[Snyk] Upgrade esbuild from 0.14.39 to 0.17.18

[retorquere]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to upgrade esbuild from 0.14.39 to 0.17.18.

:information_source: Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

- The recommended version is **71 versions** ahead of your current version. - The recommended version was released **5 days ago**, on 2023-04-22.

Release notes

Package name: esbuild

• 0.17.18 - 2023-04-22
  

  • Fix non-default JSON import error with export {} from (#3070)

    This release fixes a bug where esbuild incorrectly identified statements of the form export { default as x } from "y" assert { type: "json" } as a non-default import. The bug did not affect code of the form import { default as x } from ... (only code that used the export keyword).

  • Fix a crash with an invalid subpath import (#3067)

    Previously esbuild could crash when attempting to generate a friendly error message for an invalid subpath import (i.e. an import starting with #). This happened because esbuild originally only supported the exports field and the code for that error message was not updated when esbuild later added support for the imports field. This crash has been fixed.

• 0.17.17 - 2023-04-16
  

  • Fix CSS nesting transform for top-level & (#3052)

    Previously esbuild could crash with a stack overflow when lowering CSS nesting rules with a top-level &, such as in the code below. This happened because esbuild's CSS nesting transform didn't handle top-level &, causing esbuild to inline the top-level selector into itself. This release handles top-level & by replacing it with the :scope pseudo-class:

    /* Original code */
    &,
    a {
      .b {
        color: red;
      }
    }
    
    /* New output (with --target=chrome90) */
    :is(:scope, a) .b {
      color: red;
    }

  • Support exports in package.json for extends in tsconfig.json (#3058)

    TypeScript 5.0 added the ability to use extends in tsconfig.json to reference a path in a package whose package.json file contains an exports map that points to the correct location. This doesn't automatically work in esbuild because tsconfig.json affects esbuild's path resolution, so esbuild's normal path resolution logic doesn't apply.

    This release adds support for doing this by adding some additional code that attempts to resolve the extends path using the exports field. The behavior should be similar enough to esbuild's main path resolution logic to work as expected.

    Note that esbuild always treats this extends import as a require() import since that's what TypeScript appears to do. Specifically the require condition will be active and the import condition will be inactive.

  • Fix watch mode with NODE_PATH (#3062)

    Node has a rarely-used feature where you can extend the set of directories that node searches for packages using the NODE_PATH environment variable. While esbuild supports this too, previously a bug prevented esbuild's watch mode from picking up changes to imported files that were contained directly in a NODE_PATH directory. You're supposed to use NODE_PATH for packages, but some people abuse this feature by putting files in that directory instead (e.g. node_modules/some-file.js instead of node_modules/some-pkg/some-file.js). The watch mode bug happens when you do this because esbuild first tries to read some-file.js as a directory and then as a file. Watch mode was incorrectly waiting for some-file.js to become a valid directory. This release fixes this edge case bug by changing watch mode to watch some-file.js as a file when this happens.

• 0.17.16 - 2023-04-10
  

  • Fix CSS nesting transform for triple-nested rules that start with a combinator (#3046)

    This release fixes a bug with esbuild where triple-nested CSS rules that start with a combinator were not transformed correctly for older browsers. Here's an example of such a case before and after this bug fix:

    /* Original input */
    .a {
      color: red;
      > .b {
        color: green;
        > .c {
          color: blue;
        }
      }
    }
    
    /* Old output (with --target=chrome90) */
    .a {
      color: red;
    }
    .a > .b {
      color: green;
    }
    .a .b > .c {
      color: blue;
    }
    
    /* New output (with --target=chrome90) */
    .a {
      color: red;
    }
    .a > .b {
      color: green;
    }
    .a > .b > .c {
      color: blue;
    }

  • Support --inject with a file loaded using the copy loader (#3041)

    This release now allows you to use --inject with a file that is loaded using the copy loader. The copy loader copies the imported file to the output directory verbatim and rewrites the path in the import statement to point to the copied output file. When used with --inject, this means the injected file will be copied to the output directory as-is and a bare import statement for that file will be inserted in any non-copy output files that esbuild generates.

    Note that since esbuild doesn't parse the contents of copied files, esbuild will not expose any of the export names as usable imports when you do this (in the way that esbuild's --inject feature is typically used). However, any side-effects that the injected file has will still occur.

• 0.17.15 - 2023-04-01
  

  • Allow keywords as type parameter names in mapped types (#3033)

    TypeScript allows type keywords to be used as parameter names in mapped types. Previously esbuild incorrectly treated this as an error. Code that does this is now supported:

    type Foo = 'a' | 'b' | 'c'
    type A = { [keyof in Foo]: number }
    type B = { [infer in Foo]: number }
    type C = { [readonly in Foo]: number }

  • Add annotations for re-exported modules in node (#2486, #3029)

    Node lets you import named imports from a CommonJS module using ESM import syntax. However, the allowed names aren't derived from the properties of the CommonJS module. Instead they are derived from an arbitrary syntax-only analysis of the CommonJS module's JavaScript AST.

