[Snyk] Upgrade esbuild from 0.18.20 to 0.19.1 by fraxken · Pull Request #287 · NodeSecure/report · GitHub

[Snyk] Upgrade esbuild from 0.18.20 to 0.19.1 #287


Merged
merged 1 commit into from
Sep 3, 2023

Conversation

fraxken
Member
@fraxken fraxken commented Sep 3, 2023

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to upgrade esbuild from 0.18.20 to 0.19.1.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 2 versions ahead of your current version.
  • The recommended version was released 23 days ago, on 2023-08-11.
Release notes
Package name: esbuild
  • 0.19.1 - 2023-08-11
    • Fix a regression with baseURL in tsconfig.json (#3307)

      The previous release moved tsconfig.json path resolution before --packages=external checks to allow the paths field in tsconfig.json to avoid a package being marked as external. However, that reordering accidentally broke the behavior of the baseURL field from tsconfig.json. This release moves these path resolution rules around again in an attempt to allow both of these cases to work.

    • Parse TypeScript type arguments for JavaScript decorators (#3308)

      When parsing JavaScript decorators in TypeScript (i.e. with experimentalDecorators disabled), esbuild previously didn't parse type arguments. Type arguments will now be parsed starting with this release. For example:

      @foo<number>
      @bar<number, string>()
      class Foo {}
    • Fix glob patterns matching extra stuff at the end (#3306)

      Previously glob patterns such as ./*.js would incorrectly behave like ./*.js* during path matching (also matching .js.map files, for example). This was never intentional behavior, and has now been fixed.

    • Change the permissions of esbuild's generated output files (#3285)

      This release changes the permissions of the output files that esbuild generates to align with the default behavior of node's fs.writeFileSync function. Since most tools written in JavaScript use fs.writeFileSync, this should make esbuild more consistent with how other JavaScript build tools behave.

      The full Unix-y details: Unix permissions use three-digit octal notation where the three digits mean "user, group, other" in that order. Within a digit, 4 means "read" and 2 means "write" and 1 means "execute". So 6 == 4 + 2 == read + write. Previously esbuild used 0644 permissions (the leading 0 means octal notation) but the permissions for fs.writeFileSync default to 0666, so esbuild will now use 0666 permissions. This does not necessarily mean that the files esbuild generates will end up having 0666 permissions, however, as there is another Unix feature called "umask" where the operating system masks out some of these bits. If your umask is set to 0022 then the generated files will have 0644 permissions, and if your umask is set to 0002 then the generated files will have 0664 permissions.

    • Fix a subtle CSS ordering issue with @import and @layer

      With this release, esbuild may now introduce additional @layer rules when bundling CSS to better preserve the layer ordering of the input code. Here's an example of an edge case where this matters:

      /* entry.css */
      @import "a.css";
      @import "b.css";
      @import "a.css";

      /* a.css */
      @layer a {
        body {
          background: red;
        }
      }

      /* b.css */
      @layer b {
        body {
          background: green;
        }
      }

      This CSS should set the body background to green, which is what happens in the browser. Previously esbuild generated the following output which incorrectly sets the body background to red:

      /* b.css */
      @layer b {
        body {
          background: green;
        }
      }

      /* a.css */
      @layer a {
        body {
          background: red;
        }
      }

      This difference in behavior is because the browser evaluates a.css + b.css + a.css (in CSS, each @import is replaced with a copy of the imported file) while esbuild was only writing out b.css + a.css. The first copy of a.css wasn't being written out by esbuild for two reasons: 1) bundlers care about code size and try to avoid emitting duplicate CSS and 2) when there are multiple copies of a CSS file, normally only the last copy matters since the last declaration with equal specificity wins in CSS.

      However, @layer was recently added to CSS and for @layer the first copy matters because layers are ordered using their first location in source code order. This introduction of @layer means esbuild needs to change its bundling algorithm. An easy solution would be for esbuild to write out a.css twice, but that would be inefficient. So what I'm going to try to have esbuild do with this release is to write out an abbreviated form of the first copy of a CSS file that only includes the @layer information, and then still only write out the full CSS file once for the last copy. So esbuild's output for this edge case now looks like this:

      /* a.css */
      @layer a;

      /* b.css */
      @layer b {
        body {
          background: green;
        }
      }

      /* a.css */
      @layer a {
        body {
          background: red;
        }
      }

      The behavior of the bundled CSS now matches the behavior of the unbundled CSS. You may be wondering why esbuild doesn't just write out a.css first followed by b.css. That would work in this case but it doesn't work in general because for any rules outside of a @layer rule, the last copy should still win instead of the first copy.

    • Fix a bug with esbuild's TypeScript type definitions (#3299)

      This release fixes a copy/paste error with the TypeScript type definitions for esbuild's JS API:

       export interface TsconfigRaw {
         compilerOptions?: {
      -    baseUrl?: boolean
      +    baseUrl?: string
           ...
         }
       }
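
Review bot: the `+    baseUrl?: string` line corrects the declared type, but the `...` right after it elides the rest of `compilerOptions`, so nothing visible here shows whether the neighbouring options were checked for the same copy/paste slip. A type-level test that assigns a string path to `baseUrl` in a `TsconfigRaw` value would keep this from regressing, and callers that worked around the old `boolean` declaration with a cast can drop the cast after this upgrade.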

      This fix was contributed by @privatenumber.

  • 0.19.0 - 2023-08-08

    This release deliberately contains backwards-incompatible changes. To avoid automatically picking up releases like this, you should either be pinning the exact version of esbuild in your package.json file (recommended) or be using a version range syntax that only accepts patch upgrades such as ^0.18.0 or ~0.18.0. See npm's documentation about semver for more information.

    • Handle import paths containing wildcards (#56, #700, #875, #976, #2221, #2515)

      This release introduces wildcards in import paths in two places:

      • Entry points

        You can now pass a string containing glob-style wildcards such as ./src/*.ts as an entry point and esbuild will search the file system for files that match the pattern. This can be used to easily pass esbuild all files with a certain extension on the command line in a cross-platform way. Previously you had to rely on the shell to perform glob expansion, but that is obviously shell-dependent and didn't work at all on Windows. Note that to use this feature on the command line you will have to quote the pattern so it's passed verbatim to esbuild without any expansion by the shell. Here's an example:

        esbuild --minify "./src/*.ts" --outdir=out

        Specifically the * character will match any character except for the / character, and the /**/ character sequence will match a path separator followed by zero or more path elements. Other wildcard operators found in glob patterns such as ? and [...] are not supported.

      • Run-time import paths

        Import paths that are evaluated at run-time can now be bundled in certain limited situations. The import path expression must be a form of string concatenation and must start with either ./ or ../. Each non-string expression in the string concatenation chain becomes a wildcard. The * wildcard is chosen unless the previous character is a /, in which case the /**/* character sequence is used. Some examples:

        // These two forms are equivalent
        const json1 = await import('./data/' + kind + '.json')
        const json2 = await import(`./data/${kind}.json`)

        This feature works with require(...) and import(...) because these can all accept run-time expressions. It does not work with import and export statements because these cannot accept run-time expressions. If you want to prevent esbuild from trying to bundle these imports, you should move the string concatenation expression outside of the require(...) or import(...). For example:

        // This will be bundled
        const json1 = await import('./data/' + kind + '.json')

        // This will not be bundled
        const path = './data/' + kind + '.json'
        const json2 = await import(path)

        Note that using this feature means esbuild will potentially do a lot of file system I/O to find all possible files that might match the pattern. This is by design, and is not a bug. If this is a concern, I recommend either avoiding the /**/ pattern (e.g. by not putting a / before a wildcard) or using this feature only in directory subtrees which do not have many files that don't match the pattern (e.g. making a subdirectory for your JSON files and explicitly including that subdirectory in the pattern).

    • Path aliases in tsconfig.json no longer count as packages (#2792, #3003, #3160, #3238)

      Setting --packages=external tells esbuild to make all import paths external when they look like a package path. For example, an import of ./foo/bar is not a package path and won't be external while an import of foo/bar is a package path and will be external. However, the paths field in tsconfig.json allows you to create import paths that look like package paths but that do not resolve to packages. People do not want these paths to count as package paths. So with this release, the behavior of --packages=external has been changed to happen after the tsconfig.json path remapping step.

    • Use the local-css loader for .module.css files by default (#20)

      With this release the css loader is still used for .css files except that .module.css files now use the local-css loader. This is a common convention in the web development community. If you need .module.css files to use the css loader instead, then you can override this behavior with --loader:.module.css=css.

  • 0.18.20 - 2023-08-08
    • Support advanced CSS @import rules (#953, #3137)

      CSS @import statements have been extended to allow additional trailing tokens after the import path. These tokens sort of make the imported file behave as if it were wrapped in a @layer, @supports, and/or @media rule. Here are some examples:

      @import url(foo.css);
      @import url(foo.css) layer;
      @import url(foo.css) layer(bar);
      @import url(foo.css) layer(bar) supports(display: flex);
      @import url(foo.css) layer(bar) supports(display: flex) print;
      @import url(foo.css) layer(bar) print;
      @import url(foo.css) supports(display: flex);
      @import url(foo.css) supports(display: flex) print;
      @import url(foo.css) print;

      You can read more about this advanced syntax here. With this release, esbuild will now bundle @import rules with these trailing tokens and will wrap the imported files in the corresponding rules. Note that this now means a given imported file can potentially appear in multiple places in the bundle. However, esbuild will still only load it once (e.g. on-load plugins will only run once per file, not once per import).

from esbuild GitHub release notes
Commit messages
Package name: esbuild
  • 49801f7 publish 0.19.1 to npm
  • 1fca4aa fix #3307: regression with tsconfig `baseURL`
  • a973f87 fix #3308: TS type arguments for JS decorators
  • be9e098 fix #3306: handle lack of a trailing glob wildcard
  • 83917cf css: handle external `@import` condition chains
  • d81d759 adjust source range for duplicate case warning
  • 4b67d82 tsconfig: options outside compilerOptions (#3301)
  • 813fb3a api: reduce console output when an error is thrown
  • ab9007c fix(TsconfigRaw): `baseUrl` to be string (#3299)
  • 4202ea0 css: fix ordering with `@import` and `@layer`
  • ef62fd7 linker: remove a level of indentation
  • 8a50eb3 fix #3285: output file permissions: 0644 => 0666
  • c337498 publish 0.19.0 to npm
  • 0b79ab2 this is a breaking change release
  • cb46459 fix #3003, fix #3238: `--packages=` and `tsconfig`
  • 727e5ff css: use `local-css` for `.module.css` files (#20)
  • be9f8e5 implement glob-style path resolution
  • 8e14e25 add the `__glob` runtime helper method
  • c067c5e remove an unnecessary argument
  • 6e05434 Update README.md

Compare


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs
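
The run-time import wildcard rules quoted in the 0.19.0 notes decide which files can end up inside a bundle, so it is worth seeing what a given expression expands to before upgrading. The following is an added example, not part of the PR or of esbuild: it models the rules as the notes state them, and the function names and the project tree are constructed for illustration.

```javascript
// Added example: models the wildcard rules quoted in the 0.19.0 notes above.
// It is not esbuild's implementation; all names and paths are constructed.

// Build the glob for a concatenated import path. String parts are literal;
// null stands for a non-string (run-time) expression.
function importToGlob(parts) {
  let glob = '';
  for (const part of parts) {
    if (part !== null) { glob += part; continue; }
    // "*" unless the previous character is "/", in which case "/**/*".
    glob = glob.endsWith('/') ? glob.slice(0, -1) + '/**/*' : glob + '*';
  }
  if (!glob.startsWith('./') && !glob.startsWith('../')) {
    throw new Error('only paths starting with ./ or ../ are bundled');
  }
  return glob;
}

// "/**/" matches a separator plus zero or more path elements; "*" matches
// any run of characters except "/". "?" and "[...]" are treated literally.
function globToRegExp(glob) {
  const quote = (s) => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  const body = glob
    .split('/**/')
    .map((seg) => seg.split('*').map(quote).join('[^/]*'))
    .join('/(?:[^/]+/)*');
  return new RegExp('^' + body + '$');
}

// Which files of a project tree would the bundler pull in for this import?
function bundledFiles(parts, files) {
  const re = globToRegExp(importToGlob(parts));
  return files.filter((f) => re.test(f));
}

// Constructed project tree.
const tree = [
  './data/en.json',
  './data/fr.json',
  './data/en.json.map',
  './data/internal/api-keys.json',
  './config/secrets.json',
];

// import('./data/' + kind + '.json')
console.log(importToGlob(['./data/', null, '.json']));
console.log(bundledFiles(['./data/', null, '.json'], tree));
```

Because the expression follows a `/`, the pattern recurses into subdirectories, so the nested file is included; a pattern without a `/` before the wildcard, such as `['./data/e', null, '.json']`, stays in one directory.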

@fraxken fraxken merged commit 108a649 into master Sep 3, 2023
@fraxken fraxken deleted the snyk-upgrade-533d0c9601668ed2aae79984750796b2 branch July 1, 2024 19:40
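
The 0.19.1 note on output file permissions means the final mode of build output now depends on the umask of whatever process runs the build. The following is an added example, not part of the PR or of esbuild: it writes throwaway files with `fs.writeFileSync` on a POSIX system under the umasks the note mentions and reads back the resulting mode. The `0000` umask and the helper names are constructed for illustration.

```javascript
// Added example: observe how a requested create mode and the process umask
// combine into the on-disk permissions of a generated file (POSIX only).
const fs = require('fs');
const os = require('os');
const path = require('path');

// Write one file with the requested mode under the given umask and return
// the permission bits it actually received.
function effectiveMode(requestedMode, umask) {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'perm-demo-'));
  const file = path.join(dir, 'out.js');
  const previous = process.umask(umask); // returns the old mask
  try {
    fs.writeFileSync(file, '// constructed build output\n', { mode: requestedMode });
    return fs.statSync(file).mode & 0o777;
  } finally {
    process.umask(previous);
    fs.rmSync(dir, { recursive: true, force: true });
  }
}

// Flag results that a group member or any local user could overwrite.
function audit(mode) {
  if (mode & 0o002) return 'world-writable';
  if (mode & 0o020) return 'group-writable';
  return 'owner-only write';
}

const octal = (n) => '0' + n.toString(8).padStart(3, '0');

function report() {
  const rows = [];
  for (const requested of [0o644, 0o666]) {      // modes before and after 0.19.1
    for (const umask of [0o022, 0o002, 0o000]) { // 0o000 is a constructed worst case
      const mode = effectiveMode(requested, umask);
      rows.push({ requested: octal(requested), umask: octal(umask),
                  result: octal(mode), finding: audit(mode) });
    }
  }
  return rows;
}

console.table(report());
```

With the old 0644 request the output never became group- or world-writable whatever the umask; with 0666 it does under a permissive umask, which is the case to check for in CI runners and container images that build as a shared user.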