[Snyk] Upgrade esbuild from 0.18.13 to 0.18.14 #1
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR was automatically created by Snyk using the credentials of a real user.
Snyk has created this PR to upgrade esbuild from 0.18.13 to 0.18.14.
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
Release notes
Package name: esbuild
Implement local CSS names (#20)
This release introduces two new loaders called
global-css
andlocal-css
and two new pseudo-class selectors:local()
and:global()
. This is a partial implementation of the popular CSS modules approach for avoiding unintentional name collisions in CSS. I'm not calling this feature "CSS modules" because although some people in the community call it that, other people in the community have started using "CSS modules" to refer to something completely different and now CSS modules is an overloaded term.Here's how this new local CSS name feature works with esbuild:
Identifiers that look like
.className
and#idName
are global with theglobal-css
loader and local with thelocal-css
loader. Global identifiers are the same across all files (the way CSS normally works) but local identifiers are different between different files. If two separate CSS files use the same local identifier.button
, esbuild will automatically rename one of them so that they don't collide. This is analogous to how esbuild automatically renames JS local variables with the same name in separate JS files to avoid name collisions.It only makes sense to use local CSS names with esbuild when you are also using esbuild's bundler to bundle JS files that import CSS files. When you do that, esbuild will generate one export for each local name in the CSS file. The JS code can import these names and use them when constructing HTML DOM. For example:
When you bundle this with
esbuild app.js --bundle --loader:.css=local-css --outdir=out
you'll now get this (notice how the local CSS nameouterShell
has been renamed):(() => {
// app.css
var outerShell = "app_outerShell";
// app.js
var div = document.createElement("div");
div.className = outerShell;
document.body.appendChild(div);
})();
This feature only makes sense to use when bundling is enabled both because your code needs to
import
the renamed local names so that it can use them, and because esbuild needs to be able to process all CSS files containing local names in a single bundling operation so that it can successfully rename conflicting local names to avoid collisions.If you are in a global CSS file (with the
global-css
loader) you can create a local name using:local()
, and if you are in a local CSS file (with thelocal-css
loader) you can create a global name with:global()
. So the choice of theglobal-css
loader vs. thelocal-css
loader just sets the default behavior for identifiers, but you can override it on a case-by-case basis as necessary. For example:Processing this CSS file with esbuild with either the
global-css
orlocal-css
loader will result in something like this:The names that esbuild generates for local CSS names are an implementation detail and are not intended to be hard-coded anywhere. The only way you should be referencing the local CSS names in your JS or HTML is with an
import
statement in JS that is bundled with esbuild, as demonstrated above. For example, when--minify
is enabled esbuild will use a different name generation algorithm which generates names that are as short as possible (analogous to how esbuild minifies local identifiers in JS).You can easily use both global CSS files and local CSS files simultaneously if you give them different file extensions. For example, you could pass
--loader:.css=global-css
and--loader:.module.css=local-css
to esbuild so that.css
files still use global names by default but.module.css
files use local names by default.Keep in mind that the
css
loader is different than theglobal-css
loader. The:local
and:global
annotations are not enabled with thecss
loader and will be passed through unchanged. This allows you to have the option of using esbuild to process CSS containing while preserving these annotations. It also means that local CSS names are disabled by default for now (since thecss
loader is currently the default for CSS files). The:local
and:global
syntax may be enabled by default in a future release.Note that esbuild's implementation does not currently have feature parity with other implementations of modular CSS in similar tools. This is only a preliminary release with a partial implementation that includes some basic behavior to get the process started. Additional behavior may be added in future releases. In particular, this release does not implement:
composes
pragma@ container
,@ counter-style
, etc.Issue #20 (the issue for this feature) is esbuild's most-upvoted issue! While this release still leaves that issue open, it's an important first step in that direction.
Parse
:is
,:has
,:not
, and:where
in CSSWith this release, esbuild will now parse the contents of these pseudo-class selectors as a selector list. This means you will now get syntax warnings within these selectors for invalid selector syntax. It also means that esbuild's CSS nesting transform behaves slightly differently than before because esbuild is now operating on an AST instead of a token stream. For example:
div {
:where(.foo&) {
color: red;
}
}
/* Old output (with --target=chrome90) */
:where(.foo:is(div)) {
color: red;
}
/* New output (with --target=chrome90) */
:where(div.foo) {
color: red;
}
Add the
--drop-labels=
option (#2398)If you want to conditionally disable some development-only code and have it not be present in the final production bundle, right now the most straightforward way of doing this is to use the
--define:
flag along with a specially-named global variable. For example, consider the following code:You can build this for development and production like this:
esbuild --define:DEV=true
esbuild --define:DEV=false
One drawback of this approach is that the resulting code crashes if you don't provide a value for
DEV
with--define:
. In practice this isn't that big of a problem, and there are also various ways to work around this.However, another approach that avoids this drawback is to use JavaScript label statements instead. That's what the
--drop-labels=
flag implements. For example, consider the following code:With this release, you can now build this for development and production like this:
esbuild
esbuild --drop-labels=DEV
This means that code containing optional development-only checks can now be written such that it's safe to run without any additional configuration. The
--drop-labels=
flag takes comma-separated list of multiple label names to drop.Avoid causing
unhandledRejection
during shutdown (#3219)All pending esbuild JavaScript API calls are supposed to fail if esbuild's underlying child process is unexpectedly terminated. This can happen if
SIGINT
is sent to the parentnode
process with Ctrl+C, for example. Previously doing this could also cause an unhandled promise rejection when esbuild attempted to communicate this failure to its own child process that no longer exists. This release now swallows this communication failure, which should prevent this internal unhandled promise rejection. This change means that you can now use esbuild's JavaScript API with a customSIGINT
handler that extends the lifetime of thenode
process without esbuild's internals causing an early exit due to an unhandled promise rejection.Update browser compatibility table scripts
The scripts that esbuild uses to compile its internal browser compatibility table have been overhauled. Briefly:
caniuse-lite
and@ mdn/browser-compat-data
as new data sources (replacing manually-copied information)This change means it's now much easier to keep esbuild's internal compatibility tables up to date. You can review the table changes here if you need to debug something about this change:
Commit messages
Package name: esbuild
Compare
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.
For more information:
🧐 View latest project report
🛠 Adjust upgrade PR settings
🔕 Ignore this dependency or unsubscribe from future upgrade PRs