[Snyk] Upgrade esbuild from 0.17.19 to 0.19.2

[jaesub-ahn]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to upgrade esbuild from 0.17.19 to 0.19.2.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 24 versions ahead of your current version.
• The recommended version was released a month ago, on 2023-08-14.

Release notes

Package name: esbuild

• 0.19.2 - 2023-08-14
  

  • Update how CSS nesting is parsed again

    CSS nesting syntax has been changed again, and esbuild has been updated to match. Type selectors may now be used with CSS nesting:

    .foo {
      div {
        color: red;
      }
    }

    Previously this was disallowed in the CSS specification because it's ambiguous whether an identifier is a declaration or a nested rule starting with a type selector without requiring unbounded lookahead in the parser. It has now been allowed because the CSS working group has decided that requiring unbounded lookahead is acceptable after all.

    Note that this change means esbuild no longer considers any existing browser to support CSS nesting since none of the existing browsers support this new syntax. CSS nesting will now always be transformed when targeting a browser. This situation will change in the future as browsers add support for this new syntax.

  • Fix a scope-related bug with --drop-labels= (#3311)

    The recently-released --drop-labels= feature previously had a bug where esbuild's internal scope stack wasn't being restored properly when a statement with a label was dropped. This could manifest as a tree-shaking issue, although it's possible that this could have also been causing other subtle problems too. The bug has been fixed in this release.

  • Make renamed CSS names unique across entry points (#3295)

    Previously esbuild's generated names for local names in CSS were only unique within a given entry point (or across all entry points when code splitting was enabled). That meant that building multiple entry points with esbuild could result in local names being renamed to the same identifier even when those entry points were built simultaneously within a single esbuild API call. This problem was especially likely to happen with minification enabled. With this release, esbuild will now avoid renaming local names from two separate entry points to the same name if those entry points were built with a single esbuild API call, even when code splitting is disabled.

  • Fix CSS ordering bug with @ layer before @ import

    CSS lets you put @ layer rules before @ import rules to define the order of layers in a stylesheet. Previously esbuild's CSS bundler incorrectly ordered these after the imported files because before the introduction of cascade layers to CSS, imported files could be bundled by removing the @ import rules and then joining files together in the right order. But with @ layer, CSS files may now need to be split apart into multiple pieces in the bundle. For example:

    / Original code */
    @ layer start;
    @ import "data:text/css,@ layer inner.start;";
    @ import "data:text/css,@ layer inner.end;";
    @ layer end;

    /* Old output (with --bundle) */
    @ layer inner.start;
    @ layer inner.end;
    @ layer start;
    @ layer end;

    /* New output (with --bundle) */
@ layer start;
@ layer inner.start;
@ layer inner.end;
@ layer end;


  • Unwrap nested duplicate @ media rules (#3226)

    With this release, esbuild's CSS minifier will now automatically unwrap duplicate nested @ media rules:

    / Original code */
    @ media (min-width: 1024px) {
    .foo { color: red }
    @ media (min-width: 1024px) {
    .bar { color: blue }
    }
    }

    /* Old output (with --minify) */
    @ media (min-width: 1024px){.foo{color:red}@ media (min-width: 1024px){.bar{color:#00f}}}

    /* New output (with --minify) */
    @ media (min-width: 1024px){.foo{color:red}.bar{color:#00f}}

    These rules are unlikely to be authored manually but may result from using frameworks such as Tailwind to generate CSS.

• 0.19.1 - 2023-08-11
  

  • Fix a regression with baseURL in tsconfig.json (#3307)

    The previous release moved tsconfig.json path resolution before --packages=external checks to allow the paths field in tsconfig.json to avoid a package being marked as external. However, that reordering accidentally broke the behavior of the baseURL field from tsconfig.json. This release moves these path resolution rules around again in an attempt to allow both of these cases to work.

  • Parse TypeScript type arguments for JavaScript decorators (#3308)

    When parsing JavaScript decorators in TypeScript (i.e. with experimentalDecorators disabled), esbuild previously didn't parse type arguments. Type arguments will now be parsed starting with this release. For example:

    @foo<number>
    @bar<number, string>()
    class Foo {}

  • Fix glob patterns matching extra stuff at the end (#3306)

    Previously glob patterns such as ./*.js would incorrectly behave like ./*.js* during path matching (also matching .js.map files, for example). This was never intentional behavior, and has now been fixed.

