Esbuild-py

Latest version: v0.1.5

Safety actively analyzes 682404 Python packages for vulnerabilities to keep your Python projects secure.

Scan your dependencies

Page 9 of 11

0.17.8

* Fix a minification bug with non-ASCII identifiers ([2910](https://github.com/evanw/esbuild/issues/2910))

This release fixes a bug with esbuild where non-ASCII identifiers followed by a keyword were incorrectly not separated by a space. This bug affected both the `in` and `instanceof` keywords. Here's an example of the fix:

js
// Original code
π in a

// Old output (with --minify --charset=utf8)
πin a;

// New output (with --minify --charset=utf8)
π in a;


* Fix a regression with esbuild's WebAssembly API in version 0.17.6 ([2911](https://github.com/evanw/esbuild/issues/2911))

Version 0.17.6 of esbuild updated the Go toolchain to version 1.20.0. This had the unfortunate side effect of increasing the amount of stack space that esbuild uses (presumably due to some changes to Go's WebAssembly implementation) which could cause esbuild's WebAssembly-based API to crash with a stack overflow in cases where it previously didn't crash. One such case is the package `grapheme-splitter` which contains code that looks like this:

js
if (
(0x0300 <= code && code <= 0x036F) ||
(0x0483 <= code && code <= 0x0487) ||
(0x0488 <= code && code <= 0x0489) ||
(0x0591 <= code && code <= 0x05BD) ||
// ... many hundreds of lines later ...
) {
return;
}


This edge case involves a chain of binary operators that results in an AST over 400 nodes deep. Normally this wouldn't be a problem because Go has growable call stacks, so the call stack would just grow to be as large as needed. However, WebAssembly byte code deliberately doesn't expose the ability to manipulate the stack pointer, so Go's WebAssembly translation is forced to use the fixed-size WebAssembly call stack. So esbuild's WebAssembly implementation is vulnerable to stack overflow in cases like these.

It's not unreasonable for this to cause a stack overflow, and for esbuild's answer to this problem to be "don't write code like this." That's how many other AST-manipulation tools handle this problem. However, it's possible to implement AST traversal using iteration instead of recursion to work around limited call stack space. This version of esbuild implements this code transformation for esbuild's JavaScript parser and printer, so esbuild's WebAssembly implementation is now able to process the `grapheme-splitter` package (at least when compiled with Go 1.20.0 and run with node's WebAssembly implementation).

0.17.7

* Change esbuild's parsing of TypeScript instantiation expressions to match TypeScript 4.8+ ([2907](https://github.com/evanw/esbuild/issues/2907))

This release updates esbuild's implementation of instantiation expression erasure to match [microsoft/TypeScript49353](https://github.com/microsoft/TypeScript/pull/49353). The new rules are as follows (copied from TypeScript's PR description):

> When a potential type argument list is followed by
>
> * a line break,
> * an `(` token,
> * a template literal string, or
> * any token except `<` or `>` that isn't the start of an expression,
>
> we consider that construct to be a type argument list. Otherwise we consider the construct to be a `<` relational expression followed by a `>` relational expression.

* Ignore `sideEffects: false` for imported CSS files ([1370](https://github.com/evanw/esbuild/issues/1370), [#1458](https://github.com/evanw/esbuild/pull/1458), [#2905](https://github.com/evanw/esbuild/issues/2905))

This release ignores the `sideEffects` annotation in `package.json` for CSS files that are imported into JS files using esbuild's `css` loader. This means that these CSS files are no longer be tree-shaken.

Importing CSS into JS causes esbuild to automatically create a CSS entry point next to the JS entry point containing the bundled CSS. Previously packages that specified some form of `"sideEffects": false` could potentially cause esbuild to consider one or more of the JS files on the import path to the CSS file to be side-effect free, which would result in esbuild removing that CSS file from the bundle. This was problematic because the removal of that CSS is outwardly observable, since all CSS is global, so it was incorrect for previous versions of esbuild to tree-shake CSS files imported into JS files.

* Add constant folding for certain additional equality cases ([2394](https://github.com/evanw/esbuild/issues/2394), [#2895](https://github.com/evanw/esbuild/issues/2895))

This release adds constant folding for expressions similar to the following:

js
// Original input
console.log(
null === 'foo',
null === undefined,
null == undefined,
false === 0,
false == 0,
1 === true,
1 == true,
)

// Old output
console.log(
null === "foo",
null === void 0,
null == void 0,
false === 0,
false == 0,
1 === true,
1 == true
);

// New output
console.log(
false,
false,
true,
false,
true,
false,
true
);

0.17.6

* Fix a CSS parser crash on invalid CSS ([2892](https://github.com/evanw/esbuild/issues/2892))

Previously the following invalid CSS caused esbuild's parser to crash:

css
media screen


The crash was caused by trying to construct a helpful error message assuming that there was an opening `{` token, which is not the case here. This release fixes the crash.

