[Snyk] Upgrade esbuild from 0.17.11 to 0.17.19 #3

darklight147 · 2023-06-28T17:26:34Z

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to upgrade esbuild from 0.17.11 to 0.17.19.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

The recommended version is 8 versions ahead of your current version.
The recommended version was released 2 months ago, on 2023-05-13.

Release notes

Package name: esbuild

0.17.19 - 2023-05-13
- Fix CSS transform bugs with nested selectors that start with a combinator (#3096)
  
  This release fixes several bugs regarding transforming nested CSS into non-nested CSS for older browsers. The bugs were due to lack of test coverage for nested selectors with more than one compound selector where they all start with the same combinator. Here's what some problematic cases look like before and after these fixes:
  
  / Original code */
  .foo {
  > &a,
  > &b {
  color: red;
  }
  }
  .bar {
  > &a,
  + &b {
  color: green;
  }
  }
  
  /* Old output (with --target=chrome90) */
  .foo :is(> .fooa, > .foob) {
  color: red;
  }
  .bar :is(> .bara, + .barb) {
  color: green;
  }
  
  /* New output (with --target=chrome90) */
  .foo > :is(a.foo, b.foo) {
  color: red;
  }
  .bar > a.bar,
  .bar + b.bar {
  color: green;
  }
- Fix bug with TypeScript parsing of instantiation expressions followed by = (#3111)
  
  This release fixes esbuild's TypeScript-to-JavaScript conversion code in the case where a potential instantiation expression is followed immediately by a = token (such that the trailing > becomes a >= token). Previously esbuild considered that to still be an instantiation expression, but the official TypeScript compiler considered it to be a >= operator instead. This release changes esbuild's interpretation to match TypeScript. This edge case currently appears to be problematic for other TypeScript-to-JavaScript converters as well:
  
  Original code TypeScript esbuild 0.17.18 esbuild 0.17.19 Sucrase Babel
  
  x<y>=a<b<c>>() x<y>=a(); x=a(); x<y>=a(); x=a() Invalid left-hand side in assignment expression
- Avoid removing unrecognized directives from the directive prologue when minifying (#3115)
  
  The directive prologue in JavaScript is a sequence of top-level string expressions that come before your code. The only directives that JavaScript engines currently recognize are use strict and sometimes use asm. However, the people behind React have made up their own directive for their own custom dialect of JavaScript. Previously esbuild only preserved the use strict directive when minifying, although you could still write React JavaScript with esbuild using something like --banner:js="'your directive here';". With this release, you can now put arbitrary directives in the entry point and esbuild will preserve them in its minified output:
  
  // Original code
  'use wtf'; console.log(123)
  
  // Old output (with --minify)
  console.log(123);
  
  // New output (with --minify)
  "use wtf";console.log(123);
  
  Note that this means esbuild will no longer remove certain stray top-level strings when minifying. This behavior is an intentional change because these stray top-level strings are actually part of the directive prologue, and could potentially have semantics assigned to them (as was the case with React).
- Improved minification of binary shift operators
  
  With this release, esbuild's minifier will now evaluate the << and >>> operators if the resulting code would be shorter:
  
  // Original code
  console.log(10 << 10, 10 << 20, -123 >>> 5, -123 >>> 10);
  
  // Old output (with --minify)
  console.log(10<<10,10<<20,-123>>>5,-123>>>10);
  
  // New output (with --minify)
  console.log(10240,10<<20,-123>>>5,4194303);
0.17.18 - 2023-04-22
- Fix non-default JSON import error with export {} from (#3070)
  
  This release fixes a bug where esbuild incorrectly identified statements of the form export { default as x } from "y" assert { type: "json" } as a non-default import. The bug did not affect code of the form import { default as x } from ... (only code that used the export keyword).
- Fix a crash with an invalid subpath import (#3067)
  
  Previously esbuild could crash when attempting to generate a friendly error message for an invalid subpath import (i.e. an import starting with #). This happened because esbuild originally only supported the exports field and the code for that error message was not updated when esbuild later added support for the imports field. This crash has been fixed.
0.17.17 - 2023-04-16
- Fix CSS nesting transform for top-level & (#3052)
  