  • Change the permissions of esbuild's generated output files (#3285)

    This release changes the permissions of the output files that esbuild generates to align with the default behavior of node's fs.writeFileSync function. Since most tools written in JavaScript use fs.writeFileSync, this should make esbuild more consistent with how other JavaScript build tools behave.

    The full Unix-y details: Unix permissions use three-digit octal notation where the three digits mean "user, group, other" in that order. Within a digit, 4 means "read" and 2 means "write" and 1 means "execute". So 6 == 4 + 2 == read + write. Previously esbuild uses 0644 permissions (the leading 0 means octal notation) but the permissions for fs.writeFileSync defaults to 0666, so esbuild will now use 0666 permissions. This does not necessarily mean that the files esbuild generates will end up having 0666 permissions, however, as there is another Unix feature called "umask" where the operating system masks out some of these bits. If your umask is set to 0022 then the generated files will have 0644 permissions, and if your umask is set to 0002 then the generated files will have 0664 permissions.

  • Fix a subtle CSS ordering issue with @ import and @ layer

    With this release, esbuild may now introduce additional @ layer rules when bundling CSS to better preserve the layer ordering of the input code. Here's an example of an edge case where this matters:

    /* entry.css */
    @ import "a.css";
    @ import "b.css";
    @ import "a.css";

    /* a.css */
    @ layer a {
      body {
        background: red;
      }
    }

    /* b.css */
    @ layer b {
      body {
        background: green;
      }
    }

    This CSS should set the body background to green, which is what happens in the browser. Previously esbuild generated the following output which incorrectly sets the body background to red:

    / b.css */
    @ layer b {
    body {
    background: green;
    }
    }

    /* a.css */
    @ layer a {
    body {
    background: red;
    }
    }

    This difference in behavior is because the browser evaluates a.css + b.css + a.css (in CSS, each @ import is replaced with a copy of the imported file) while esbuild was only writing out b.css + a.css. The first copy of a.css wasn't being written out by esbuild for two reasons: 1) bundlers care about code size and try to avoid emitting duplicate CSS and 2) when there are multiple copies of a CSS file, normally only the last copy matters since the last declaration with equal specificity wins in CSS.

    However, @ layer was recently added to CSS and for @ layer the first copy matters because layers are ordered using their first location in source code order. This introduction of @ layer means esbuild needs to change its bundling algorithm. An easy solution would be for esbuild to write out a.css twice, but that would be inefficient. So what I'm going to try to have esbuild do with this release is to write out an abbreviated form of the first copy of a CSS file that only includes the @ layer information, and then still only write out the full CSS file once for the last copy. So esbuild's output for this edge case now looks like this:

    / a.css */
    @ layer a;

    /* b.css */
    @ layer b {
    body {
    background: green;
    }
    }

    /* a.css */
    @ layer a {
    body {
    background: red;
    }
    }

    The behavior of the bundled CSS now matches the behavior of the unbundled CSS. You may be wondering why esbuild doesn't just write out a.css first followed by b.css. That would work in this case but it doesn't work in general because for any rules outside of a @ layer rule, the last copy should still win instead of the first copy.

  • Fix a bug with esbuild's TypeScript type definitions (#3299)

    This release fixes a copy/paste error with the TypeScript type definitions for esbuild's JS API:

     export interface TsconfigRaw {
       compilerOptions?: {
    -    baseUrl?: boolean
    +    baseUrl?: string
         ...
       }
     }

    This fix was contributed by @ privatenumber.

