Restrict access to esbuild's development server (GHSA-67mh-4wv8-2f99)
This change addresses esbuild's first security vulnerability report. Previously esbuild set theAccess-Control-Allow-Origin header to* to allow esbuild's development server to be flexible in how it's used for development. However, this allows the websites you visit to make HTTP requests to esbuild's local development server, which gives read-only access to your source code if the website were to fetch your source code's specific URL. You can read more information inthe report.
Starting with this release,CORS will now be disabled, and requests will now be denied if the host does not match the one provided to--serve=. The default host is0.0.0.0, which refers to all of the IP addresses that represent the local machine (e.g. both127.0.0.1 and192.168.0.1). If you want to customize anything about esbuild's development server, you canput a proxy in front of esbuild and modify the incoming and/or outgoing requests.
In addition, theserve() API call has been changed to return an array ofhosts instead of a singlehost string. This makes it possible to determine all of the hosts that esbuild's development server will accept.
Thanks to@sapphi-red for reporting this issue.
Delete output files when a build fails in watch mode (#3643)
It has been requested for esbuild to delete files when a build fails in watch mode. Previously esbuild left the old files in place, which could cause people to not immediately realize that the most recent build failed. With this release, esbuild will now delete all output files if a rebuild fails. Fixing the build error and triggering another rebuild will restore all output files again.
Fix correctness issues with the CSS nesting transform (#3620,#3877,#3933,#3997,#4005,#4037,#4038)
This release fixes the following problems:
Naive expansion of CSS nesting can result in an exponential blow-up of generated CSS if each nesting level has multiple selectors. Previously esbuild sometimes collapsed individual nesting levels using:is() to limit expansion. However, this collapsing wasn't correct in some cases, so it has been removed to fix correctness issues.
/* Original code */.parent {> .a,> .b1> .b2 {color: red; }}/* Old output (with --supported:nesting=false) */.parent>:is(.a, .b1> .b2) {color: red;}/* New output (with --supported:nesting=false) */.parent> .a,.parent> .b1> .b2 {color: red;}Thanks to@tim-we for working on a fix.
The& CSS nesting selector can be repeated multiple times to increase CSS specificity. Previously esbuild ignored this possibility and incorrectly considered&& to have the same specificity as&. With this release, this should now work correctly:
/* Original code (color should be red) */div {&& {color: red }& {color: blue }}/* Old output (with --supported:nesting=false) */div {color: red;}div {color: blue;}/* New output (with --supported:nesting=false) */div:is(div) {color: red;}div {color: blue;}Thanks to@CPunisher for working on a fix.
Previously transforming nested CSS incorrectly removed leading combinators from within pseudoclass selectors such as:where(). This edge case has been fixed and how has test coverage.
/* Original code */ab:has(>span) { a& {color: green; }}/* Old output (with --supported:nesting=false) */a:is(ab:has(span)) {color: green;}/* New output (with --supported:nesting=false) */a:is(ab:has(>span)) {color: green;}This fix was contributed by@NoremacNergfol.
The CSS minifier contains logic to remove the& selector when it can be implied, which happens when there is only one and it's the leading token. However, this logic was incorrectly also applied to selector lists inside of pseudo-class selectors such as:where(). With this release, the minifier will now avoid applying this logic in this edge case:
/* Original code */.a {& .b {color: red }:where(& .b) {color: blue }}/* Old output (with --minify) */.a{.b{color:red}:where(.b){color:#​00f}}/* New output (with --minify) */.a{.b{color:red}:where(& .b){color:#​00f}}
Fix some correctness issues with source maps (#1745,#3183,#3613,#3982)
Previously esbuild incorrectly treated source map path references as file paths instead of as URLs. With this release, esbuild will now treat source map path references as URLs. This fixes the following problems with source maps:
File names insourceMappingURL that contained a space previously did not encode the space as%20, which resulted in JavaScript tools (including esbuild) failing to read that path back in when consuming the generated output file. This should now be fixed.
Absolute URLs insourceMappingURL that use thefile:// scheme previously attempted to read from a folder calledfile:. These URLs should now be recognized and parsed correctly.
Entries in thesources array in the source map are now treated as URLs instead of file paths. The correct behavior for this is much more clear now that source maps has aformal specification. Many thanks to those who worked on the specification.
Fix incorrect package for@esbuild/netbsd-arm64 (#4018)
Due to a copy+paste typo, the binary published to@esbuild/netbsd-arm64 was not actually forarm64, and didn't run in that environment. This release should fix running esbuild in that environment (NetBSD on 64-bit ARM). Sorry about the mistake.
