[Snyk] Upgrade esbuild from 0.19.12 to 0.21.4

[X-oss-byte]

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to upgrade esbuild from 0.19.12 to 0.21.4.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 8 versions ahead of your current version.

• The recommended version was released on 21 days ago.

Release notes

Package name: esbuild

• 0.21.4 - 2024-05-25
  

  • Update support for import assertions and import attributes in node (#3778)

    Import assertions (the assert keyword) have been removed from node starting in v22.0.0. So esbuild will now strip them and generate a warning with --target=node22 or above:

    ▲ [WARNING] The "assert" keyword is not supported in the configured target environment ("node22") [assert-to-with]

    example.mjs:1:40:
      1 │ import json from "esbuild/package.json" assert { type: "json" }
        │                                         ~~~~~~
        ╵                                         with
    

    Did you mean to use "with" instead of "assert"?


    Import attributes (the with keyword) have been backported to node 18 starting in v18.20.0. So esbuild will no longer strip them with --target=node18.N if N is 20 or greater.

  • Fix for await transform when a label is present

    This release fixes a bug where the for await transform, which wraps the loop in a try statement, previously failed to also move the loop's label into the try statement. This bug only affects code that uses both of these features in combination. Here's an example of some affected code:

    // Original code
    async function test() {
    outer: for await (const x of [Promise.resolve([0, 1])]) {
    for (const y of x) if (y) break outer
    throw 'fail'
    }
    }

    // Old output (with --target=es6)
    function test() {
    return __async(this, null, function* () {
    outer: try {
    for (var iter = __forAwait([Promise.resolve([0, 1])]), more, temp, error; more = !(temp = yield iter.next()).done; more = false) {
    const x = temp.value;
    for (const y of x) if (y) break outer;
    throw "fail";
    }
    } catch (temp) {
    error = [temp];
    } finally {
    try {
    more && (temp = iter.return) && (yield temp.call(iter));
    } finally {
    if (error)
    throw error[0];
    }
    }
    });
    }

    // New output (with --target=es6)
    function test() {
    return __async(this, null, function* () {
    try {
    outer: for (var iter = __forAwait([Promise.resolve([0, 1])]), more, temp, error; more = !(temp = yield iter.next()).done; more = false) {
    const x = temp.value;
    for (const y of x) if (y) break outer;
    throw "fail";
    }
    } catch (temp) {
    error = [temp];
    } finally {
    try {
    more && (temp = iter.return) && (yield temp.call(iter));
    } finally {
    if (error)
    throw error[0];
    }
    }
    });
    }

  • Do additional constant folding after cross-module enum inlining (#3416, #3425)

    This release adds a few more cases where esbuild does constant folding after cross-module enum inlining.

    // Original code: enum.ts
    export enum Platform {
    WINDOWS = 'windows',
    MACOS = 'macos',
    LINUX = 'linux',
    }

    // Original code: main.ts
    import { Platform } from './enum';
    declare const PLATFORM: string;
    export function logPlatform() {
    if (PLATFORM == Platform.WINDOWS) console.log('Windows');
    else if (PLATFORM == Platform.MACOS) console.log('macOS');
    else if (PLATFORM == Platform.LINUX) console.log('Linux');
    else console.log('Other');
    }

    // Old output (with --bundle '--define:PLATFORM="macos"' --minify --format=esm)
    function n(){"windows"=="macos"?console.log("Windows"):"macos"=="macos"?console.log("macOS"):"linux"=="macos"?console.log("Linux"):console.log("Other")}export{n as logPlatform};

    // New output (with --bundle '--define:PLATFORM="macos"' --minify --format=esm)
    function n(){console.log("macOS")}export{n as logPlatform};

  • Pass import attributes to on-resolve plugins (#3384, #3639, #3646)

    With this release, on-resolve plugins will now have access to the import attributes on the import via the with property of the arguments object. This mirrors the with property of the arguments object that's already passed to on-load plugins. In addition, you can now pass with to the resolve() API call which will then forward that value on to all relevant plugins. Here's an example of a plugin that can now be written:

    const examplePlugin = {
    name: 'Example plugin',
    setup(build) {
    build.onResolve({ filter: /.*/ }, args => {
    if (args.with.type === 'external')
    return { external: true }
    })
    }
    }

    require('esbuild').build({
    stdin: {
    contents: </span> <span class="pl-s"> import foo from "./foo" with { type: "external" }</span> <span class="pl-s"> foo()</span> <span class="pl-s"> ,
    },
    bundle: true,
    format: 'esm',
    write: false,
    plugins: [examplePlugin],
    }).then(result => {
    console.log(result.outputFiles[0].text)
    })

  • Formatting support for the @ position-try rule (#3773)

    Chrome shipped this new CSS at-rule in version 125 as part of the CSS anchor positioning API. With this release, esbuild now knows to expect a declaration list inside of the @ position-try body block and will format it appropriately.

  • Always allow internal string import and export aliases (#3343)

    Import and export names can be string literals in ES2022+. Previously esbuild forbid any usage of these aliases when the target was below ES2022. Starting with this release, esbuild will only forbid such usage when the alias would otherwise end up in output as a string literal. String literal aliases that are only used internally in the bundle and are "compiled away" are no longer errors. This makes it possible to use string literal aliases with esbuild's inject feature even when the target is earlier than ES2022.

• 0.21.3 - 2024-05-15
  

  • Implement the decorator metadata proposal (#3760)

    This release implements the decorator metadata proposal, which is a sub-proposal of the decorators proposal. Microsoft shipped the decorators proposal in TypeScript 5.0 and the decorator metadata proposal in TypeScript 5.2, so it's important that esbuild also supports both of these features. Here's a quick example:

    // Shim the "Symbol.metadata" symbol
    Symbol.metadata ??= Symbol('Symbol.metadata')

    const track = (_, context) => {
    (context.metadata.names ||= []).push(context.name)
    }

    class Foo {
    @track foo = 1
    @track bar = 2
    }

    // Prints ["foo", "bar"]
    console.log(Foo[Symbol.metadata].names)

    ⚠️ WARNING ⚠️

    This proposal has been marked as "stage 3" which means "recommended for implementation". However, it's still a work in progress and isn't a part of JavaScript yet, so keep in mind that any code that uses JavaScript decorator metadata may need to be updated as the feature continues to evolve. If/when that happens, I will update esbuild's implementation to match the specification. I will not be supporting old versions of the specification.

  • Fix bundled decorators in derived classes (#3768)

    In certain cases, bundling code that uses decorators in a derived class with a class body that references its own class name could previously generate code that crashes at run-time due to an incorrect variable name. This problem has been fixed. Here is an example of code that was compiled incorrectly before this fix:

    class Foo extends Object {
      @(x => x) foo() {
        return Foo
      }
    }
    console.log(new Foo().foo())

  • Fix tsconfig.json files inside symlinked directories (#3767)

    This release fixes an issue with a scenario involving a tsconfig.json file that extends another file from within a symlinked directory that uses the paths feature. In that case, the implicit baseURL value should be based on the real path (i.e. after expanding all symbolic links) instead of the original path. This was already done for other files that esbuild resolves but was not yet done for tsconfig.json because it's special-cased (the regular path resolver can't be used because the information inside tsconfig.json is involved in path resolution). Note that this fix no longer applies if the --preserve-symlinks setting is enabled.

• 0.21.2 - 2024-05-12
  

  • Correct this in field and accessor decorators (#3761)

    This release changes the value of this in initializers for class field and accessor decorators from the module-level this value to the appropriate this value for the decorated element (either the class or the instance). It was previously incorrect due to lack of test coverage. Here's an example of a decorator that doesn't work without this change:

    const dec = () => function() { this.bar = true }
    class Foo { @dec static foo }
    console.log(Foo.bar) // Should be "true"

  • Allow es2023 as a target environment (#3762)

    TypeScript recently added es2023 as a compilation target, so esbuild now supports this too. There is no difference between a target of es2022 and es2023 as far as esbuild is concerned since the 2023 edition of JavaScript doesn't introduce any new syntax features.

