[Snyk] Upgrade esbuild from 0.15.18 to 0.17.13 #318

snyk-bot · 2023-04-15T14:29:42Z

Snyk has created this PR to upgrade esbuild from 0.15.18 to 0.17.13.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

The recommended version is 32 versions ahead of your current version.
The recommended version was released 22 days ago, on 2023-03-24.

Release notes

Package name: esbuild

0.17.13 - 2023-03-24
- Work around an issue with NODE_PATH and Go's WebAssembly internals (#3001)
  
  Go's WebAssembly implementation returns EINVAL instead of ENOTDIR when using the readdir syscall on a file. This messes up esbuild's implementation of node's module resolution algorithm since encountering ENOTDIR causes esbuild to continue its search (since it's a normal condition) while other encountering other errors causes esbuild to fail with an I/O error (since it's an unexpected condition). You can encounter this issue in practice if you use node's legacy NODE_PATH feature to tell esbuild to resolve node modules in a custom directory that was not installed by npm. This release works around this problem by converting EINVAL into ENOTDIR for the readdir syscall.
- Fix a minification bug with CSS @ layer rules that have parsing errors (#3016)
  
  CSS at-rules require either a {} block or a semicolon at the end. Omitting both of these causes esbuild to treat the rule as an unknown at-rule. Previous releases of esbuild had a bug that incorrectly removed unknown at-rules without any children during minification if the at-rule token matched an at-rule that esbuild can handle. Specifically cssnano can generate @ layer rules with parsing errors, and empty @ layer rules cannot be removed because they have side effects (@ layer didn't exist when esbuild's CSS support was added, so esbuild wasn't written to handle this). This release changes esbuild to no longer discard @ layer rules with parsing errors when minifying (the rule @ layer c has a parsing error):
  
  / Original input */
  @ layer a {
  @ layer b {
  @ layer c
  }
  }
  
  /* Old output (with --minify) */
  @ layer a.b;
  
  /* New output (with --minify) */
  @ layer a.b.c;
- Unterminated strings in CSS are no longer an error
  
  The CSS specification provides rules for handling parsing errors. One of those rules is that user agents must close strings upon reaching the end of a line (i.e., before an unescaped line feed, carriage return or form feed character), but then drop the construct (declaration or rule) in which the string was found. For example:
```
p {
  color: green;
  font-family: 'Courier New Times
  color: red;
  color: green;
}
```
  ...would be treated the same as:
```
p { color: green; color: green; }
```
  ...because the second declaration (from font-family to the semicolon after color: red) is invalid and is dropped.
  
  Previously using this CSS with esbuild failed to build due to a syntax error, even though the code can be interpreted by a browser. With this release, the code now produces a warning instead of an error, and esbuild prints the invalid CSS such that it stays invalid in the output:
```
/* esbuild's new non-minified output: */
p {
  color: green;
  font-family: 'Courier New Times
  color: red;
  color: green;
}
```
```
/* esbuild's new minified output: */
p{font-family:'Courier New Times
color: red;color:green}
```
0.17.12 - 2023-03-17
- Fix a crash when parsing inline TypeScript decorators (#2991)
  
  Previously esbuild's TypeScript parser crashed when parsing TypeScript decorators if the definition of the decorator was inlined into the decorator itself:
```
@(function sealed(constructor: Function) {
  Object.seal(constructor);
  Object.seal(constructor.prototype);
})
class Foo {}
```
  This crash was not noticed earlier because this edge case did not have test coverage. The crash is fixed in this release.
0.17.11 - 2023-03-03
- Fix the alias feature to always prefer the longest match (#2963)
  
  It's possible to configure conflicting aliases such as --alias:a=b and --alias:a/c=d, which is ambiguous for the import path a/c/x (since it could map to either b/c/x or d/x). Previously esbuild would pick the first matching alias, which would non-deterministically pick between one of the possible matches. This release fixes esbuild to always deterministically pick the longest possible match.
- Minify calls to some global primitive constructors (#2962)
  
  With this release, esbuild's minifier now replaces calls to Boolean/Number/String/BigInt with equivalent shorter code when relevant:
  
  // Original code
  console.log(
  Boolean(a ? (b | c) !== 0 : (c & d) !== 0),
  Number(e ? '1' : '2'),
  String(e ? '1' : '2'),
  BigInt(e ? 1n : 2n),
  )
  
  // Old output (with --minify)
  console.log(Boolean(a?(b|c)!==0:(c&d)!==0),Number(e?"1":"2"),String(e?"1":"2"),BigInt(e?1n:2n));
  