Fix a minification bug with bitwise operators and bigints (#4065)
This change removes an incorrect assumption in esbuild that all bitwise operators result in a numeric integer. That assumption was correct up until the introduction of bigints in ES2020, but is no longer correct because almost all bitwise operators now operate on both numbers and bigints. Here's an example of the incorrect minification:
// Original codeif((a&b)!==0)found=true// Old output (with --minify)a&b&&(found=!0);// New output (with --minify)(a&b)!==0&&(found=!0);
Fix esbuild incorrectly rejecting valid TypeScript edge case (#4027)
The following TypeScript code is valid:
exportfunctionopen(async?:boolean):void{console.log(asyncasboolean)}Before this version, esbuild would fail to parse this with a syntax error as it expected the token sequenceasync as ... to be the start of an async arrow function expressionasync as => .... This edge case should be parsed correctly by esbuild starting with this release.
Transform BigInt values into constructor calls when unsupported (#4049)
Previously esbuild would refuse to compile the BigInt literals (such as123n) if they are unsupported in the configured target environment (such as with--target=es6). The rationale was that they cannot be polyfilled effectively because they change the behavior of JavaScript's arithmetic operators and JavaScript doesn't have operator overloading.
However, this prevents using esbuild with certain libraries that would otherwise work if BigInt literals were ignored, such as with old versions of thebuffer library before the library fixed support for running in environments without BigInt support. So with this release, esbuild will now turn BigInt literals into BigInt constructor calls (so123n becomesBigInt(123)) and generate a warning in this case. You can turn off the warning with--log-override:bigint=silent or restore the warning to an error with--log-override:bigint=error if needed.
Change howconsole API dropping works (#4020)
Previously the--drop:console feature replaced all method calls off of theconsole global withundefined regardless of how long the property access chain was (so it applied toconsole.log() andconsole.log.call(console) andconsole.log.not.a.method()). However, it was pointed out that this breaks uses ofconsole.log.bind(console). That's also incompatible with Terser's implementation of the feature, which is where this feature originally came from (it does supportbind). So with this release, using this feature with esbuild will now only replace one level of method call (unless extended bycall orapply) and will replace the method being called with an empty function in complex cases:
// Original codeconstx=console.log('x')consty=console.log.call(console,'y')constz=console.log.bind(console)('z')// Old output (with --drop-console)constx=void0;consty=void0;constz=(void0)("z");// New output (with --drop-console)constx=void0;consty=void0;constz=(()=>{}).bind(console)("z");This should more closely match Terser's existing behavior.
Allow BigInt literals asdefine values
With this release, you can now use BigInt literals as define values, such as with--define:FOO=123n. Previously trying to do this resulted in a syntax error.
Fix a bug with resolve extensions innode_modules (#4053)
The--resolve-extensions= option lets you specify the order in which to try resolving implicit file extensions. For complicated reasons, esbuild reorders TypeScript file extensions after JavaScript ones inside ofnode_modules so that JavaScript source code is always preferred to TypeScript source code inside of dependencies. However, this reordering had a bug that could accidentally change the relative order of TypeScript file extensions if one of them was a prefix of the other. That bug has been fixed in this release. You can see the issue for details.
Better minification of statically-determinedswitch cases (#4028)
With this release, esbuild will now try to trim unused code withinswitch statements when the test expression andcase expressions are primitive literals. This can arise when the test expression is an identifier that is substituted for a primitive literal at compile time. For example:
// Original codeswitch(MODE){case'dev':installDevToolsConsole()breakcase'prod':returndefault:thrownewError}// Old output (with --minify '--define:MODE="prod"')switch("prod"){case"dev":installDevToolsConsole();break;case"prod":return;default:thrownewError}// New output (with --minify '--define:MODE="prod"')return;Emit/* @​__KEY__ */ for string literals derived from property names (#4034)
Property name mangling is an advanced feature that shortens certain property names for better minification (I say "advanced feature" because it's very easy to break your code with it). Sometimes you need to store a property name in a string, such asobj.get('foo') instead ofobj.foo. JavaScript minifiers such as esbuild andTerser have a convention where a/* @​__KEY__ */ comment before the string makes it behave like a property name. Soobj.get(/* @​__KEY__ */ 'foo') allows the contents of the string'foo' to be shortened.
However, esbuild sometimes itself generates string literals containing property names when transforming code, such as when lowering class fields to ES6 or when transforming TypeScript decorators. Previously esbuild didn't generate its own/* @​__KEY__ */ comments in this case, which means that minifying your code by running esbuild again on its own output wouldn't work correctly (this does not affect people that both minify and transform their code in a single step).
With this release, esbuild will now generate/* @​__KEY__ */ comments for property names in generated string literals. To avoid lots of unnecessary output for people that don't use this advanced feature, the generated comments will only be present when the feature is active. If you want to generate the comments but not actually mangle any property names, you can use a flag that has no effect such as--reserve-props=., which tells esbuild to not mangle any property names (but still activates this feature).