• 0.19.0 - 2023-08-08
  Read more
• 0.18.20 - 2023-08-08
  

  • Support advanced CSS @ import rules (#953, #3137)

    CSS @ import statements have been extended to allow additional trailing tokens after the import path. These tokens sort of make the imported file behave as if it were wrapped in a @ layer, @ supports, and/or @ media rule. Here are some examples:

    @ import url(foo.css);
    @ import url(foo.css) layer;
    @ import url(foo.css) layer(bar);
    @ import url(foo.css) layer(bar) supports(display: flex);
    @ import url(foo.css) layer(bar) supports(display: flex) print;
    @ import url(foo.css) layer(bar) print;
    @ import url(foo.css) supports(display: flex);
    @ import url(foo.css) supports(display: flex) print;
    @ import url(foo.css) print;

    You can read more about this advanced syntax here. With this release, esbuild will now bundle @ import rules with these trailing tokens and will wrap the imported files in the corresponding rules. Note that this now means a given imported file can potentially appear in multiple places in the bundle. However, esbuild will still only load it once (e.g. on-load plugins will only run once per file, not once per import).

• 0.18.19 - 2023-08-07
  Read more
• 0.18.18 - 2023-08-05
  Read more
• 0.18.17 - 2023-07-26
  Read more
• 0.18.16 - 2023-07-23
  

  • Fix a regression with whitespace inside :is() (#3265)

    The change to parse the contents of :is() in version 0.18.14 introduced a regression that incorrectly flagged the contents as a syntax error if the contents started with a whitespace token (for example div:is( .foo ) {}). This regression has been fixed.

• 0.18.15 - 2023-07-20
  Read more
• 0.18.14 - 2023-07-18
  Read more
• 0.18.13 - 2023-07-15
• 0.18.12 - 2023-07-13
• 0.18.11 - 2023-07-01
• 0.18.10 - 2023-06-26
• 0.18.9 - 2023-06-26
• 0.18.8 - 2023-06-25
• 0.18.7 - 2023-06-24
• 0.18.6 - 2023-06-20
• 0.18.5 - 2023-06-20
• 0.18.4 - 2023-06-16
• 0.18.3 - 2023-06-15
• 0.18.2 - 2023-06-13
• 0.18.1 - 2023-06-12
• 0.18.0 - 2023-06-09
• 0.17.19 - 2023-05-13

from esbuild GitHub release notes

Commit messages

Package name: esbuild

• 09a1001 publish 0.19.2 to npm
• 4d9b764 fix Dynamic import preload step references document in web workers. vitejs/vite#3311: pop scope after `--drop-labels=` runs
• f2d23b2 fix some typos
• e76780c css: further changes to css nesting syntax
• 71f4a5a update compat-table (note: css nesting changed)
• eb667c3 css: try to merge adjacent `@ layer` rules together
• f759693 css: fix ordering with `@ layer` before `@ import`
• c73f0f8 css: extract wrapping logic to a helper function
• a05a2f9 css: make source index on compile results optional
• bb16fb7 css: parser separates layers pre/post `@ import`
• 78b59e6 fix chore(ci): remove circle and appveyor ci vitejs/vite#3226: unwrap nested duplicate `@ media` rules
• 009beb1 fix library mode can't extract static assets vitejs/vite#3295: better avoid css local name collisions
• 49801f7 publish 0.19.1 to npm
• 1fca4aa fix Failed to fetch when dynamically importing css file after built vitejs/vite#3307: regression with tsconfig `baseURL`
• a973f87 fix Internal server error: Failed to resolve import "./chunk-RZYNWZ5R.js" from "node_modules/.vite/chunk-NS64VXF3.js?v=ae066764". Does the file exist? vitejs/vite#3308: TS type arguments for JS decorators
• be9e098 fix Shared folder in mono repo vitejs/vite#3306: handle lack of a trailing glob wildcard
• 83917cf css: handle external `@ import` condition chains
• d81d759 adjust source range for duplicate case warning
• 4b67d82 tsconfig: options outside compilerOptions (HMR breaks when modifying React context provider vitejs/vite#3301)
• 813fb3a api: reduce console output when an error is thrown
• ab9007c fix(TsconfigRaw): `baseUrl` to be string (Can be configured to close the wasm pre-compile vitejs/vite#3299)
• 4202ea0 css: fix ordering with `@ import` and `@ layer`
• ef62fd7 linker: remove a level of indentation
• 8a50eb3 fix [vite] Internal server error: Cannot read property 'url' of undefined vitejs/vite#3285: output file permissions: 0644 => 0666

Compare

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs