Research
Security News
Kill Switch Hidden in npm Packages Typosquatting Chalk and Chokidar
Socket researchers found several malicious npm packages typosquatting Chalk and Chokidar, targeting Node.js developers with kill switches and data theft.
@esbuild/linux-loong64
Advanced tools
The Linux LoongArch 64-bit binary for esbuild, a JavaScript bundler.
This is the Linux LoongArch 64-bit binary for esbuild, a JavaScript bundler and minifier. See https://github.com/evanw/esbuild for details.
0.24.1
Allow es2024
as a target in tsconfig.json
(#4004)
TypeScript recently added es2024
as a compilation target, so esbuild now supports this in the target
field of tsconfig.json
files, such as in the following configuration file:
{
"compilerOptions": {
"target": "ES2024"
}
}
As a reminder, the only thing that esbuild uses this field for is determining whether or not to use legacy TypeScript behavior for class fields. You can read more in the documentation.
This fix was contributed by @billyjanitsch.
Allow automatic semicolon insertion after get
/set
This change fixes a grammar bug in the parser that incorrectly treated the following code as a syntax error:
class Foo {
get
*x() {}
set
*y() {}
}
The above code will be considered valid starting with this release. This change to esbuild follows a similar change to TypeScript which will allow this syntax starting with TypeScript 5.7.
Allow quoted property names in --define
and --pure
(#4008)
The define
and pure
API options now accept identifier expressions containing quoted property names. Previously all identifiers in the identifier expression had to be bare identifiers. This change now makes --define
and --pure
consistent with --global-name
, which already supported quoted property names. For example, the following is now possible:
// The following code now transforms to "return true;\n"
console.log(esbuild.transformSync(
`return process.env['SOME-TEST-VAR']`,
{ define: { 'process.env["SOME-TEST-VAR"]': 'true' } },
))
Note that if you're passing values like this on the command line using esbuild's --define
flag, then you'll need to know how to escape quote characters for your shell. You may find esbuild's JavaScript API more ergonomic and portable than writing shell code.
Minify empty try
/catch
/finally
blocks (#4003)
With this release, esbuild will now attempt to minify empty try
blocks:
// Original code
try {} catch { foo() } finally { bar() }
// Old output (with --minify)
try{}catch{foo()}finally{bar()}
// New output (with --minify)
bar();
This can sometimes expose additional minification opportunities.
Include entryPoint
metadata for the copy
loader (#3985)
Almost all entry points already include a entryPoint
field in the outputs
map in esbuild's build metadata. However, this wasn't the case for the copy
loader as that loader is a special-case that doesn't behave like other loaders. This release adds the entryPoint
field in this case.
Source mappings may now contain null
entries (#3310, #3878)
With this change, sources that result in an empty source map may now emit a null
source mapping (i.e. one with a generated position but without a source index or original position). This change improves source map accuracy by fixing a problem where minified code from a source without any source mappings could potentially still be associated with a mapping from another source file earlier in the generated output on the same minified line. It manifests as nonsensical files in source mapped stack traces. Now the null
mapping "resets" the source map so that any lookups into the minified code without any mappings resolves to null
(which appears as the output file in stack traces) instead of the incorrect source file.
This change shouldn't affect anything in most situations. I'm only mentioning it in the release notes in case it introduces a bug with source mapping. It's part of a work-in-progress future feature that will let you omit certain unimportant files from the generated source map to reduce source map size.
Avoid using the parent directory name for determinism (#3998)
To make generated code more readable, esbuild includes the name of the source file when generating certain variable names within the file. Specifically bundling a CommonJS file generates a variable to store the lazily-evaluated module initializer. However, if a file is named index.js
(or with a different extension), esbuild will use the name of the parent directory instead for a better name (since many packages have files all named index.js
but have unique directory names).
This is problematic when the bundle entry point is named index.js
and the parent directory name is non-deterministic (e.g. a temporary directory created by a build script). To avoid non-determinism in esbuild's output, esbuild will now use index
instead of the parent directory in this case. Specifically this will happen if the parent directory is equal to esbuild's outbase
API option, which defaults to the lowest common ancestor of all user-specified entry point paths.
Experimental support for esbuild on NetBSD (#3974)
With this release, esbuild now has a published binary executable for NetBSD in the @esbuild/netbsd-arm64
npm package, and esbuild's installer has been modified to attempt to use it when on NetBSD. Hopefully this makes installing esbuild via npm work on NetBSD. This change was contributed by @bsiegert.
⚠️ Note: NetBSD is not one of Node's supported platforms, so installing esbuild may or may not work on NetBSD depending on how Node has been patched. This is not a problem with esbuild. ⚠️
FAQs
The Linux LoongArch 64-bit binary for esbuild, a JavaScript bundler.
The npm package @esbuild/linux-loong64 receives a total of 5,084,546 weekly downloads. As such, @esbuild/linux-loong64 popularity was classified as popular.
We found that @esbuild/linux-loong64 demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers found several malicious npm packages typosquatting Chalk and Chokidar, targeting Node.js developers with kill switches and data theft.
Security News
pnpm 10 blocks lifecycle scripts by default to improve security, addressing supply chain attack risks but sparking debate over compatibility and workflow changes.
Product
Socket now supports uv.lock files to ensure consistent, secure dependency resolution for Python projects and enhance supply chain security.