  // New output (with --minify)
  console.log(!!(a?b|c:c&d),+(e?"1":"2"),e?"1":"2",e?1n:2n);
- Adjust some feature compatibility tables for node (#2940)
  
  This release makes the following adjustments to esbuild's internal feature compatibility tables for node, which tell esbuild which versions of node are known to support all aspects of that feature:
  - class-private-brand-checks: node v16.9+ => node v16.4+ (a decrease)
  - hashbang: node v12.0+ => node v12.5+ (an increase)
  - optional-chain: node v16.9+ => node v16.1+ (a decrease)
  - template-literal: node v4+ => node v10+ (an increase)
  Each of these adjustments was identified by comparing against data from the node-compat-table package and was manually verified using old node executables downloaded from https://nodejs.org/download/release/.
0.17.10 - 2023-02-20
- Update esbuild's handling of CSS nesting to match the latest specification changes (#1945)
  
  The syntax for the upcoming CSS nesting feature has recently changed. The @ nest prefix that was previously required in some cases is now gone, and nested rules no longer have to start with & (as long as they don't start with an identifier or function token).
  
  This release updates esbuild's pass-through handling of CSS nesting syntax to match the latest specification changes. So you can now use esbuild to bundle CSS containing nested rules and try them out in a browser that supports CSS nesting (which includes nightly builds of both Chrome and Safari).
  
  However, I'm not implementing lowering of nested CSS to non-nested CSS for older browsers yet. While the syntax has been decided, the semantics are still in flux. In particular, there is still some debate about changing the fundamental way that CSS nesting works. For example, you might think that the following CSS is equivalent to a .outer .inner button { ... } rule:
```
.inner button {
  .outer & {
    color: red;
  }
}
```
  But instead it's actually equivalent to a .outer :is(.inner button) { ... } rule which unintuitively also matches the following DOM structure:
```
<div class="inner">
  <div class="outer">
    <button></button>
  </div>
</div>
```
  The :is() behavior is preferred by browser implementers because it's more memory-efficient, but the straightforward translation into a .outer .inner button { ... } rule is preferred by developers used to the existing CSS preprocessing ecosystem (e.g. SASS). It seems premature to commit esbuild to specific semantics for this syntax at this time given the ongoing debate.
- Fix cross-file CSS rule deduplication involving url() tokens (#2936)
  
  Previously cross-file CSS rule deduplication didn't handle url() tokens correctly. These tokens contain references to import paths which may be internal (i.e. in the bundle) or external (i.e. not in the bundle). When comparing two url() tokens for equality, the underlying import paths should be compared instead of their references. This release of esbuild fixes url() token comparisons. One side effect is that @ font-face rules should now be deduplicated correctly across files:
  http://example.com/style.css";@ font-face{src:url(http://example.com/font.ttf)}@ font-face{src:url(http://example.com/font.ttf)}
  
  /* New output (with --bundle --minify) /
  @ import"http://example.com/style.css";@ font-face{src:url(http://example.com/font.ttf)}">
```
/ Original code */

@ import "data:text/css, </span>

  @ import 'http://example.com/style.css'; </span>

  @ font-face { src: url(http://example.com/font.ttf) }";

@ import "data:text/css, </span>

  @ font-face { src: url(http://example.com/font.ttf) }";
/* Old output (with --bundle --minify) */

@ import"http://example.com/style.css";@ font-face{src:url(http://example.com/font.ttf)}@ font-face{src:url(http://example.com/font.ttf)}
/* New output (with --bundle --minify) */

@ import"http://example.com/style.css";@ font-face{src:url(http://example.com/font.ttf)}
```
0.17.9 - 2023-02-19
Read more
0.17.8 - 2023-02-13
Read more
0.17.7 - 2023-02-09
Read more
0.17.6 - 2023-02-06
Read more
0.17.5 - 2023-01-27
Read more
0.17.4 - 2023-01-22
Read more
0.17.3 - 2023-01-18
0.17.2 - 2023-01-17
0.17.1 - 2023-01-16
0.17.0 - 2023-01-14
0.16.17 - 2023-01-11
0.16.16 - 2023-01-08
0.16.15 - 2023-01-07
0.16.14 - 2023-01-04
0.16.13 - 2023-01-02
0.16.12 - 2022-12-28
0.16.11 - 2022-12-27
0.16.10 - 2022-12-19
0.16.9 - 2022-12-18
0.16.8 - 2022-12-16
0.16.7 - 2022-12-14
0.16.6 - 2022-12-14
0.16.5 - 2022-12-13
0.16.4 - 2022-12-10
0.16.3 - 2022-12-08
0.16.2 - 2022-12-08
0.16.1 - 2022-12-07
0.16.0 - 2022-12-07
0.15.18 - 2022-12-05