    To accommodate node doing this, esbuild's ESM-to-CommonJS conversion adds a special non-executable "annotation" for node that describes the exports that node should expose in this scenario. It takes the form 0 && (module.exports = { ... }) and comes at the end of the file (0 && expr means expr is never evaluated).

    Previously esbuild didn't do this for modules re-exported using the export * from syntax. Annotations for these re-exports will now be added starting with this release:

    // Original input
    export { foo } from './foo'
    export * from './bar'
    
    // Old output (with --format=cjs --platform=node)
    ...
    0 && (module.exports = {
      foo
    });
    
    // New output (with --format=cjs --platform=node)
    ...
    0 && (module.exports = {
      foo,
      ...require("./bar")
    });

    Note that you need to specify both --format=cjs and --platform=node to get these node-specific annotations.

  • Avoid printing an unnecessary space in between a number and a . (#3026)

    JavaScript typically requires a space in between a number token and a . token to avoid the . being interpreted as a decimal point instead of a member expression. However, this space is not required if the number token itself contains a decimal point, an exponent, or uses a base other than 10. This release of esbuild now avoids printing the unnecessary space in these cases:

    // Original input
    foo(1000 .x, 0 .x, 0.1 .x, 0.0001 .x, 0xFFFF_0000_FFFF_0000 .x)
    
    // Old output (with --minify)
    foo(1e3 .x,0 .x,.1 .x,1e-4 .x,0xffff0000ffff0000 .x);
    
    // New output (with --minify)
    foo(1e3.x,0 .x,.1.x,1e-4.x,0xffff0000ffff0000.x);

  • Fix server-sent events with live reload when writing to the file system root (#3027)

    This release fixes a bug where esbuild previously failed to emit server-sent events for live reload when outdir was the file system root, such as /. This happened because / is the only path on Unix that cannot have a trailing slash trimmed from it, which was fixed by improved path handling.

• 0.17.14 - 2023-03-26
  Read more
• 0.17.13 - 2023-03-24
  

  • Work around an issue with NODE_PATH and Go's WebAssembly internals (#3001)

    Go's WebAssembly implementation returns EINVAL instead of ENOTDIR when using the readdir syscall on a file. This messes up esbuild's implementation of node's module resolution algorithm since encountering ENOTDIR causes esbuild to continue its search (since it's a normal condition) while other encountering other errors causes esbuild to fail with an I/O error (since it's an unexpected condition). You can encounter this issue in practice if you use node's legacy NODE_PATH feature to tell esbuild to resolve node modules in a custom directory that was not installed by npm. This release works around this problem by converting EINVAL into ENOTDIR for the readdir syscall.

  • Fix a minification bug with CSS @ layer rules that have parsing errors (#3016)

    CSS at-rules require either a {} block or a semicolon at the end. Omitting both of these causes esbuild to treat the rule as an unknown at-rule. Previous releases of esbuild had a bug that incorrectly removed unknown at-rules without any children during minification if the at-rule token matched an at-rule that esbuild can handle. Specifically cssnano can generate @ layer rules with parsing errors, and empty @ layer rules cannot be removed because they have side effects (@ layer didn't exist when esbuild's CSS support was added, so esbuild wasn't written to handle this). This release changes esbuild to no longer discard @ layer rules with parsing errors when minifying (the rule @ layer c has a parsing error):

    /* Original input */
    @ layer a {
      @ layer b {
        @ layer c
      }
    }
    
    /* Old output (with --minify) */
    @ layer a.b;
    
    /* New output (with --minify) */
    @ layer a.b.c;

  • Unterminated strings in CSS are no longer an error

    The CSS specification provides rules for handling parsing errors. One of those rules is that user agents must close strings upon reaching the end of a line (i.e., before an unescaped line feed, carriage return or form feed character), but then drop the construct (declaration or rule) in which the string was found. For example:

    p {
      color: green;
      font-family: 'Courier New Times
      color: red;
      color: green;
    }

    ...would be treated the same as:

    p { color: green; color: green; }

    ...because the second declaration (from font-family to the semicolon after color: red) is invalid and is dropped.