Thetext loader now strips the UTF-8 BOM if present (#3935)
Some software (such as Notepad on Windows) can create text files that start with the three bytes0xEF 0xBB 0xBF, which is referred to as the "byte order mark". This prefix is intended to be removed before using the text. Previously esbuild'stext loader included this byte sequence in the string, which turns into a prefix of\uFEFF in a JavaScript string when decoded from UTF-8. With this release, esbuild'stext loader will now remove these bytes when they occur at the start of the file.
Omit legal comment output files when empty (#3670)
Previously configuring esbuild with--legal-comment=external or--legal-comment=linked would always generate a.LEGAL.txt output file even if it was empty. Starting with this release, esbuild will now only do this if the file will be non-empty. This should result in a more organized output directory in some cases.
Update Go from 1.23.1 to 1.23.5 (#4056,#4057)
This should have no effect on existing code as this version change does not change Go's operating system support. It may remove certain reports from vulnerability scanners that detect which version of the Go compiler esbuild uses.
This PR was contributed by@MikeWillCook.
Allow passing a port of 0 to the development server (#3692)
Unix sockets interpret a port of 0 to mean "pick a random unused port in theephemeral port range". However, esbuild's default behavior when the port is not specified is to pick the first unused port starting from 8000 and upward. This is more convenient because port 8000 is typically free, so you can for example restart the development server and reload your app in the browser without needing to change the port in the URL. Since esbuild is written in Go (which does not have optional fields like JavaScript), not specifying the port in Go means it defaults to 0, so previously passing a port of 0 to esbuild caused port 8000 to be picked.
Starting with this release, passing a port of 0 to esbuild when using the CLI or the JS API will now pass port 0 to the OS, which will pick a random ephemeral port. To make this possible, thePort option in the Go API has been changed fromuint16 toint (to allow for additional sentinel values) and passing a port of -1 in Go now picks a random port. Both the CLI and JS APIs now remap an explicitly-provided port of 0 into -1 for the internal Go API.
Another option would have been to changePort in Go fromuint16 to*uint16 (Go's closest equivalent ofnumber | undefined). However, that would make the common case of providing an explicit port in Go very awkward as Go doesn't support taking the address of integer constants. This tradeoff isn't worth it as picking a random ephemeral port is a rare use case. So the CLI and JS APIs should now match standard Unix behavior when the port is 0, but you need to use -1 instead with Go API.
Minification now avoids inlining constants with directeval (#4055)
Directeval can be used to introduce a new variable like this:
constvariable=false;(function(){eval("var variable = true")console.log(variable)})()Previously esbuild inlinedvariable here (which becamefalse), which changed the behavior of the code. This inlining is now avoided, but please keep in mind that directeval breaks many assumptions that JavaScript tools hold about normal code (especially when bundling) and I do not recommend using it. There are usually better alternatives that have a more localized impact on your code. You can read more about this here:https://esbuild.github.io/link/direct-eval/
Allowes2024 as a target intsconfig.json (#4004)
TypeScript recentlyaddedes2024 as a compilation target, so esbuild now supports this in thetarget field oftsconfig.json files, such as in the following configuration file:
{"compilerOptions": {"target":"ES2024" }}As a reminder, the only thing that esbuild uses this field for is determining whether or not to use legacy TypeScript behavior for class fields. You can read more inthe documentation.
This fix was contributed by@billyjanitsch.
Allow automatic semicolon insertion afterget/set
This change fixes a grammar bug in the parser that incorrectly treated the following code as a syntax error:
classFoo{get*x(){}set*y(){}}The above code will be considered valid starting with this release. This change to esbuild follows asimilar change to TypeScript which will allow this syntax starting with TypeScript 5.7.
Allow quoted property names in--define and--pure (#4008)
Thedefine andpure API options now accept identifier expressions containing quoted property names. Previously all identifiers in the identifier expression had to be bare identifiers. This change now makes--define and--pure consistent with--global-name, which already supported quoted property names. For example, the following is now possible:
// The following code now transforms to "return true;\n"console.log(esbuild.transformSync(`return process.env['SOME-TEST-VAR']`,{define:{'process.env["SOME-TEST-VAR"]':'true'}},))Note that if you're passing values like this on the command line using esbuild's--define flag, then you'll need to know how to escape quote characters for your shell. You may find esbuild's JavaScript API more ergonomic and portable than writing shell code.
Minify emptytry/catch/finally blocks (#4003)
With this release, esbuild will now attempt to minify emptytry blocks:
// Original codetry{}catch{foo()}finally{bar()}// Old output (with --minify)try{}catch{foo()}finally{bar()}// New output (with --minify)bar();This can sometimes expose additional minification opportunities.
