This release upgrades dependencies to address CVE-2023-43646, where a large function name can cause "catastrophic backtracking" (aka a ReDoS attack), which can cause the test suite to hang.
Fix printing of JavaScript decorators in tricky cases (#3396)
This release fixes some bugs where esbuild's pretty-printing of JavaScript decorators could incorrectly produce code with a syntax error. The problem happened because esbuild sometimes substitutes identifiers for other expressions in the pretty-printer itself, but the decision about whether to wrap the expression or not didn't account for this. Here are some examples:
```js
// Original code
import { constant } from './constants.js'
import { imported } from 'external'
import { undef } from './empty.js'
class Foo {
  @constant()
  @imported()
  @undef()
  foo
}

// Old output (with --bundle --format=cjs --packages=external --minify-syntax)
var import_external = require("external");
var Foo = class {
  @123()
  @(0, import_external.imported)()
  @(void 0)()
  foo;
};

// New output (with --bundle --format=cjs --packages=external --minify-syntax)
var import_external = require("external");
var Foo = class {
  @(123())
  @((0, import_external.imported)())
  @((void 0)())
  foo;
};
```
Allow pre-release versions to be passed to target (#3388)
People want to be able to pass version numbers for unreleased versions of node (which have extra stuff after the version numbers) to esbuild's target setting and have esbuild do something reasonable with them. These version strings are of course not present in esbuild's internal feature compatibility table because an unreleased version has not been released yet (by definition). With this release, esbuild will now attempt to accept these version strings passed to target and do something reasonable with them.
v0.19.3
Fix list-style-type with the local-css loader (#3325)
The local-css loader incorrectly treated all identifiers provided to list-style-type as a custom local identifier. That included identifiers such as none which have special meaning in CSS, and which should not be treated as custom local identifiers. This release fixes this bug:
This changelog documents all esbuild versions published in the year 2021 (versions 0.8.29 through 0.14.10).
0.14.10
Enable tree shaking of classes with lowered static fields (#175)
If the configured target environment doesn't support static class fields, they are converted into a call to esbuild's __publicField function instead. However, esbuild's tree-shaking pass treated this call as a side effect, which meant that all classes with static fields were ineligible for tree shaking. This release fixes the problem by explicitly ignoring calls to the __publicField function during tree shaking side-effect determination. Tree shaking is now enabled for these classes:
```js
// Original code
class Foo { static foo = 'foo' }
class Bar { static bar = 'bar' }
new Bar()

// Old output (with --tree-shaking=true --target=es6)
class Foo {
}
__publicField(Foo, "foo", "foo");
class Bar {
}
__publicField(Bar, "bar", "bar");
new Bar();

// New output (with --tree-shaking=true --target=es6)
class Bar {
}
__publicField(Bar, "bar", "bar");
new Bar();
```
Treat --define:foo=undefined as an undefined literal instead of an identifier (#1407)
References to the global variable undefined are automatically replaced with the literal value for undefined, which appears as void 0 when printed. This allows for additional optimizations such as collapsing undefined ?? bar into just bar. However, this substitution was not done for values specified via --define:. As a result, esbuild could potentially miss out on certain optimizations in these cases. With this release, it's now possible to use --define: to substitute something with an undefined literal:
```js
// Original code
let win = typeof window !== 'undefined' ? window : {}

// Old output (with --define:window=undefined --minify)
let win=typeof undefined!="undefined"?undefined:{};

// New output (with --define:window=undefined --minify)
let win={};
```
Passing this flag causes all debugger; statements to be removed from the output. This is similar to the drop_debugger: true flag available in the popular UglifyJS and Terser JavaScript minifiers.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions
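Bumps the dev-deps group with 10 updates:

| Package | From | To |
| --- | --- | --- |
| `@types/resize-observer-browser` | 0.1.5 | 0.1.8 |
| `chai` | 4.3.4 | 4.3.10 |
| `@types/chai` | 4.2.18 | 4.3.6 |
| `esbuild` | 0.12.9 | 0.19.4 |
| `eslint-plugin-import` | 2.23.4 | 2.28.1 |
| `husky` | 8.0.0 | 8.0.3 |
| `karma-chrome-launcher` | 3.1.0 | 3.2.0 |
| `live-server` | 1.2.1 | 1.2.2 |
| `tslib` | 2.3.0 | 2.6.2 |
| `yargs` | 17.0.1 | 17.7.2 |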
Updates `@types/resize-observer-browser` from 0.1.5 to 0.1.8
Commits
Updates `chai` from 4.3.4 to 4.3.10
Release notes
Sourced from chai's releases.
... (truncated)
Commits
- `744a16e` 4.3.10
- `0ccd823` upgrade all dependencies (#1540)
- `923d0a4` 4.3.9
- `1a0f887` make
- `a141e57` upgrade deps
- `d9ff2c6` 4.3.8
- `8d3205b` build
- `b351dc0` Fix: update exports.version to current version (#1534)
- `1a8247f` Update CONTRIBUTING.md (#1521)
- `3a8c49a` docs: specify return type of objDisplay (#1490)

Maintainer changes
This version was pushed to npm by keithamus, a new releaser for chai since your current version.
Updates `@types/chai` from 4.2.18 to 4.3.6
Commits
Updates `esbuild` from 0.12.9 to 0.19.4
Release notes
Sourced from esbuild's releases.
... (truncated)
Changelog
Sourced from esbuild's changelog.
... (truncated)
Commits
- `a75b16e` publish 0.19.4 to npm
- `65a4439` fix #3396: js decorator pretty-printing bugs
- `6ad177c` add some js decorator printing tests
- `0e1696f` ignore `TP` in data from caniuse-lite
- `e7bf735` fix #3390: allow `using` disposable functions (#3391)
- `24bea0e` update `compat-table` (note: regexp unicode 15.1)
- `ea9c644` fix #3388: do something with pre-release versions
- `673ad10` publish 0.19.3 to npm
- `6402f11` basic support for parsing import attributes
- `7ece556` fix #3322: avoid temporaries before `"use strict"`
Updates `eslint-plugin-import` from 2.23.4 to 2.28.1
Release notes
Sourced from eslint-plugin-import's releases.
Changelog
Sourced from eslint-plugin-import's changelog.
... (truncated)
Commits
- `cd95728` Bump to 2.28.1
- `0847443` Revert 1fa2971 (breaking group change in `order`)
- `e9de30a` [resolvers/webpack] v0.13.6
- `cd1dff7` Revert "[resolvers/webpack] [refactor] replace `lodash/isEqual` usage with `d...
- `da71746` [resolvers/webpack] v0.13.5
- `22a0802` [resolvers/webpack] [deps] update `resolve`
- `1e81734` [resolvers/webpack] [refactor] replace `lodash/isEqual` usage with `deep-equal`
- `2c18c29` [resolvers/webpack] [refactor] remove `lodash/get` usage
- `b9b9c86` [resolvers/webpack] [refactor] switch to a maintained array.prototype.find pa...
- `2e7612f` [Dev Deps] pin `jackspeak` since 2.1.2+ depends on npm aliases, which kill th...

Updates `husky` from 8.0.0 to 8.0.3
Release notes
Sourced from husky's releases.
Commits
- `3c0e08d` 8.0.3
- `1ed3f9a` fix: change message
- `500d450` fix: add git not installed error message (#1208)
- `2945907` chore(deps): bump minimatch from 3.0.4 to 3.1.2 (#1229)
- `9f6dac4` chore: remove stale bot
- `f6c2c06` chore: update package-lock.json
- `f862dc2` chore: update devDependencies
- `9efb720` 8.0.2
- `573de60` docs: remove deprecated npm set-script
- `3db28d4` chore: increase daysUntilStale

Updates `karma-chrome-launcher` from 3.1.0 to 3.2.0
Release notes
Sourced from karma-chrome-launcher's releases.
Changelog
Sourced from karma-chrome-launcher's changelog.
Commits
- `e92a2b4` chore(release): 3.2.0 [skip ci]
- `12a73db` feat: add process.env.ProgramW6432 as root location for binaries
- `d193ef3` build(deps): bump semver-regex from 3.1.3 to 3.1.4
- `d1c05e3` build(deps): bump engine.io and karma
- `3f0cd99` build(deps): bump qs and body-parser
- `5f3cbb1` chore(release): 3.1.1 [skip ci]
- `83fdc3c` fix: artificially trigger a release
- `4dc0bd2` docs: fix Karma's url
- `5400b23` docs: explain testing, linting and commit linting
- `d2ad8c6` build: disallow `chore` type commits

Updates `live-server` from 1.2.1 to 1.2.2
Commits
Updates `tslib` from 2.3.0 to 2.6.2
Release notes
Sourced from tslib's releases.
... (truncated)
Commits
- `49ac8dc` 2.6.2
- `3071b51` Merge pull request #217 from microsoft/bug/fix-modules-condition-types-path
- `743045e` Fix path to exports["module"]["types"]
- `41c120d` 2.6.1
- `be55012` Merge pull request #216 from microsoft/bug/205
- `8d4c782` Undo format on save
- `74f91b3` Stop using es6 syntax in the es6 file
- `1d606f6` Allow functions as values in __addDisposableResource (#215)
- `7c7f3ae` 2.6.0
- `f641b05` Add helpers for `using` and `await using` (#213)

Updates `yargs` from 17.0.1 to 17.7.2
Changelog
Sourced from yargs's changelog.
... (truncated)
Commits
- `3566b84` chore(main): release 17.7.2 (#2323)
- `7f42848` fix: do not crash completion when having negated options (#2322)
- `2b6ba31` chore(main): release 17.7.1 (#2304)
- `9aa2490` fix: address display bug with default sub-commands (#2303)
- `663c1b6` chore(main): release 17.7.0 (#2285)
- `4cb41dc` feat: convert line break to whitespace for the description of the option (#2271)
- `7dc1086` test: mock additional hasColors method introduced in Node 16 (#2297)
- `f37ee6f` fix: copy the description of the option to its alias in completion (#2269)
- `1fd530a` chore: add en strings for unknown command (#2262)
- `2c144c4` feat: add method to hide option extras (#2156)