    Previously using this CSS with esbuild failed to build due to a syntax error, even though the code can be interpreted by a browser. With this release, the code now produces a warning instead of an error, and esbuild prints the invalid CSS such that it stays invalid in the output:

    /* esbuild's new non-minified output: */
    p {
      color: green;
      font-family: 'Courier New Times
      color: red;
      color: green;
    }

    /* esbuild's new minified output: */
    p{font-family:'Courier New Times
    color: red;color:green}

• 0.17.12 - 2023-03-17
  Read more
• 0.17.11 - 2023-03-03
  Read more
• 0.17.10 - 2023-02-20
  Read more
• 0.17.9 - 2023-02-19
  Read more
• 0.17.8 - 2023-02-13
• 0.17.7 - 2023-02-09
• 0.17.6 - 2023-02-06
• 0.17.5 - 2023-01-27
• 0.17.4 - 2023-01-22
• 0.17.3 - 2023-01-18
• 0.17.2 - 2023-01-17
• 0.17.1 - 2023-01-16
• 0.17.0 - 2023-01-14
• 0.16.17 - 2023-01-11
• 0.16.16 - 2023-01-08
• 0.16.15 - 2023-01-07
• 0.16.14 - 2023-01-04
• 0.16.13 - 2023-01-02
• 0.16.12 - 2022-12-28
• 0.16.11 - 2022-12-27
• 0.16.10 - 2022-12-19
• 0.16.9 - 2022-12-18
• 0.16.8 - 2022-12-16
• 0.16.7 - 2022-12-14
• 0.16.6 - 2022-12-14
• 0.16.5 - 2022-12-13
• 0.16.4 - 2022-12-10
• 0.16.3 - 2022-12-08
• 0.16.2 - 2022-12-08
• 0.16.1 - 2022-12-07
• 0.16.0 - 2022-12-07
• 0.15.18 - 2022-12-05
• 0.15.17 - 2022-12-04
• 0.15.16 - 2022-11-27
• 0.15.15 - 2022-11-21
• 0.15.14 - 2022-11-15
• 0.15.13 - 2022-11-03
• 0.15.12 - 2022-10-19
• 0.15.11 - 2022-10-14
• 0.15.10 - 2022-09-29
• 0.15.9 - 2022-09-22
• 0.15.8 - 2022-09-18
• 0.15.7 - 2022-09-04
• 0.15.6 - 2022-08-30
• 0.15.5 - 2022-08-17
• 0.15.4 - 2022-08-16
• 0.15.3 - 2022-08-14
• 0.15.2 - 2022-08-12
• 0.15.1 - 2022-08-10
• 0.15.0 - 2022-08-10
• 0.14.54 - 2022-08-08
• 0.14.53 - 2022-08-02
• 0.14.52 - 2022-08-02
• 0.14.51 - 2022-07-28
• 0.14.50 - 2022-07-25
• 0.14.49 - 2022-07-10
• 0.14.48 - 2022-06-30
• 0.14.47 - 2022-06-20
• 0.14.46 - 2022-06-18
• 0.14.45 - 2022-06-17
• 0.14.44 - 2022-06-15
• 0.14.43 - 2022-06-08
• 0.14.42 - 2022-05-29
• 0.14.41 - 2022-05-27
• 0.14.40 - 2022-05-27
• 0.14.39 - 2022-05-11

from esbuild GitHub release notes

Commit messages

Package name: esbuild

• ee646b4 publish 0.17.18 to npm
• ecea1f4 put back comment that was removed
• 9092a1b perf(linker): Fixes brute force chunk cycle detection (#3069)
• dbefad5 fix #3067: crash due to bad subpath import error
• 1365a07 fix #3070: fix detection of non-default re-exports
• 81cb21c add back warning for #466
• 0776a4b publish 0.17.17 to npm
• 8eb364d fix #3058: support `extends` that uses `exports`
• 23cee51 pull out common tsconfig search logic
• ecb3a89 fix #3062: watch mode with `NODE_PATH` edge case
• a4e19a7 fix #3052: replace top-level `&` css with `:scope`
• f0704ba publish 0.17.16 to npm
• 7985bca add "; charset=utf-8" to json and xhtml
• 64edd89 feat: add xhtml to guessed mime types (#3042)
• c7c5a86 fix #3041: allow injecting copied files
• ab15c70 update go 1.20.2 => 1.20.3
• 8b885fd fix #3046: missing combinator bug with nested css
• e9413cc parse decorators in js (but still generate errors)
• 033c5da add decorators to compat table
• 7cd307d print decorators in js printer
• ebc9718 move decorator parser from ts to js
• 27cd4c0 rename: TSDecorators => Decorators
• ef91289 publish 0.17.15 to npm
• f780ad3 fix #3027: live reload SSE when outdir is `/`

Compare

---

**Note:** *You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.* For more information: 🧐 [View latest project report](https://app.snyk.io/org/retorquere/project/772efd66-515e-4872-a392-94ba14e1eb58?utm_source=github&utm_medium=referral&page=upgrade-pr) 🛠 [Adjust upgrade PR settings](https://app.snyk.io/org/retorquere/project/772efd66-515e-4872-a392-94ba14e1eb58/settings/integration?utm_source=github&utm_medium=referral&page=upgrade-pr) 🔕 [Ignore this dependency or unsubscribe from future upgrade PRs](https://app.snyk.io/org/retorquere/project/772efd66-515e-4872-a392-94ba14e1eb58/settings/integration?pkg=esbuild&utm_source=github&utm_medium=referral&page=upgrade-pr#auto-dep-upgrades)