* Inline TypeScript enums that are referenced before their declaration

Previously esbuild inlined enums within a TypeScript file from top to bottom, which meant that references to TypeScript enum members were only inlined within the same file if they came after the enum declaration. With this release, esbuild will now inline enums even when they are referenced before they are declared:

ts
// Original input
export const foo = () => Foo.FOO
const enum Foo { FOO = 0 }

// Old output (with --tree-shaking=true)
export const foo = () => Foo.FOO;
var Foo = /* __PURE__ */ ((Foo2) => {
Foo2[Foo2["FOO"] = 0] = "FOO";
return Foo2;
})(Foo || {});

// New output (with --tree-shaking=true)
export const foo = () => 0 /* FOO */;


This makes esbuild's TypeScript output smaller and faster when processing code that does this. I noticed this issue when I ran the TypeScript compiler's source code through esbuild's bundler. Now that the TypeScript compiler is going to be bundled with esbuild in the upcoming TypeScript 5.0 release, improvements like this will also improve the TypeScript compiler itself!

* Fix esbuild installation on Arch Linux ([2785](https://github.com/evanw/esbuild/issues/2785), [#2812](https://github.com/evanw/esbuild/issues/2812), [#2865](https://github.com/evanw/esbuild/issues/2865))

Someone made an unofficial `esbuild` package for Linux that adds the `ESBUILD_BINARY_PATH=/usr/bin/esbuild` environment variable to the user's default environment. This breaks all npm installations of esbuild for users with this unofficial Linux package installed, which has affected many people. Most (all?) people who encounter this problem haven't even installed this unofficial package themselves; instead it was installed for them as a dependency of another Linux package. The problematic change to add the `ESBUILD_BINARY_PATH` environment variable was reverted in the latest version of this unofficial package. However, old versions of this unofficial package are still there and will be around forever. With this release, `ESBUILD_BINARY_PATH` is now ignored by esbuild's install script when it's set to the value `/usr/bin/esbuild`. This should unbreak using npm to install `esbuild` in these problematic Linux environments.

Note: The `ESBUILD_BINARY_PATH` variable is an undocumented way to override the location of esbuild's binary when esbuild's npm package is installed, which is necessary to substitute your own locally-built esbuild binary when debugging esbuild's npm package. It's only meant for very custom situations and should absolutely not be forced on others by default, especially without their knowledge. I may remove the code in esbuild's installer that reads `ESBUILD_BINARY_PATH` in the future to prevent these kinds of issues. It will unfortunately make debugging esbuild harder. If `ESBUILD_BINARY_PATH` is ever removed, it will be done in a "breaking change" release.

0.17.5

* Parse `const` type parameters from TypeScript 5.0

The TypeScript 5.0 beta announcement adds [`const` type parameters](https://devblogs.microsoft.com/typescript/announcing-typescript-5-0-beta/#const-type-parameters) to the language. You can now add the `const` modifier on a type parameter of a function, method, or class like this:

ts
type HasNames = { names: readonly string[] };
const getNamesExactly = <const T extends HasNames>(arg: T): T["names"] => arg.names;
const names = getNamesExactly({ names: ["Alice", "Bob", "Eve"] });


The type of `names` in the above example is `readonly ["Alice", "Bob", "Eve"]`. Marking the type parameter as `const` behaves as if you had written `as const` at every use instead. The above code is equivalent to the following TypeScript, which was the only option before TypeScript 5.0:

ts
type HasNames = { names: readonly string[] };
const getNamesExactly = <T extends HasNames>(arg: T): T["names"] => arg.names;
const names = getNamesExactly({ names: ["Alice", "Bob", "Eve"] } as const);


You can read [the announcement](https://devblogs.microsoft.com/typescript/announcing-typescript-5-0-beta/#const-type-parameters) for more information.

* Make parsing generic `async` arrow functions more strict in `.tsx` files

Previously esbuild's TypeScript parser incorrectly accepted the following code as valid:

tsx
let fn = async <T> () => {};


The official TypeScript parser rejects this code because it thinks it's the identifier `async` followed by a JSX element starting with `<T>`. So with this release, esbuild will now reject this syntax in `.tsx` files too. You'll now have to add a comma after the type parameter to get generic arrow functions like this to parse in `.tsx` files:

tsx
let fn = async <T,> () => {};


* Allow the `in` and `out` type parameter modifiers on class expressions

TypeScript 4.7 added the `in` and `out` modifiers on the type parameters of classes, interfaces, and type aliases. However, while TypeScript supported them on both class expressions and class statements, previously esbuild only supported them on class statements due to an oversight. This release now allows these modifiers on class expressions too:

ts
declare let Foo: any;
Foo = class <in T> { };
Foo = class <out T> { };