  Previously esbuild could crash with a stack overflow when lowering CSS nesting rules with a top-level &, such as in the code below. This happened because esbuild's CSS nesting transform didn't handle top-level &, causing esbuild to inline the top-level selector into itself. This release handles top-level & by replacing it with the :scope pseudo-class:
  
  / Original code */
  &,
  a {
  .b {
  color: red;
  }
  }
  
  /* New output (with --target=chrome90) */
  :is(:scope, a) .b {
  color: red;
  }
- Support exports in package.json for extends in tsconfig.json (#3058)
  
  TypeScript 5.0 added the ability to use extends in tsconfig.json to reference a path in a package whose package.json file contains an exports map that points to the correct location. This doesn't automatically work in esbuild because tsconfig.json affects esbuild's path resolution, so esbuild's normal path resolution logic doesn't apply.
  
  This release adds support for doing this by adding some additional code that attempts to resolve the extends path using the exports field. The behavior should be similar enough to esbuild's main path resolution logic to work as expected.
  
  Note that esbuild always treats this extends import as a require() import since that's what TypeScript appears to do. Specifically the require condition will be active and the import condition will be inactive.
- Fix watch mode with NODE_PATH (#3062)
  
  Node has a rarely-used feature where you can extend the set of directories that node searches for packages using the NODE_PATH environment variable. While esbuild supports this too, previously a bug prevented esbuild's watch mode from picking up changes to imported files that were contained directly in a NODE_PATH directory. You're supposed to use NODE_PATH for packages, but some people abuse this feature by putting files in that directory instead (e.g. node_modules/some-file.js instead of node_modules/some-pkg/some-file.js). The watch mode bug happens when you do this because esbuild first tries to read some-file.js as a directory and then as a file. Watch mode was incorrectly waiting for some-file.js to become a valid directory. This release fixes this edge case bug by changing watch mode to watch some-file.js as a file when this happens.
0.17.16 - 2023-04-10
- Fix CSS nesting transform for triple-nested rules that start with a combinator (#3046)
  
  This release fixes a bug with esbuild where triple-nested CSS rules that start with a combinator were not transformed correctly for older browsers. Here's an example of such a case before and after this bug fix:
  
  / Original input */
  .a {
  color: red;
  > .b {
  color: green;
  > .c {
  color: blue;
  }
  }
  }
  
  /* Old output (with --target=chrome90) */
  .a {
  color: red;
  }
  .a > .b {
  color: green;
  }
  .a .b > .c {
  color: blue;
  }
  
  /* New output (with --target=chrome90) */
  .a {
  color: red;
  }
  .a > .b {
  color: green;
  }
  .a > .b > .c {
  color: blue;
  }
- Support --inject with a file loaded using the copy loader (#3041)
  
  This release now allows you to use --inject with a file that is loaded using the copy loader. The copy loader copies the imported file to the output directory verbatim and rewrites the path in the import statement to point to the copied output file. When used with --inject, this means the injected file will be copied to the output directory as-is and a bare import statement for that file will be inserted in any non-copy output files that esbuild generates.
  
  Note that since esbuild doesn't parse the contents of copied files, esbuild will not expose any of the export names as usable imports when you do this (in the way that esbuild's --inject feature is typically used). However, any side-effects that the injected file has will still occur.
0.17.15 - 2023-04-01
Read more
0.17.14 - 2023-03-26
Read more
0.17.13 - 2023-03-24
Read more
0.17.12 - 2023-03-17
- Fix a crash when parsing inline TypeScript decorators (#2991)
  
  Previously esbuild's TypeScript parser crashed when parsing TypeScript decorators if the definition of the decorator was inlined into the decorator itself:
```
@(function sealed(constructor: Function) {
  Object.seal(constructor);
  Object.seal(constructor.prototype);
})
class Foo {}
```
  This crash was not noticed earlier because this edge case did not have test coverage. The crash is fixed in this release.
0.17.11 - 2023-03-03
Read more