• 0.21.1 - 2024-05-07
  

  • Fix a regression with --keep-names (#3756)

    The previous release introduced a regression with the --keep-names setting and object literals with get/set accessor methods, in which case the generated code contained syntax errors. This release fixes the regression:

    // Original code
    x = { get y() {} }

    // Output from version 0.21.0 (with --keep-names)
    x = { get y: /* @ PURE */ __name(function() {
    }, "y") };

    // Output from this version (with --keep-names)
    x = { get y() {
    } };

• 0.21.0 - 2024-05-07
  

  This release doesn't contain any deliberately-breaking changes. However, it contains a very complex new feature and while all of esbuild's tests pass, I would not be surprised if an important edge case turns out to be broken. So I'm releasing this as a breaking change release to avoid causing any trouble. As usual, make sure to test your code when you upgrade.

  • Implement the JavaScript decorators proposal (#104)

    With this release, esbuild now contains an implementation of the upcoming JavaScript decorators proposal. This is the same feature that shipped in TypeScript 5.0 and has been highly-requested on esbuild's issue tracker. You can read more about them in that blog post and in this other (now slightly outdated) extensive blog post here: https://2ality.com/2022/10/javascript-decorators.html. Here's a quick example:

    const log = (fn, context) => function() {
    console.log(before <span class="pl-s1"><span class="pl-kos">${</span><span class="pl-s1">context</span><span class="pl-kos">.</span><span class="pl-c1">name</span><span class="pl-kos">}</span></span>)
    const it = fn.apply(this, arguments)
    console.log(after <span class="pl-s1"><span class="pl-kos">${</span><span class="pl-s1">context</span><span class="pl-kos">.</span><span class="pl-c1">name</span><span class="pl-kos">}</span></span>)
    return it
    }

    class Foo {
    @log static foo() {
    console.log('in foo')
    }
    }

    // Logs "before foo", "in foo", "after foo"
    Foo.foo()

    Note that this feature is different than the existing "TypeScript experimental decorators" feature that esbuild already implements. It uses similar syntax but behaves very differently, and the two are not compatible (although it's sometimes possible to write decorators that work with both). TypeScript experimental decorators will still be supported by esbuild going forward as they have been around for a long time, are very widely used, and let you do certain things that are not possible with JavaScript decorators (such as decorating function parameters). By default esbuild will parse and transform JavaScript decorators, but you can tell esbuild to parse and transform TypeScript experimental decorators instead by setting "experimentalDecorators": true in your tsconfig.json file.

    Probably at least half of the work for this feature went into creating a test suite that exercises many of the proposal's edge cases: https://github.com/evanw/decorator-tests. It has given me a reasonable level of confidence that esbuild's initial implementation is acceptable. However, I don't have access to a significant sample of real code that uses JavaScript decorators. If you're currently using JavaScript decorators in a real code base, please try out esbuild's implementation and let me know if anything seems off.

    ⚠️ WARNING ⚠️

    This proposal has been in the works for a very long time (work began around 10 years ago in 2014) and it is finally getting close to becoming part of the JavaScript language. However, it's still a work in progress and isn't a part of JavaScript yet, so keep in mind that any code that uses JavaScript decorators may need to be updated as the feature continues to evolve. The decorators proposal is pretty close to its final form but it can and likely will undergo some small behavioral adjustments before it ends up becoming a part of the standard. If/when that happens, I will update esbuild's implementation to match the specification. I will not be supporting old versions of the specification.

