[Snyk] Upgrade esbuild from 0.14.48 to 0.15.7 #6

MarcelRaschke · 2022-09-30T10:51:28Z

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to upgrade esbuild from 0.14.48 to 0.15.7.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

The recommended version is 14 versions ahead of your current version.
The recommended version was released a month ago, on 2022-09-04.

Release notes

Package name: esbuild

0.15.7 - 2022-09-04
- Add --watch=forever to allow esbuild to never terminate (#1511, #1885)
  
  Currently using esbuild's watch mode via --watch from the CLI will stop watching if stdin is closed. The rationale is that stdin is automatically closed by the OS when the parent process exits, so stopping watch mode when stdin is closed ensures that esbuild's watch mode doesn't keep running forever after the parent process has been closed. For example, it would be bad if you wrote a shell script that did esbuild --watch & to run esbuild's watch mode in the background, and every time you run the script it creates a new esbuild process that runs forever.
  
  However, there are cases when it makes sense for esbuild's watch mode to never exit. One such case is within a short-lived VM where the lifetime of all processes inside the VM is expected to be the lifetime of the VM. Previously you could easily do this by piping the output of a long-lived command into esbuild's stdin such as sleep 999999999 | esbuild --watch &. However, this possibility often doesn't occur to people, and it also doesn't work on Windows. People also sometimes attempt to keep esbuild open by piping an infinite stream of data to esbuild such as with esbuild --watch </dev/zero & which causes esbuild to spin at 100% CPU. So with this release, esbuild now has a --watch=forever flag that will not stop watch mode when stdin is closed.
- Work around PATH without node in install script (#2519)
  
  Some people install esbuild's npm package in an environment without the node command in their PATH. This fails on Windows because esbuild's install script runs the esbuild command before exiting as a sanity check, and on Windows the esbuild command has to be a JavaScript file because of some internal details about how npm handles the bin folder (specifically the esbuild command lacks the .exe extension, which is required on Windows). This release attempts to work around this problem by using process.execPath instead of "node" as the command for running node. In theory this means the installer can now still function on Windows if something is wrong with PATH.
0.15.6 - 2022-08-30
- Lower for await loops (#1930)
  
  This release lowers for await loops to the equivalent for loop containing await when esbuild is configured such that for await loops are unsupported. This transform still requires at least generator functions to be supported since esbuild's lowering of await currently relies on generators. This new transformation is mostly modeled after what the TypeScript compiler does. Here's an example:
```
async function f() {
  for await (let x of y)
    x()
}
```
  The code above will now become the following code with --target=es2017 (omitting the code for the __forAwait helper function):
```
async function f() {
  try {
    for (var iter = __forAwait(y), more, temp, error; more = !(temp = await iter.next()).done; more = false) {
      let x = temp.value;
      x();
    }
  } catch (temp) {
    error = [temp];
  } finally {
    try {
      more && (temp = iter.return) && await temp.call(iter);
    } finally {
      if (error)
        throw error[0];
    }
  }
}
```
- Automatically fix invalid supported configurations (#2497)
  
  The --target= setting lets you tell esbuild to target a specific version of one or more JavaScript runtimes such as chrome80,node14 and esbuild will restrict its output to only those features supported by all targeted JavaScript runtimes. More recently, esbuild introduced the --supported: setting that lets you override which features are supported on a per-feature basis. However, this now lets you configure nonsensical things such as --supported:async-await=false --supported:async-generator=true. Previously doing this could result in esbuild building successfully but producing invalid output.
  
  Starting with this release, esbuild will now attempt to automatically fix nonsensical feature override configurations by introducing more overrides until the configuration makes sense. So now the configuration from previous example will be changed such that async-await=false implies async-generator=false. The full list of implications that were introduced is below:
  - async-await=false implies:
    - async-generator=false
    - for-await=false
    - top-level-await=false
  - generator=false implies:
    - async-generator=false
  - object-accessors=false implies:
    - class-private-accessor=false
    - class-private-static-accessor=false
  - class-field=false implies:
    - class-private-field=false
  - class-static-field=false implies:
    - class-private-static-field=false
  - class=false implies:
    - class-field=false
    - class-private-accessor=false
    - class-private-brand-check=false
    - class-private-field=false
    - class-private-method=false
    - class-private-static-accessor=false
    - class-private-static-field=false
    - class-private-static-method=false
    - class-static-blocks=false
    - class-static-field=false
- Implement a small minification improvement (#2496)
  
  Some people write code that contains a label with an immediate break such as x: break x. Previously this code was not removed during minification but it will now be removed during minification starting with this release.
- Fix installing esbuild via Yarn with enableScripts: false configured (#2457)
  
  If esbuild is installed with Yarn with the enableScripts: false setting configured, then Yarn will not "unplug" the esbuild package (i.e. it will keep the entire package inside a .zip file). This messes with esbuild's library code that extracts the platform-specific binary executable because that code copies the binary executable into the esbuild package directory, and Yarn's .zip file system shim doesn't let you write to a directory inside of a .zip file. This release fixes this problem by writing to the node_modules/.cache/esbuild directory instead in this case. So you should now be able to use esbuild with Yarn when enableScripts: false is configured.
  
