. Now esbuild does something different, although it's hard to concisely explain exactly what esbuild is doing now (see the background section below for more information).
 
 Note that TypeScript's experimental decorator support is currently buggy: TypeScript's compiler passes this test if only the first @ check is present or if only the second @ check is present, but TypeScript's compiler fails this test if both checks are present together. I haven't changed esbuild to match TypeScript's behavior exactly here because I'm waiting for TypeScript to fix these bugs instead.
 
 Some background: TypeScript experimental decorators don't have consistent semantics regarding the context that the decorators are evaluated in. For example, TypeScript will let you use await within a decorator, which implies that the decorator runs outside the class body (since await isn't supported inside a class body), but TypeScript will also let you use #private names, which implies that the decorator runs inside the class body (since #private names are only supported inside a class body). The value of this in a decorator is also buggy (the run-time value of this changes if any decorator in the class uses a #private name but the type of this doesn't change, leading to the type checker no longer matching reality). These inconsistent semantics make it hard for esbuild to implement this feature as decorator evaluation happens in some superposition of both inside and outside the class body that is particular to the internal implementation details of the TypeScript compiler.
- Forbid --keep-names when targeting old browsers (#3477)
 
 The --keep-names setting needs to be able to assign to the name property on functions and classes. However, before ES6 this property was non-configurable, and attempting to assign to it would throw an error. So with this release, esbuild will no longer allow you to enable this setting while also targeting a really old browser.
0.19.6 - 2023-11-19
Read more
0.19.5 - 2023-10-17
- Fix a regression in 0.19.0 regarding paths in tsconfig.json (#3354)
  
  The fix in esbuild version 0.19.0 to process tsconfig.json aliases before the --packages=external setting unintentionally broke an edge case in esbuild's handling of certain tsconfig.json aliases where there are multiple files with the same name in different directories. This release adjusts esbuild's behavior for this edge case so that it passes while still processing aliases before --packages=external. Please read the linked issue for more details.
- Fix a CSS font property minification bug (#3452)
  
  This release fixes a bug where esbuild's CSS minifier didn't insert a space between the font size and the font family in the font CSS shorthand property in the edge case where the original source code didn't already have a space and the leading string token was shortened to an identifier:
  
  / Original code */
  .foo { font: 16px"Menlo"; }
  
  /* Old output (with --minify) */
  .foo{font:16pxMenlo}
  
  /* New output (with --minify) */
  .foo{font:16px Menlo}
- Fix bundling CSS with asset names containing spaces (#3410)
  
  Assets referenced via CSS url() tokens may cause esbuild to generate invalid output when bundling if the file name contains spaces (e.g. url(image 2.png)). With this release, esbuild will now quote all bundled asset references in url() tokens to avoid this problem. This only affects assets loaded using the file and copy loaders.
- Fix invalid CSS url() tokens in @ import rules (#3426)
  
  In the future, CSS url() tokens may contain additional stuff after the URL. This is irrelevant today as no CSS specification does this. But esbuild previously had a bug where using these tokens in an @ import rule resulted in malformed output. This bug has been fixed.
- Fix browser + false + type: module in package.json (#3367)
  
  The browser field in package.json allows you to map a file to false to have it be treated as an empty file when bundling for the browser. However, if package.json contains "type": "module" then all .js files will be considered ESM, not CommonJS. Importing a named import from an empty CommonJS file gives you undefined, but importing a named export from an empty ESM file is a build error. This release changes esbuild's interpretation of these files mapped to false in this situation from ESM to CommonJS to avoid generating build errors for named imports.
- Fix a bug in top-level await error reporting (#3400)
  
  Using require() on a file that contains top-level await is not allowed because require() must return synchronously and top-level await makes that impossible. You will get a build error if you try to bundle code that does this with esbuild. This release fixes a bug in esbuild's error reporting code for complex cases of this situation involving multiple levels of imports to get to the module containing the top-level await.
- Update to Unicode 15.1.0
  
  The character tables that determine which characters form valid JavaScript identifiers have been updated from Unicode version 15.0.0 to the newly-released Unicode version 15.1.0. I'm not putting an example in the release notes because all of the new characters will likely just show up as little squares since fonts haven't been updated yet. But you can read https://www.unicode.org/versions/Unicode15.1.0/#Summary for more information about the changes.
  