IncludeentryPoint metadata for thecopy loader (#3985)
Almost all entry points already include aentryPoint field in theoutputs map in esbuild's build metadata. However, this wasn't the case for thecopy loader as that loader is a special-case that doesn't behave like other loaders. This release adds theentryPoint field in this case.
Source mappings may now containnull entries (#3310,#3878)
With this change, sources that result in an empty source map may now emit anull source mapping (i.e. one with a generated position but without a source index or original position). This change improves source map accuracy by fixing a problem where minified code from a source without any source mappings could potentially still be associated with a mapping from another source file earlier in the generated output on the same minified line. It manifests as nonsensical files in source mapped stack traces. Now thenull mapping "resets" the source map so that any lookups into the minified code without any mappings resolves tonull (which appears as the output file in stack traces) instead of the incorrect source file.
This change shouldn't affect anything in most situations. I'm only mentioning it in the release notes in case it introduces a bug with source mapping. It's part of a work-in-progress future feature that will let you omit certain unimportant files from the generated source map to reduce source map size.
Avoid using the parent directory name for determinism (#3998)
To make generated code more readable, esbuild includes the name of the source file when generating certain variable names within the file. Specifically bundling a CommonJS file generates a variable to store the lazily-evaluated module initializer. However, if a file is namedindex.js (or with a different extension), esbuild will use the name of the parent directory instead for a better name (since many packages have files all namedindex.js but have unique directory names).
This is problematic when the bundle entry point is namedindex.js and the parent directory name is non-deterministic (e.g. a temporary directory created by a build script). To avoid non-determinism in esbuild's output, esbuild will now useindex instead of the parent directory in this case. Specifically this will happen if the parent directory is equal to esbuild'soutbase API option, which defaults to thelowest common ancestor of all user-specified entry point paths.
Experimental support for esbuild on NetBSD (#3974)
With this release, esbuild now has a published binary executable forNetBSD in the@esbuild/netbsd-arm64 npm package, and esbuild's installer has been modified to attempt to use it when on NetBSD. Hopefully this makes installing esbuild via npm work on NetBSD. This change was contributed by@bsiegert.
⚠️ Note: NetBSD is not one ofNode's supported platforms, so installing esbuild may or may not work on NetBSD depending on how Node has been patched. This is not a problem with esbuild.⚠️
Drop support for older platforms (#3902)
This release drops support for the following operating system:
This is because the Go programming language dropped support for this operating system version in Go 1.23, and this release updates esbuild from Go 1.22 to Go 1.23. Go 1.23 now requires macOS 11 Big Sur or later.
Note that this only affects the binary esbuild executables that are published to the esbuild npm package. It's still possible to compile esbuild's source code for these older operating systems. If you need to, you can compile esbuild for yourself using an older version of the Go compiler (before Go version 1.23). That might look something like this:
git clone https://github.com/evanw/esbuild.gitcd esbuildgo build ./cmd/esbuild./esbuild --version
Fix class field decorators in TypeScript ifuseDefineForClassFields isfalse (#3913)
Setting theuseDefineForClassFields flag tofalse intsconfig.json means class fields use the legacy TypeScript behavior instead of the standard JavaScript behavior. Specifically they use assign semantics instead of define semantics (e.g. setters are triggered) and fields without an initializer are not initialized at all. However, when this legacy behavior is combined with standard JavaScript decorators, TypeScript switches to always initializing all fields, even those without initializers. Previously esbuild incorrectly continued to omit field initializers for this edge case. These field initializers in this case should now be emitted starting with this release.
Avoid incorrect cycle warning withtsconfig.json multiple inheritance (#3898)
TypeScript 5.0 introduced multiple inheritance fortsconfig.json files whereextends can be an array of file paths. Previously esbuild would incorrectly treat files encountered more than once when processing separate subtrees of the multiple inheritance hierarchy as an inheritance cycle. With this release,tsconfig.json files containing this edge case should work correctly without generating a warning.
Handle Yarn Plug'n'Play stack overflow withtsconfig.json (#3915)
Previously atsconfig.json file thatextends another file in a package with anexports map could cause a stack overflow when Yarn's Plug'n'Play resolution was active. This edge case should work now starting with this release.
Work around more issues with Deno 1.31+ (#3917)
This version of Deno broke thestdin andstdout properties on command objects for inherited streams, which matters when you run esbuild's Deno module as the entry point (i.e. whenimport.meta.main istrue). Previously esbuild would crash in Deno 1.31+ if you ran esbuild like that. This should be fixed starting with this release.
This fix was contributed by@Joshix-1.
Uh oh!
There was an error while loading.Please reload this page.