* Update `enum` constant folding for TypeScript 5.0

TypeScript 5.0 contains an [updated definition of what it considers a constant expression](https://github.com/microsoft/TypeScript/pull/50528):

> An expression is considered a *constant expression* if it is
>
> * a number or string literal,
> * a unary `+`, `-`, or `~` applied to a numeric constant expression,
> * a binary `+`, `-`, `*`, `/`, `%`, `**`, `<<`, `>>`, `>>>`, `|`, `&`, `^` applied to two numeric constant expressions,
> * a binary `+` applied to two constant expressions whereof at least one is a string,
> * a template expression where each substitution expression is a constant expression,
> * a parenthesized constant expression,
> * a dotted name (e.g. `x.y.z`) that references a `const` variable with a constant expression initializer and no type annotation,
> * a dotted name that references an enum member with an enum literal type, or
> * a dotted name indexed by a string literal (e.g. `x.y["z"]`) that references an enum member with an enum literal type.

This impacts esbuild's implementation of TypeScript's `const enum` feature. With this release, esbuild will now attempt to follow these new rules. For example, you can now initialize an `enum` member with a template literal expression that contains a numeric constant:

ts
// Original input
const enum Example {
COUNT = 100,
ERROR = `Expected ${COUNT} items`,
}
console.log(
Example.COUNT,
Example.ERROR,
)

// Old output (with --tree-shaking=true)
var Example = /* __PURE__ */ ((Example2) => {
Example2[Example2["COUNT"] = 100] = "COUNT";
Example2[Example2["ERROR"] = `Expected ${100 /* COUNT */} items`] = "ERROR";
return Example2;
})(Example || {});
console.log(
100 /* COUNT */,
Example.ERROR
);

// New output (with --tree-shaking=true)
console.log(
100 /* COUNT */,
"Expected 100 items" /* ERROR */
);


These rules are not followed exactly due to esbuild's limitations. The rule about dotted references to `const` variables is not followed both because esbuild's enum processing is done in an isolated module setting and because doing so would potentially require esbuild to use a type system, which it doesn't have. For example:

ts
// The TypeScript compiler inlines this but esbuild doesn't:
declare const x = 'foo'
const enum Foo { X = x }
console.log(Foo.X)


Also, the rule that requires converting numbers to a string currently only followed for 32-bit signed integers and non-finite numbers. This is done to avoid accidentally introducing a bug if esbuild's number-to-string operation doesn't exactly match the behavior of a real JavaScript VM. Currently esbuild's number-to-string constant folding is conservative for safety.

* Forbid definite assignment assertion operators on class methods

In TypeScript, class methods can use the `?` optional property operator but not the `!` definite assignment assertion operator (while class fields can use both):

ts
class Foo {
// These are valid TypeScript
a?
b!
x?() {}

// This is invalid TypeScript
y!() {}
}


Previously esbuild incorrectly allowed the definite assignment assertion operator with class methods. This will no longer be allowed starting with this release.

0.17.4

* Implement HTTP `HEAD` requests in serve mode ([2851](https://github.com/evanw/esbuild/issues/2851))

Previously esbuild's serve mode only responded to HTTP `GET` requests. With this release, esbuild's serve mode will also respond to HTTP `HEAD` requests, which are just like HTTP `GET` requests except that the body of the response is omitted.

* Permit top-level await in dead code branches ([2853](https://github.com/evanw/esbuild/issues/2853))

Adding top-level await to a file has a few consequences with esbuild:

1. It causes esbuild to assume that the input module format is ESM, since top-level await is only syntactically valid in ESM. That prevents you from using `module` and `exports` for exports and also enables strict mode, which disables certain syntax and changes how function hoisting works (among other things).
2. This will cause esbuild to fail the build if either top-level await isn't supported by your language target (e.g. it's not supported in ES2021) or if top-level await isn't supported by the chosen output format (e.g. it's not supported with CommonJS).
3. Doing this will prevent you from using `require()` on this file or on any file that imports this file (even indirectly), since the `require()` function doesn't return a promise and so can't represent top-level await.

This release relaxes these rules slightly: rules 2 and 3 will now no longer apply when esbuild has identified the code branch as dead code, such as when it's behind an `if (false)` check. This should make it possible to use esbuild to convert code into different output formats that only uses top-level await conditionally. This release does not relax rule 1. Top-level await will still cause esbuild to unconditionally consider the input module format to be ESM, even when the top-level `await` is in a dead code branch. This is necessary because whether the input format is ESM or not affects the whole file, not just the dead code branch.