  This upgrade was contributed by @ JLHwung.
0.19.4 - 2023-09-28
Read more
0.19.3 - 2023-09-14
Read more
0.19.2 - 2023-08-14
Read more
0.19.1 - 2023-08-11
Read more
0.19.0 - 2023-08-08
Read more
0.18.20 - 2023-08-08
- Support advanced CSS @ import rules (#953, #3137)
  
  CSS @ import statements have been extended to allow additional trailing tokens after the import path. These tokens sort of make the imported file behave as if it were wrapped in a @ layer, @ supports, and/or @ media rule. Here are some examples:
```
@ import url(foo.css);
@ import url(foo.css) layer;
@ import url(foo.css) layer(bar);
@ import url(foo.css) layer(bar) supports(display: flex);
@ import url(foo.css) layer(bar) supports(display: flex) print;
@ import url(foo.css) layer(bar) print;
@ import url(foo.css) supports(display: flex);
@ import url(foo.css) supports(display: flex) print;
@ import url(foo.css) print;
```
  You can read more about this advanced syntax here. With this release, esbuild will now bundle @ import rules with these trailing tokens and will wrap the imported files in the corresponding rules. Note that this now means a given imported file can potentially appear in multiple places in the bundle. However, esbuild will still only load it once (e.g. on-load plugins will only run once per file, not once per import).
0.18.19 - 2023-08-07
Read more
0.18.18 - 2023-08-05
0.18.17 - 2023-07-26
0.18.16 - 2023-07-23
0.18.15 - 2023-07-20
0.18.14 - 2023-07-18
0.18.13 - 2023-07-15
0.18.12 - 2023-07-13
0.18.11 - 2023-07-01
0.18.10 - 2023-06-26
0.18.9 - 2023-06-26
0.18.8 - 2023-06-25
0.18.7 - 2023-06-24
0.18.6 - 2023-06-20
0.18.5 - 2023-06-20
0.18.4 - 2023-06-16
0.18.3 - 2023-06-15
0.18.2 - 2023-06-13
0.18.1 - 2023-06-12
0.18.0 - 2023-06-09
0.17.19 - 2023-05-13

from esbuild GitHub release notes

Commit messages

Package name: esbuild

a7773b3 publish 0.19.7 to npm
2886b5d more adjustments to import assertions/attributes
2dad830 add basic support for import assertions
6b9737a fix test262 crash in v8 due to renamed test
0d9f765 fix Get list of heading nodes for a page during SSR sveltejs/kit#3230, fix Endpoints - support form submissions for noscript and fetch users alike sveltejs/kit#3326, fix exclude fixtures from linguist sveltejs/kit#3394: update decorators
9fc1ed3 ast helpers: use a context object
00fa010 tree shaking: handle destructuring of an array
f361c7f fix #3477: forbid `--keep-names` if not supported
4c64c19 compat-table: sort kangax feature map
cd7b93f dev server: add a fallback `favicon.ico` handler
5ff29d5 fixes for graph-debug.html
6073a3a publish 0.19.6 to npm
19ff9d3 async arrow functions are not IIFEs
9fa4e79 inline IIFEs that return a single expression
6c4aa2c fix Update 01-routing.md sveltejs/kit#3454: crash with jsx-dev before super() call
4a1e576 fix set pnpm cache dir explicitly sveltejs/kit#3467: `formatMessages` edge case perf hack
20c2604 add some go tests for message formatting
5271f82 silence new warnings within `node_modules`
83e8c7f fix Update dependency @netlify/functions to ^0.11.0 sveltejs/kit#3485: map subpath imports to node built-ins
07e527d fix Remove destructuring of request sveltejs/kit#3453: use `Symbol.for` for missing symbols
50cead7 try adding a warning about suspicious uses of `=>`
e1dfdfc try adding a warning about suspicious uses of `??`
478807e fix insert http-equiv cache-control tag when prerendering sveltejs/kit#3493: `-webkit-` prefix for `mask-composite`
645734f fix the latest yarn breaking its own installation