This PR contains the following updates:
^0.23.1->^0.25.0GitHub Vulnerability Alerts
GHSA-67mh-4wv8-2f99
Summary
esbuild allows any websites to send any request to the development server and read the response due to default CORS settings.
Details
esbuild sets
Access-Control-Allow-Origin: *header to all requests, including the SSE connection, which allows any websites to send any request to the development server and read the response.https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L121
https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L363
Attack scenario:
http://malicious.example.com).fetch('http://127.0.0.1:8000/main.js')request by JS in that malicious web page. This request is normally blocked by same-origin policy, but that's not the case for the reasons above.http://127.0.0.1:8000/main.js.In this scenario, I assumed that the attacker knows the URL of the bundle output file name. But the attacker can also get that information by
/index.html: normally you have a script tag here/assets: it's common to have aassetsdirectory when you have JS files and CSS files in a different directory and the directory listing feature tells the attacker the list of files/esbuildSSE endpoint: the SSE endpoint sends the URL path of the changed files when the file is changed (new EventSource('/esbuild').addEventListener('change', e => console.log(e.type, e.data)))The scenario above fetches the compiled content, but if the victim has the source map option enabled, the attacker can also get the non-compiled content by fetching the source map file.
PoC
npm inpm run watchfetch('http://127.0.0.1:8000/app.js').then(r => r.text()).then(content => console.log(content))in a different website's dev tools.Impact
Users using the serve feature may get the source code stolen by malicious websites.
Release Notes
evanw/esbuild (esbuild)
v0.25.0Compare Source
This release deliberately contains backwards-incompatible changes. To avoid automatically picking up releases like this, you should either be pinning the exact version of
esbuildin yourpackage.jsonfile (recommended) or be using a version range syntax that only accepts patch upgrades such as^0.24.0or~0.24.0. See npm's documentation aboutsemver for more information.Restrict access to esbuild's development server (GHSA-67mh-4wv8-2f99)
This change addresses esbuild's first security vulnerability report. Previously esbuild set the
Access-Control-Allow-Originheader to*to allow esbuild's development server to be flexible in how it's used for development. However, this allows the websites you visit to make HTTP requests to esbuild's local development server, which gives read-only access to your source code if the website were to fetch your source code's specific URL. You can read more information inthe report.Starting with this release,CORS will now be disabled, and requests will now be denied if the host does not match the one provided to
--serve=. The default host is0.0.0.0, which refers to all of the IP addresses that represent the local machine (e.g. both127.0.0.1and192.168.0.1). If you want to customize anything about esbuild's development server, you canput a proxy in front of esbuild and modify the incoming and/or outgoing requests.In addition, the
serve()API call has been changed to return an array ofhostsinstead of a singlehoststring. This makes it possible to determine all of the hosts that esbuild's development server will accept.Thanks to@sapphi-red for reporting this issue.
Delete output files when a build fails in watch mode (#3643)
It has been requested for esbuild to delete files when a build fails in watch mode. Previously esbuild left the old files in place, which could cause people to not immediately realize that the most recent build failed. With this release, esbuild will now delete all output files if a rebuild fails. Fixing the build error and triggering another rebuild will restore all output files again.
Fix correctness issues with the CSS nesting transform (#3620,#3877,#3933,#3997,#4005,#4037,#4038)
This release fixes the following problems:
Naive expansion of CSS nesting can result in an exponential blow-up of generated CSS if each nesting level has multiple selectors. Previously esbuild sometimes collapsed individual nesting levels using
:is()to limit expansion. However, this collapsing wasn't correct in some cases, so it has been removed to fix correctness issues.Thanks to@tim-we for working on a fix.
The
&CSS nesting selector can be repeated multiple times to increase CSS specificity. Previously esbuild ignored this possibility and incorrectly considered&&to have the same specificity as&. With this release, this should now work correctly:Thanks to@CPunisher for working on a fix.
Previously transforming nested CSS incorrectly removed leading combinators from within pseudoclass selectors such as
:where(). This edge case has been fixed and how has test coverage.This fix was contributed by@NoremacNergfol.