* Fix entry points where the entire file name is the extension ([2861](https://github.com/evanw/esbuild/issues/2861))

Previously if you passed esbuild an entry point where the file extension is the entire file name, esbuild would use the parent directory name to derive the name of the output file. For example, if you passed esbuild a file `./src/.ts` then the output name would be `src.js`. This bug happened because esbuild first strips the file extension to get `./src/` and then joins the path with the working directory to get the absolute path (e.g. `join("/working/dir", "./src/")` gives `/working/dir/src`). However, the join operation also canonicalizes the path which strips the trailing `/`. Later esbuild uses the "base name" operation to extract the name of the output file. Since there is no trailing `/`, esbuild returns `"src"` as the base name instead of `""`, which causes esbuild to incorrectly include the directory name in the output file name. This release fixes this bug by deferring the stripping of the file extension until after all path manipulations have been completed. So now the file `./src/.ts` will generate an output file named `.js`.

* Support replacing property access expressions with inject

At a high level, this change means the `inject` feature can now replace all of the same kinds of names as the `define` feature. So `inject` is basically now a more powerful version of `define`, instead of previously only being able to do some of the things that `define` could do.

Soem background is necessary to understand this change if you aren't already familiar with the `inject` feature. The `inject` feature lets you replace references to global variable with a shim. It works like this:

1. Put the shim in its own file
2. Export the shim as the name of the global variable you intend to replace
3. Pass the file to esbuild using the `inject` feature

For example, if you inject the following file using `--inject:./injected.js`:

js
// injected.js
let processShim = { cwd: () => '/' }
export { processShim as process }


Then esbuild will replace all references to `process` with the `processShim` variable, which will cause `process.cwd()` to return `'/'`. This feature is sort of abusing the ESM export alias syntax to specify the mapping of global variables to shims. But esbuild works this way because using this syntax for that purpose is convenient and terse.

However, if you wanted to replace a property access expression, the process was more complicated and not as nice. You would have to:

1. Put the shim in its own file
2. Export the shim as some random name
3. Pass the file to esbuild using the `inject` feature
4. Use esbuild's `define` feature to map the property access expression to the random name you made in step 2

For example, if you inject the following file using `--inject:./injected2.js --define:process.cwd=someRandomName`:

js
// injected2.js
let cwdShim = () => '/'
export { cwdShim as someRandomName }


Then esbuild will replace all references to `process.cwd` with the `cwdShim` variable, which will also cause `process.cwd()` to return `'/'` (but which this time will not mess with other references to `process`, which might be desirable).

With this release, using the inject feature to replace a property access expression is now as simple as using it to replace an identifier. You can now use JavaScript's ["arbitrary module namespace identifier names"](https://github.com/tc39/ecma262/pull/2154) feature to specify the property access expression directly using a string literal. For example, if you inject the following file using `--inject:./injected3.js`:

js
// injected3.js
let cwdShim = () => '/'
export { cwdShim as 'process.cwd' }


Then esbuild will now replace all references to `process.cwd` with the `cwdShim` variable, which will also cause `process.cwd()` to return `'/'` (but which will also not mess with other references to `process`).

In addition to inserting a shim for a global variable that doesn't exist, another use case is replacing references to static methods on global objects with cached versions to both minify them better and to make access to them potentially faster. For example:

js
// Injected file
let cachedMin = Math.min
let cachedMax = Math.max
export {
cachedMin as 'Math.min',
cachedMax as 'Math.max',
}

// Original input
function clampRGB(r, g, b) {
return {
r: Math.max(0, Math.min(1, r)),
g: Math.max(0, Math.min(1, g)),
b: Math.max(0, Math.min(1, b)),
}
}

// Old output (with --minify)
function clampRGB(a,t,m){return{r:Math.max(0,Math.min(1,a)),g:Math.max(0,Math.min(1,t)),b:Math.max(0,Math.min(1,m))}}

// New output (with --minify)
var a=Math.min,t=Math.max;function clampRGB(h,M,m){return{r:t(0,a(1,h)),g:t(0,a(1,M)),b:t(0,a(1,m))}}

0.17.3

* Fix incorrect CSS minification for certain rules ([2838](https://github.com/evanw/esbuild/issues/2838))

Certain rules such as `media` could previously be minified incorrectly. Due to a typo in the duplicate rule checker, two known ``-rules that share the same hash code were incorrectly considered to be equal. This problem was made worse by the rule hashing code considering two unknown declarations (such as CSS variables) to have the same hash code, which also isn't optimal from a performance perspective. Both of these issues have been fixed:

css
/* Original input */
media (prefers-color-scheme: dark) { body { --VAR-1: 000; } }
media (prefers-color-scheme: dark) { body { --VAR-2: 000; } }

/* Old output (with --minify) */
media (prefers-color-scheme: dark){body{--VAR-2: 000}}

/* New output (with --minify) */
media (prefers-color-scheme: dark){body{--VAR-1: 000}}media (prefers-color-scheme: dark){body{--VAR-2: 000}}

Page 9 of 11

© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.