[Snyk] Upgrade esbuild from 0.14.54 to 0.17.10 #3

Open
wants to merge 1 commit into
base: master

sathishcyberintelsysnew
Owner

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to upgrade esbuild from 0.14.54 to 0.17.10.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 48 versions ahead of your current version.
  • The recommended version was released 21 days ago, on 2023-02-20.
Release notes
Package name: esbuild
  • 0.17.10 - 2023-02-20
    • Update esbuild's handling of CSS nesting to match the latest specification changes (#1945)

      The syntax for the upcoming CSS nesting feature has recently changed. The @nest prefix that was previously required in some cases is now gone, and nested rules no longer have to start with & (as long as they don't start with an identifier or function token).

      This release updates esbuild's pass-through handling of CSS nesting syntax to match the latest specification changes. So you can now use esbuild to bundle CSS containing nested rules and try them out in a browser that supports CSS nesting (which includes nightly builds of both Chrome and Safari).

      However, I'm not implementing lowering of nested CSS to non-nested CSS for older browsers yet. While the syntax has been decided, the semantics are still in flux. In particular, there is still some debate about changing the fundamental way that CSS nesting works. For example, you might think that the following CSS is equivalent to a .outer .inner button { ... } rule:

      .inner button {
        .outer & {
          color: red;
        }
      }

      But instead it's actually equivalent to a .outer :is(.inner button) { ... } rule which unintuitively also matches the following DOM structure:

      <div class="inner">
        <div class="outer">
          <button></button>
        </div>
      </div>

      The :is() behavior is preferred by browser implementers because it's more memory-efficient, but the straightforward translation into a .outer .inner button { ... } rule is preferred by developers used to the existing CSS preprocessing ecosystem (e.g. SASS). It seems premature to commit esbuild to specific semantics for this syntax at this time given the ongoing debate.

    • Fix cross-file CSS rule deduplication involving url() tokens (#2936)

      Previously cross-file CSS rule deduplication didn't handle url() tokens correctly. These tokens contain references to import paths which may be internal (i.e. in the bundle) or external (i.e. not in the bundle). When comparing two url() tokens for equality, the underlying import paths should be compared instead of their references. This release of esbuild fixes url() token comparisons. One side effect is that @font-face rules should now be deduplicated correctly across files:

      /* Original code */
      @import "data:text/css,\
        @import 'http://example.com/style.css';\
        @font-face { src: url(http://example.com/font.ttf) }";
      @import "data:text/css,\
        @font-face { src: url(http://example.com/font.ttf) }";

      /* Old output (with --bundle --minify) */
      @import"http://example.com/style.css";@font-face{src:url(http://example.com/font.ttf)}@font-face{src:url(http://example.com/font.ttf)}

      /* New output (with --bundle --minify) */
      @import"http://example.com/style.css";@font-face{src:url(http://example.com/font.ttf)}

  • 0.17.9 - 2023-02-19
    • Parse rest bindings in TypeScript types (#2937)

      Previously esbuild was unable to parse the following valid TypeScript code:

      let tuple: (...[e1, e2, ...es]: any) => any

      This release includes support for parsing code like this.

    • Fix TypeScript code translation for certain computed declare class fields (#2914)

      In TypeScript, the key of a computed declare class field should only be preserved if there are no decorators for that field. Previously esbuild always preserved the key, but esbuild will now remove the key to match the output of the TypeScript compiler:

      // Original code
      declare function dec(a: any, b: any): any
      declare const removeMe: unique symbol
      declare const keepMe: unique symbol
      class X {
        declare [removeMe]: any
        @dec declare [keepMe]: any
      }

      // Old output
      var _a;
      class X {
      }
      removeMe, _a = keepMe;
      __decorateClass([
        dec
      ], X.prototype, _a, 2);

      // New output
      var _a;
      class X {
      }
      _a = keepMe;
      __decorateClass([
        dec
      ], X.prototype, _a, 2);

    • Fix a crash with path resolution error generation (#2913)

      In certain situations, a module containing an invalid import path could previously cause esbuild to crash when it attempts to generate a more helpful error message. This crash has been fixed.

  • 0.17.8 - 2023-02-13
    • Fix a minification bug with non-ASCII identifiers (#2910)

      This release fixes a bug with esbuild where non-ASCII identifiers followed by a keyword were incorrectly not separated by a space. This bug affected both the in and instanceof keywords. Here's an example of the fix:

      // Original code
      π in a

      // Old output (with --minify --charset=utf8)
      πin a;

      // New output (with --minify --charset=utf8)
      π in a;

    • Fix a regression with esbuild's WebAssembly API in version 0.17.6 (#2911)

      Version 0.17.6 of esbuild updated the Go toolchain to version 1.20.0. This had the unfortunate side effect of increasing the amount of stack space that esbuild uses (presumably due to some changes to Go's WebAssembly implementation) which could cause esbuild's WebAssembly-based API to crash with a stack overflow in cases where it previously didn't crash. One such case is the package grapheme-splitter which contains code that looks like this:

      if (
        (0x0300 <= code && code <= 0x036F) ||
        (0x0483 <= code && code <= 0x0487) ||
        (0x0488 <= code && code <= 0x0489) ||
        (0x0591 <= code && code <= 0x05BD) ||
        // ... many hundreds of lines later ...
      ) {
        return;
      }

      This edge case involves a chain of binary operators that results in an AST over 400 nodes deep. Normally this wouldn't be a problem because Go has growable call stacks, so the call stack would just grow to be as large as needed. However, WebAssembly byte code deliberately doesn't expose the ability to manipulate the stack pointer, so Go's WebAssembly translation is forced to use the fixed-size WebAssembly call stack. So esbuild's WebAssembly implementation is vulnerable to stack overflow in cases like these.

      It's not unreasonable for this to cause a stack overflow, and for esbuild's answer to this problem to be "don't write code like this." That's how many other AST-manipulation tools handle this problem. However, it's possible to implement AST traversal using iteration instead of recursion to work around limited call stack space. This version of esbuild implements this code transformation for esbuild's JavaScript parser and printer, so esbuild's WebAssembly implementation is now able to process the grapheme-splitter package (at least when compiled with Go 1.20.0 and run with node's WebAssembly implementation).

  • 0.17.7 - 2023-02-09
    • Change esbuild's parsing of TypeScript instantiation expressions to match TypeScript 4.8+ (#2907)

      This release updates esbuild's implementation of instantiation expression erasure to match microsoft/TypeScript#49353. The new rules are as follows (copied from TypeScript's PR description):

      When a potential type argument list is followed by

      • a line break,
      • an ( token,
      • a template literal string, or
      • any token except < or > that isn't the start of an expression,

      we consider that construct to be a type argument list. Otherwise we consider the construct to be a < relational expression followed by a > relational expression.

    • Ignore sideEffects: false for imported CSS files (#1370, #1458, #2905)

      This release ignores the sideEffects annotation in package.json for CSS files that are imported into JS files using esbuild's css loader. This means that these CSS files are no longer tree-shaken.

      Importing CSS into JS causes esbuild to automatically create a CSS entry point next to the JS entry point containing the bundled CSS. Previously packages that specified some form of "sideEffects": false could potentially cause esbuild to consider one or more of the JS files on the import path to the CSS file to be side-effect free, which would result in esbuild removing that CSS file from the bundle. This was problematic because the removal of that CSS is outwardly observable, since all CSS is global, so it was incorrect for previous versions of esbuild to tree-shake CSS files imported into JS files.

    • Add constant folding for certain additional equality cases (#2394, #2895)

      This release adds constant folding for expressions similar to the following:

      // Original input
      console.log(
        null === 'foo',
        null === undefined,
        null == undefined,
        false === 0,
        false == 0,
        1 === true,
        1 == true,
      )

      // Old output
      console.log(
        null === "foo",
        null === void 0,
        null == void 0,
        false === 0,
        false == 0,
        1 === true,
        1 == true
      );

      // New output
      console.log(
        false,
        false,
        true,
        false,
        true,
        false,
        true
      );

  • 0.17.6 - 2023-02-06
  • 0.17.5 - 2023-01-27
  • 0.17.4 - 2023-01-22
  • 0.17.3 - 2023-01-18
  • 0.17.2 - 2023-01-17
  • 0.17.1 - 2023-01-16
  • 0.17.0 - 2023-01-14
  • 0.16.17 - 2023-01-11
  • 0.16.16 - 2023-01-08
  • 0.16.15 - 2023-01-07
  • 0.16.14 - 2023-01-04
  • 0.16.13 - 2023-01-02
  • 0.16.12 - 2022-12-28
  • 0.16.11 - 2022-12-27
  • 0.16.10 - 2022-12-19
  • 0.16.9 - 2022-12-18
  • 0.16.8 - 2022-12-16
  • 0.16.7 - 2022-12-14
  • 0.16.6 - 2022-12-14
  • 0.16.5 - 2022-12-13
  • 0.16.4 - 2022-12-10
  • 0.16.3 - 2022-12-08
  • 0.16.2 - 2022-12-08
  • 0.16.1 - 2022-12-07
  • 0.16.0 - 2022-12-07
  • 0.15.18 - 2022-12-05
  • 0.15.17 - 2022-12-04
  • 0.15.16 - 2022-11-27
  • 0.15.15 - 2022-11-21
  • 0.15.14 - 2022-11-15
  • 0.15.13 - 2022-11-03
  • 0.15.12 - 2022-10-19
  • 0.15.11 - 2022-10-14
  • 0.15.10 - 2022-09-29
  • 0.15.9 - 2022-09-22
  • 0.15.8 - 2022-09-18
  • 0.15.7 - 2022-09-04
  • 0.15.6 - 2022-08-30
  • 0.15.5 - 2022-08-17
  • 0.15.4 - 2022-08-16
  • 0.15.3 - 2022-08-14
  • 0.15.2 - 2022-08-12
  • 0.15.1 - 2022-08-10
  • 0.15.0 - 2022-08-10
  • 0.14.54 - 2022-08-08
from esbuild GitHub release notes
Commit messages
Package name: esbuild



Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs
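
The 0.17.8 release note above describes replacing recursive AST traversal with iteration so that a deeply nested chain of binary operators cannot exhaust a fixed-size call stack. The sketch below is an added example, not code from esbuild or from this PR; the node shape and the names `buildChain`, `countRecursive`, `countIterative` and `survives` are hypothetical.

```javascript
// Added illustration: recursive vs. iterative traversal of a left-deep
// binary-operator AST such as `a || b || c || ...`. The node shape and all
// function names are hypothetical, not esbuild internals.

// Build `(((c0 || c1) || c2) || ...)` without recursion; the result is a
// chain whose left spine is `n` nodes deep (constructed sample input).
function buildChain(n) {
  let node = { type: 'leaf', value: 0 };
  for (let i = 1; i < n; i++) {
    node = { type: 'or', left: node, right: { type: 'leaf', value: i } };
  }
  return node;
}

// Recursive walk: one call-stack frame per nesting level, so the maximum
// input depth is limited by the engine's fixed call stack.
function countRecursive(node) {
  if (node.type === 'leaf') return 1;
  return 1 + countRecursive(node.left) + countRecursive(node.right);
}

// Iterative walk: pending nodes live in a heap-allocated array, so depth is
// bounded by available memory instead of call-stack size.
function countIterative(root) {
  const pending = [root];
  let count = 0;
  while (pending.length > 0) {
    const node = pending.pop();
    count++;
    if (node.type !== 'leaf') pending.push(node.right, node.left);
  }
  return count;
}

// Returns true if `walker` completes on a chain of the given depth and
// false if it exhausts the call stack (a RangeError in JavaScript engines).
function survives(walker, depth) {
  try {
    walker(buildChain(depth));
    return true;
  } catch (e) {
    if (e instanceof RangeError) return false;
    throw e;
  }
}
```

A parser or printer that accepts untrusted source should be exercised with inputs like `buildChain(200000)` in its test suite, since a crash at this depth is a denial-of-service condition for any build service that compiles user-supplied code.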