  • Optimize the generated code for private methods

    Previously when lowering private methods for old browsers, esbuild would generate one WeakSet for each private method. This mirrors similar logic for generating one WeakSet for each private field. Using a separate WeakMap for private fields is necessary as their assignment can be observable:

    let it
    class Bar {
      constructor() {
        it = this
      }
    }
    class Foo extends Bar {
      #x = 1
      #y = null.foo
      static check() {
        console.log(#x in it, #y in it)
      }
    }
    try { new Foo } catch {}
    Foo.check()

    This prints true false because this partially-initialized instance has #x but not #y. In other words, it's not true that all class instances will always have all of their private fields. However, the assignment of private methods to a class instance is not observable. In other words, it's true that all class instances will always have all of their private methods. This means esbuild can lower private methods into code where all methods share a single WeakSet, which is smaller, faster, and uses less memory. Other JavaScript processing tools such as the TypeScript compiler already make this optimization. Here's what this change looks like:

    // Original code
    class Foo {
    #x() { return this.#x() }
    #y() { return this.#y() }
    #z() { return this.#z() }
    }

    // Old output (--supported:class-private-method=false)
    var _x, x_fn, _y, y_fn, _z, z_fn;
    class Foo {
    constructor() {
    __privateAdd(this, _x);
    __privateAdd(this, _y);
    __privateAdd(this, _z);
    }
    }
    _x = new WeakSet();
    x_fn = function() {
    return __privateMethod(this, _x, x_fn).call(this);
    };
    _y = new WeakSet();
    y_fn = function() {
    return __privateMethod(this, _y, y_fn).call(this);
    };
    _z = new WeakSet();
    z_fn = function() {
    return __privateMethod(this, _z, z_fn).call(this);
    };

    // New output (--supported:class-private-method=false)
    var _Foo_instances, x_fn, y_fn, z_fn;
    class Foo {
    constructor() {
    __privateAdd(this, _Foo_instances);
    }
    }
    _Foo_instances = new WeakSet();
    x_fn = function() {
    return __privateMethod(this, _Foo_instances, x_fn).call(this);
    };
    y_fn = function() {
    return __privateMethod(this, _Foo_instances, y_fn).call(this);
    };
    z_fn = function() {
    return __privateMethod(this, _Foo_instances, z_fn).call(this);
    };

  • Fix an obscure bug with lowering class members with computed property keys

    When class members that use newer syntax features are transformed for older target environments, they sometimes need to be relocated. However, care must be taken to not reorder any side effects caused by computed property keys. For example, the following code must evaluate a() then b() then c():

    class Foo {
      [a()]() {}
      [b()];
      static { c() }
    }

    Previously esbuild did this by shifting the computed property key forward to the next spot in the evaluation order. Classes evaluate all computed keys first and then all static class elements, so if the last computed key needs to be shifted, esbuild previously inserted a static block at start of the class body, ensuring it came before all other static class elements:

    var _a;
    class Foo {
      constructor() {
        __publicField(this, _a);
      }
      static {
        _a = b();
      }
      [a()]() {
      }
      static {
        c();
      }
    }

    However, this could cause esbuild to accidentally generate a syntax error if the computed property key contains code that isn't allowed in a static block, such as an await expression. With this release, esbuild fixes this problem by shifting the computed property key backward to the previous spot in the evaluation order instead, which may push it into the extends clause or even before the class itself:

    a() {
    }
    static {
    c();
    }
    }

    // New output (with --supported:class-field=false)
    var _a, _b;
    class Foo {
    constructor() {
    __publicField(this, _a);
    }
    (_b = a(), _a = await b(), _b) {
    }
    static {
    c();
    }
    }">

    // Original code
    
    class Foo {
    
    [a()]() {}
    
    [await b()];
    
    static { c() }
    
    }
    
    // Old output (with --supported:class-field=false)
    
    var _a;
    
    class Foo {
    
    constructor() {
    
    __publicField(this, _a);
    
    <span c...

[stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 2d4f3de

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[sourcery-ai]

We have skipped reviewing this pull request. Here's why:

• It seems to have been created by a bot ('[Snyk]' found in title). We assume it knows what it's doing!
• We don't review packaging changes - Let us know if you'd like us to change this.