The CSS minifier contains logic to remove the
&selector when it can be implied, which happens when there is only one and it's the leading token. However, this logic was incorrectly also applied to selector lists inside of pseudo-class selectors such as:where(). With this release, the minifier will now avoid applying this logic in this edge case:Fix some correctness issues with source maps (#1745,#3183,#3613,#3982)
Previously esbuild incorrectly treated source map path references as file paths instead of as URLs. With this release, esbuild will now treat source map path references as URLs. This fixes the following problems with source maps:
File names in
sourceMappingURLthat contained a space previously did not encode the space as%20, which resulted in JavaScript tools (including esbuild) failing to read that path back in when consuming the generated output file. This should now be fixed.Absolute URLs in
sourceMappingURLthat use thefile://scheme previously attempted to read from a folder calledfile:. These URLs should now be recognized and parsed correctly.Entries in the
sourcesarray in the source map are now treated as URLs instead of file paths. The correct behavior for this is much more clear now that source maps has aformal specification. Many thanks to those who worked on the specification.Fix incorrect package for
@esbuild/netbsd-arm64(#4018)Due to a copy+paste typo, the binary published to
@esbuild/netbsd-arm64was not actually forarm64, and didn't run in that environment. This release should fix running esbuild in that environment (NetBSD on 64-bit ARM). Sorry about the mistake.Fix a minification bug with bitwise operators and bigints (#4065)
This change removes an incorrect assumption in esbuild that all bitwise operators result in a numeric integer. That assumption was correct up until the introduction of bigints in ES2020, but is no longer correct because almost all bitwise operators now operate on both numbers and bigints. Here's an example of the incorrect minification:
Fix esbuild incorrectly rejecting valid TypeScript edge case (#4027)
The following TypeScript code is valid:
Before this version, esbuild would fail to parse this with a syntax error as it expected the token sequence
async as ...to be the start of an async arrow function expressionasync as => .... This edge case should be parsed correctly by esbuild starting with this release.Transform BigInt values into constructor calls when unsupported (#4049)
Previously esbuild would refuse to compile the BigInt literals (such as
123n) if they are unsupported in the configured target environment (such as with--target=es6). The rationale was that they cannot be polyfilled effectively because they change the behavior of JavaScript's arithmetic operators and JavaScript doesn't have operator overloading.However, this prevents using esbuild with certain libraries that would otherwise work if BigInt literals were ignored, such as with old versions of the
bufferlibrary before the library fixed support for running in environments without BigInt support. So with this release, esbuild will now turn BigInt literals into BigInt constructor calls (so123nbecomesBigInt(123)) and generate a warning in this case. You can turn off the warning with--log-override:bigint=silentor restore the warning to an error with--log-override:bigint=errorif needed.Change how
consoleAPI dropping works (#4020)Previously the
--drop:consolefeature replaced all method calls off of theconsoleglobal withundefinedregardless of how long the property access chain was (so it applied toconsole.log()andconsole.log.call(console)andconsole.log.not.a.method()). However, it was pointed out that this breaks uses ofconsole.log.bind(console). That's also incompatible with Terser's implementation of the feature, which is where this feature originally came from (it does supportbind). So with this release, using this feature with esbuild will now only replace one level of method call (unless extended bycallorapply) and will replace the method being called with an empty function in complex cases:This should more closely match Terser's existing behavior.
Allow BigInt literals as
definevaluesWith this release, you can now use BigInt literals as define values, such as with
--define:FOO=123n. Previously trying to do this resulted in a syntax error.Fix a bug with resolve extensions in
node_modules(#4053)The
--resolve-extensions=option lets you specify the order in which to try resolving implicit file extensions. For complicated reasons, esbuild reorders TypeScript file extensions after JavaScript ones inside ofnode_modulesso that JavaScript source code is always preferred to TypeScript source code inside of dependencies. However, this reordering had a bug that could accidentally change the relative order of TypeScript file extensions if one of them was a prefix of the other. That bug has been fixed in this release. You can see the issue for details.Better minification of statically-determined
switchcases (#4028)With this release, esbuild will now try to trim unused code within
switchstatements when the test expression andcaseexpressions are primitive literals. This can arise when the test expression is an identifier that is substituted for a primitive literal at compile time. For example:Emit
/* @​__KEY__ */for string literals derived from property names (#4034)Property name mangling is an advanced feature that shortens certain property names for better minification (I say "advanced feature" because it's very easy to break your code with it). Sometimes you need to store a property name in a string, such as
obj.get('foo')instead ofobj.foo. JavaScript minifiers such as esbuild andTerser have a convention where a/* @​__KEY__ */comment before the string makes it behave like a property name. Soobj.get(/* @​__KEY__ */ 'foo')allows the contents of the string'foo'to be shortened.However, esbuild sometimes itself generates string literals containing property names when transforming code, such as when lowering class fields to ES6 or when transforming TypeScript decorators. Previously esbuild didn't generate its own
/* @​__KEY__ */comments in this case, which means that minifying your code by running esbuild again on its own output wouldn't work correctly (this does not affect people that both minify and transform their code in a single step).With this release, esbuild will now generate
/* @​__KEY__ */comments for property names in generated string literals. To avoid lots of unnecessary output for people that don't use this advanced feature, the generated comments will only be present when the feature is active. If you want to generate the comments but not actually mangle any property names, you can use a flag that has no effect such as--reserve-props=., which tells esbuild to not mangle any property names (but still activates this feature).The
textloader now strips the UTF-8 BOM if present (#3935)Some software (such as Notepad on Windows) can create text files that start with the three bytes
0xEF 0xBB 0xBF, which is referred to as the "byte order mark". This prefix is intended to be removed before using the text. Previously esbuild'stextloader included this byte sequence in the string, which turns into a prefix of\uFEFFin a JavaScript string when decoded from UTF-8. With this release, esbuild'stextloader will now remove these bytes when they occur at the start of the file.Omit legal comment output files when empty (#3670)
Previously configuring esbuild with
--legal-comment=externalor--legal-comment=linkedwould always generate a.LEGAL.txtoutput file even if it was empty. Starting with this release, esbuild will now only do this if the file will be non-empty. This should result in a more organized output directory in some cases.Update Go from 1.23.1 to 1.23.5 (#4056,#4057)
This should have no effect on existing code as this version change does not change Go's operating system support. It may remove certain reports from vulnerability scanners that detect which version of the Go compiler esbuild uses.
