Security News
tea.xyz Spam Plagues npm and RubyGems Package Registries
Tea.xyz, a crypto project aimed at rewarding open source contributions, is once again facing backlash due to an influx of spam packages flooding public package registries.
esbuild
Advanced tools
Package description
esbuild is a fast JavaScript bundler and minifier. It compiles TypeScript and JavaScript into a single file, minifies it, and can also handle CSS and image assets. It's designed for speed and efficiency, utilizing parallelism and native Go code to achieve its performance.
Bundling JavaScript
This code bundles 'app.js' and its dependencies into a single file 'out.js'.
require('esbuild').build({
entryPoints: ['app.js'],
bundle: true,
outfile: 'out.js'
}).catch(() => process.exit(1))
Minifying JavaScript
This code minifies 'app.js' to reduce file size and improve load times.
require('esbuild').build({
entryPoints: ['app.js'],
minify: true,
outfile: 'out.js'
}).catch(() => process.exit(1))
Transpiling TypeScript
This code compiles a TypeScript file 'app.ts' into JavaScript and bundles it into 'out.js'.
require('esbuild').build({
entryPoints: ['app.ts'],
bundle: true,
outfile: 'out.js'
}).catch(() => process.exit(1))
Serving files for development
This code starts a local server to serve files from the 'public' directory and bundles 'app.js' into 'public/out.js'.
require('esbuild').serve({
servedir: 'public',
port: 8000
}, {
entryPoints: ['app.js'],
bundle: true,
outfile: 'public/out.js'
}).then(server => {
// Server started
})
Webpack is a powerful and widely-used module bundler. It offers a rich plugin ecosystem and a highly configurable build process. Compared to esbuild, webpack is more mature with more features but is generally slower due to its JavaScript-based architecture.
Rollup is another JavaScript module bundler that focuses on producing efficient bundles for modern module formats like ES modules. It's known for its tree-shaking capabilities. Rollup is typically faster than webpack but slower than esbuild.
Parcel is a web application bundler that offers zero configuration out-of-the-box. It's faster than webpack and rollup but generally not as fast as esbuild. Parcel has a simpler user experience but may not be as flexible for complex configurations.
Terser is a JavaScript parser, mangler, and compressor toolkit for ES6+. It's often used for minifying JavaScript code. While esbuild also minifies code, terser is a dedicated tool for this purpose and can be used alongside other bundlers.
Changelog
0.17.19
Fix CSS transform bugs with nested selectors that start with a combinator (#3096)
This release fixes several bugs regarding transforming nested CSS into non-nested CSS for older browsers. The bugs were due to lack of test coverage for nested selectors with more than one compound selector where they all start with the same combinator. Here's what some problematic cases look like before and after these fixes:
/* Original code */
.foo {
> &a,
> &b {
color: red;
}
}
.bar {
> &a,
+ &b {
color: green;
}
}
/* Old output (with --target=chrome90) */
.foo :is(> .fooa, > .foob) {
color: red;
}
.bar :is(> .bara, + .barb) {
color: green;
}
/* New output (with --target=chrome90) */
.foo > :is(a.foo, b.foo) {
color: red;
}
.bar > a.bar,
.bar + b.bar {
color: green;
}
Fix bug with TypeScript parsing of instantiation expressions followed by =
(#3111)
This release fixes esbuild's TypeScript-to-JavaScript conversion code in the case where a potential instantiation expression is followed immediately by a =
token (such that the trailing >
becomes a >=
token). Previously esbuild considered that to still be an instantiation expression, but the official TypeScript compiler considered it to be a >=
operator instead. This release changes esbuild's interpretation to match TypeScript. This edge case currently appears to be problematic for other TypeScript-to-JavaScript converters as well:
| Original code | TypeScript | esbuild 0.17.18 | esbuild 0.17.19 | Sucrase | Babel |
|---|---|---|---|---|---|
| x<y>=a<b<c>>()
| x<y>=a();
| x=a();
| x<y>=a();
| x=a()
| Invalid left-hand side in assignment expression |
Avoid removing unrecognized directives from the directive prologue when minifying (#3115)
The directive prologue in JavaScript is a sequence of top-level string expressions that come before your code. The only directives that JavaScript engines currently recognize are use strict
and sometimes use asm
. However, the people behind React have made up their own directive for their own custom dialect of JavaScript. Previously esbuild only preserved the use strict
directive when minifying, although you could still write React JavaScript with esbuild using something like --banner:js="'your directive here';"
. With this release, you can now put arbitrary directives in the entry point and esbuild will preserve them in its minified output:
// Original code
'use wtf'; console.log(123)
// Old output (with --minify)
console.log(123);
// New output (with --minify)
"use wtf";console.log(123);
Note that this means esbuild will no longer remove certain stray top-level strings when minifying. This behavior is an intentional change because these stray top-level strings are actually part of the directive prologue, and could potentially have semantics assigned to them (as was the case with React).
Improved minification of binary shift operators
With this release, esbuild's minifier will now evaluate the <<
and >>>
operators if the resulting code would be shorter:
// Original code
console.log(10 << 10, 10 << 20, -123 >>> 5, -123 >>> 10);
// Old output (with --minify)
console.log(10<<10,10<<20,-123>>>5,-123>>>10);
// New output (with --minify)
console.log(10240,10<<20,-123>>>5,4194303);
Readme
This is a JavaScript bundler and minifier. See https://github.com/evanw/esbuild and the JavaScript API documentation for details.
FAQs
An extremely fast JavaScript and CSS bundler and minifier.
The npm package esbuild receives a total of 26,857,205 weekly downloads. As such, esbuild popularity was classified as popular.
We found that esbuild demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Tea.xyz, a crypto project aimed at rewarding open source contributions, is once again facing backlash due to an influx of spam packages flooding public package registries.
Security News
As cyber threats become more autonomous, AI-powered defenses are crucial for businesses to stay ahead of attackers who can exploit software vulnerabilities at scale.
Security News
UnitedHealth Group disclosed that the ransomware attack on Change Healthcare compromised protected health information for millions in the U.S., with estimated costs to the company expected to reach $1 billion.