  This fix was contributed by @ jonaskuske.
0.15.5 - 2022-08-17
- Fix issues with Yarn PnP and Yarn's workspaces feature (#2476)
  
  This release makes sure esbuild works with a Yarn feature called workspaces. Previously esbuild wasn't tested in this scenario, but this scenario now has test coverage. Getting this to work involved further tweaks to esbuild's custom code for what happens after Yarn PnP's path resolution algorithm runs, which is not currently covered by Yarn's PnP specification. These tweaks also fix exports map resolution with Yarn PnP for non-empty subpaths, which wasn't previously working.
0.15.4 - 2022-08-16
- Consider TypeScript import assignments to be side-effect free (#2468)
  
  TypeScript has a legacy import syntax for working with TypeScript namespaces that looks like this:
  
  import { someNamespace } from './some-file'
  import bar = someNamespace.foo;
  
  // some-file.ts
  export namespace someNamespace {
  export let foo = 123
  }
  
  Since esbuild converts TypeScript into JavaScript one file at a time, it doesn't know if bar is supposed to be a value or a type (or both, which TypeScript actually allows in this case). This is problematic because values are supposed to be kept during the conversion but types are supposed to be removed during the conversion. Currently esbuild keeps bar in the output, which is done because someNamespace.foo is a property access and property accesses run code that could potentially have a side effect (although there is no side effect in this case).
  
  With this release, esbuild will now consider someNamespace.foo to have no side effects. This means bar will now be removed when bundling and when tree shaking is enabled. Note that it will still not be removed when tree shaking is disabled. This is because in this mode, esbuild supports adding additional code to the end of the generated output that's in the same scope as the module. That code could potentially make use of bar, so it would be incorrect to remove it. If you want bar to be removed, you'll have to enable tree shaking (which tells esbuild that nothing else depends on the unexported top-level symbols in the generated output).
- Change the order of the banner and the "use strict" directive (#2467)
  
  Previously the top of the file contained the following things in order:
  1. The hashbang comment (see below) from the source code, if present
  2. The "use strict" directive from the source code, if present
  3. The content of esbuild's banner API option, if specified
  This was problematic for people that used the banner API option to insert the hashbang comment instead of using esbuild's hashbang comment preservation feature. So with this release, the order has now been changed to:
  1. The hashbang comment (see below) from the source code, if present
  2. The content of esbuild's banner API option, if specified
  3. The "use strict" directive from the source code, if present
  I'm considering this change to be a bug fix instead of a breaking change because esbuild's documentation states that the banner API option can be used to "insert an arbitrary string at the beginning of generated JavaScript files". While this isn't technically true because esbuild may still insert the original hashbang comment before the banner, it's at least more correct now because the banner will now come before the "use strict" directive.
  
  For context: JavaScript files recently allowed using a hashbang comment, which starts with #! and which must start at the very first character of the file. It allows Unix systems to execute the file directly as a script without needing to prefix it by the node command. This comment typically has the value #!/usr/bin/env node. Hashbang comments will be a part of ES2023 when it's released next year.
- Fix exports maps with Yarn PnP path resolution (#2473)
  
  The Yarn PnP specification says that to resolve a package path, you first resolve it to the absolute path of a directory, and then you run node's module resolution algorithm on it. Previously esbuild followed this part of the specification. However, doing this means that exports in package.json is not respected because node's module resolution algorithm doesn't interpret exports for absolute paths. So with this release, esbuild will now use a modified algorithm that deviates from both specifications but that should hopefully behave more similar to what Yarn actually does: node's module resolution algorithm is run with the original import path but starting from the directory returned by Yarn PnP.
0.15.3 - 2022-08-14
- Change the Yarn PnP manifest to a singleton (#2463)
  
  Previously esbuild searched for the Yarn PnP manifest in the parent directories of each file. But with Yarn's enableGlobalCache setting it's possible to configure Yarn PnP's implementation to reach outside of the directory subtree containing the Yarn PnP manifest. This was causing esbuild to fail to bundle projects with the enableGlobalCache setting enabled.
  
  To handle this case, esbuild will now only search for the Yarn PnP manifest in the current working directory of the esbuild process. If you're using esbuild's CLI, this means you will now have to cd into the appropriate directory first. If you're using esbuild's API, you can override esbuild's value for the current working directory with the absWorkingDir API option.
- Fix Yarn PnP resolution failures due to backslashes in paths on Windows (#2462)
  
  Previously dependencies of a Yarn PnP virtual dependency failed to resolve on Windows. This was because Windows uses \ instead of / as a path separator, and the path manipulation algorithms used for Yarn PnP expected /. This release converts \ into / in Windows paths, which fixes this issue.
- Fix sideEffects patterns containing slashes on Windows (#2465)
  
  The sideEffects field in package.json lets you specify an array of patterns to mark which files have side effects (which causes all other files to be considered to not have side effects by exclusion). That looks like this:
```
"sideEffects": [
  "**/index.js",
  "**/index.prod.js"
]
```
  However, the presence of the / character in the pattern meant that the pattern failed to match Windows-style paths, which broke sideEffects on Windows in this case. This release fixes this problem by adding additional code to handle Windows-style paths.
0.15.2 - 2022-08-12
Read more
0.15.1 - 2022-08-10
Read more
0.15.0 - 2022-08-10
Read more
0.14.54 - 2022-08-08
Read more
0.14.53 - 2022-08-02
This release fixes a minor issue with the previous release: I had to rename the package esbuild-linux-loong64 to @ esbuild/linux-loong64 in the contributed PR because someone registered the package name before I could claim it, and I missed a spot. Hopefully everything is working after this release. I plan to change all platform-specific package names to use the @ esbuild/ scope at some point to avoid this problem in the future.
0.14.52 - 2022-08-02
0.14.51 - 2022-07-28
0.14.50 - 2022-07-25
0.14.49 - 2022-07-10
0.14.48 - 2022-06-30