This PR was contributed by@MikeWillCook.
Allow passing a port of 0 to the development server (#3692)
Unix sockets interpret a port of 0 to mean "pick a random unused port in theephemeral port range". However, esbuild's default behavior when the port is not specified is to pick the first unused port starting from 8000 and upward. This is more convenient because port 8000 is typically free, so you can for example restart the development server and reload your app in the browser without needing to change the port in the URL. Since esbuild is written in Go (which does not have optional fields like JavaScript), not specifying the port in Go means it defaults to 0, so previously passing a port of 0 to esbuild caused port 8000 to be picked.
Starting with this release, passing a port of 0 to esbuild when using the CLI or the JS API will now pass port 0 to the OS, which will pick a random ephemeral port. To make this possible, the
Portoption in the Go API has been changed fromuint16toint(to allow for additional sentinel values) and passing a port of -1 in Go now picks a random port. Both the CLI and JS APIs now remap an explicitly-provided port of 0 into -1 for the internal Go API.Another option would have been to change
Portin Go fromuint16to*uint16(Go's closest equivalent ofnumber | undefined). However, that would make the common case of providing an explicit port in Go very awkward as Go doesn't support taking the address of integer constants. This tradeoff isn't worth it as picking a random ephemeral port is a rare use case. So the CLI and JS APIs should now match standard Unix behavior when the port is 0, but you need to use -1 instead with Go API.Minification now avoids inlining constants with direct
eval(#4055)Direct
evalcan be used to introduce a new variable like this:Previously esbuild inlined
variablehere (which becamefalse), which changed the behavior of the code. This inlining is now avoided, but please keep in mind that directevalbreaks many assumptions that JavaScript tools hold about normal code (especially when bundling) and I do not recommend using it. There are usually better alternatives that have a more localized impact on your code. You can read more about this here:https://esbuild.github.io/link/direct-eval/v0.24.2Compare Source
Fix regression with
--defineandimport.meta(#4010,#4012,#4013)The previous change in version 0.24.1 to use a more expression-like parser for
definevalues to allow quoted property names introduced a regression that removed the ability to use--define:import.meta=.... Even thoughimportis normally a keyword that can't be used as an identifier, ES modules special-case theimport.metaexpression to behave like an identifier anyway. This change fixes the regression.This fix was contributed by@sapphi-red.
v0.24.1Compare Source
Allow
es2024as a target intsconfig.json(#4004)TypeScript recentlyadded
es2024as a compilation target, so esbuild now supports this in thetargetfield oftsconfig.jsonfiles, such as in the following configuration file:{"compilerOptions": {"target":"ES2024" }}As a reminder, the only thing that esbuild uses this field for is determining whether or not to use legacy TypeScript behavior for class fields. You can read more inthe documentation.
This fix was contributed by@billyjanitsch.
Allow automatic semicolon insertion after
get/setThis change fixes a grammar bug in the parser that incorrectly treated the following code as a syntax error:
The above code will be considered valid starting with this release. This change to esbuild follows asimilar change to TypeScript which will allow this syntax starting with TypeScript 5.7.
Allow quoted property names in
--defineand--pure(#4008)The
defineandpureAPI options now accept identifier expressions containing quoted property names. Previously all identifiers in the identifier expression had to be bare identifiers. This change now makes--defineand--pureconsistent with--global-name, which already supported quoted property names. For example, the following is now possible:Note that if you're passing values like this on the command line using esbuild's
--defineflag, then you'll need to know how to escape quote characters for your shell. You may find esbuild's JavaScript API more ergonomic and portable than writing shell code.Minify empty
try/catch/finallyblocks (#4003)With this release, esbuild will now attempt to minify empty
tryblocks:This can sometimes expose additional minification opportunities.
Include
entryPointmetadata for thecopyloader (#3985)Almost all entry points already include a
entryPointfield in theoutputsmap in esbuild's build metadata. However, this wasn't the case for thecopyloader as that loader is a special-case that doesn't behave like other loaders. This release adds theentryPointfield in this case.Source mappings may now contain
nullentries (#3310,#3878)With this change, sources that result in an empty source map may now emit a
nullsource mapping (i.e. one with a generated position but without a source index or original position). This change improves source map accuracy by fixing a problem where minified code from a source without any source mappings could potentially still be associated with a mapping from another source file earlier in the generated output on the same minified line. It manifests as nonsensical files in source mapped stack traces. Now thenullmapping "resets" the source map so that any lookups into the minified code without any mappings resolves tonull(which appears as the output file in stack traces) instead of the incorrect source file.This change shouldn't affect anything in most situations. I'm only mentioning it in the release notes in case it introduces a bug with source mapping. It's part of a work-in-progress future feature that will let you omit certain unimportant files from the generated source map to reduce source map size.
Avoid using the parent directory name for determinism (#3998)
To make generated code more readable, esbuild includes the name of the source file when generating certain variable names within the file. Specifically bundling a CommonJS file generates a variable to store the lazily-evaluated module initializer. However, if a file is named
index.js(or with a different extension), esbuild will use the name of the parent directory instead for a better name (since many packages have files all namedindex.jsbut have unique directory names).This is problematic when the bundle entry point is named
index.jsand the parent directory name is non-deterministic (e.g. a temporary directory created by a build script). To avoid non-determinism in esbuild's output, esbuild will now useindexinstead of the parent directory in this case. Specifically this will happen if the parent directory is equal to esbuild'soutbaseAPI option, which defaults to thelowest common ancestor of all user-specified entry point paths.Experimental support for esbuild on NetBSD (#3974)
With this release, esbuild now has a published binary executable forNetBSD in the
@esbuild/netbsd-arm64npm package, and esbuild's installer has been modified to attempt to use it when on NetBSD. Hopefully this makes installing esbuild via npm work on NetBSD. This change was contributed by@bsiegert.v0.24.0Compare Source
This release deliberately contains backwards-incompatible changes. To avoid automatically picking up releases like this, you should either be pinning the exact version of
esbuildin yourpackage.jsonfile (recommended) or be using a version range syntax that only accepts patch upgrades such as^0.23.0or~0.23.0. See npm's documentation aboutsemver for more information.Drop support for older platforms (#3902)
This release drops support for the following operating system:
This is because the Go programming language dropped support for this operating system version in Go 1.23, and this release updates esbuild from Go 1.22 to Go 1.23. Go 1.23 now requires macOS 11 Big Sur or later.
Note that this only affects the binary esbuild executables that are published to the esbuild npm package. It's still possible to compile esbuild's source code for these older operating systems. If you need to, you can compile esbuild for yourself using an older version of the Go compiler (before Go version 1.23). That might look something like this:
Fix class field decorators in TypeScript if
useDefineForClassFieldsisfalse(#3913)Setting the
useDefineForClassFieldsflag tofalseintsconfig.jsonmeans class fields use the legacy TypeScript behavior instead of the standard JavaScript behavior. Specifically they use assign semantics instead of define semantics (e.g. setters are triggered) and fields without an initializer are not initialized at all. However, when this legacy behavior is combined with standard JavaScript decorators, TypeScript switches to always initializing all fields, even those without initializers. Previously esbuild incorrectly continued to omit field initializers for this edge case. These field initializers in this case should now be emitted starting with this release.Avoid incorrect cycle warning with
tsconfig.jsonmultiple inheritance (#3898)TypeScript 5.0 introduced multiple inheritance for
tsconfig.jsonfiles whereextendscan be an array of file paths. Previously esbuild would incorrectly treat files encountered more than once when processing separate subtrees of the multiple inheritance hierarchy as an inheritance cycle. With this release,tsconfig.jsonfiles containing this edge case should work correctly without generating a warning.Handle Yarn Plug'n'Play stack overflow with
tsconfig.json(#3915)Previously a
tsconfig.jsonfile thatextendsanother file in a package with anexportsmap could cause a stack overflow when Yarn's Plug'n'Play resolution was active. This edge case should work now starting with this release.Work around more issues with Deno 1.31+ (#3917)
This version of Deno broke the
stdinandstdoutproperties on command objects for inherited streams, which matters when you run esbuild's Deno module as the entry point (i.e. whenimport.meta.mainistrue). Previously esbuild would crash in Deno 1.31+ if you ran esbuild like that. This should be fixed starting with this release.This fix was contributed by@Joshix-1.
Configuration
📅Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated byMend Renovate. View therepository job log.