uglify-js - npm Package Compare versions

Comparing version 3.16.3 to 3.17.0

lib/minify.js

@@ -79,2 +79,3 @@ "use strict";
             enclose: false,
+            expression: false,
             ie: false,
@@ -102,2 +103,3 @@ ie8: false,
         if (options.annotations !== undefined) set_shorthand("annotations", options, [ "compress", "output" ]);
+        if (options.expression) set_shorthand("expression", options, [ "compress", "parse" ]);
         if (options.ie8) options.ie = options.ie || options.ie8;
@@ -158,9 +160,7 @@ if (options.ie) set_shorthand("ie", options, [ "compress", "mangle", "output", "rename" ]);
         var toplevel;
-        if (files instanceof AST_Toplevel) {
+        options.parse = options.parse || {};
+        if (files instanceof AST_Node) {
             toplevel = files;
         } else {
-            if (typeof files == "string") {
-                files = [ files ];
-            }
-            options.parse = options.parse || {};
+            if (typeof files == "string") files = [ files ];
             options.parse.toplevel = null;
@@ -177,5 +177,3 @@ var source_map_content = options.sourceMap && options.sourceMap.content;
                     var inlined_content = read_source_map(name, toplevel);
-                    if (inlined_content) {
-                        options.sourceMap.orig[name] = parse_source_map(inlined_content);
-                    }
+                    if (inlined_content) options.sourceMap.orig[name] = parse_source_map(inlined_content);
                 } else if (source_map_content) {
@@ -186,5 +184,4 @@ options.sourceMap.orig[name] = source_map_content;
         }
-        if (quoted_props) {
-            reserve_quoted_keys(toplevel, quoted_props);
-        }
+        if (options.parse.expression) toplevel = toplevel.wrap_expression();
+        if (quoted_props) reserve_quoted_keys(toplevel, quoted_props);
         [ "enclose", "wrap" ].forEach(function(action) {
@@ -217,2 +214,3 @@ var option = options[action];
         if (options.mangle && options.mangle.properties) mangle_properties(toplevel, options.mangle.properties);
+        if (options.parse.expression) toplevel = toplevel.unwrap_expression();
         if (timings) timings.output = Date.now();
@@ -219,0 +217,0 @@ var result = {};

lib/propmangle.js

@@ -46,6 +46,7 @@ /***********************************************************************
 
-var builtins = function() {
+function get_builtins() {
     var names = new Dictionary();
-    // NaN will be included due to Number.NaN
+    // constants
     [
+        "NaN",
         "null",
@@ -58,21 +59,63 @@ "true",
     ].forEach(add);
+    // global functions
     [
-        Array,
-        Boolean,
-        Date,
-        Error,
-        Function,
-        Math,
-        Number,
-        Object,
-        RegExp,
-        String,
-    ].forEach(function(ctor) {
+        "encodeURI",
+        "encodeURIComponent",
+        "escape",
+        "eval",
+        "decodeURI",
+        "decodeURIComponent",
+        "isFinite",
+        "isNaN",
+        "parseFloat",
+        "parseInt",
+        "unescape",
+    ].forEach(add);
+    // global constructors & objects
+    var global = Function("return this")();
+    [
+        "Array",
+        "ArrayBuffer",
+        "Atomics",
+        "BigInt",
+        "Boolean",
+        "console",
+        "DataView",
+        "Date",
+        "Error",
+        "Function",
+        "Int8Array",
+        "Intl",
+        "JSON",
+        "Map",
+        "Math",
+        "Number",
+        "Object",
+        "Promise",
+        "Proxy",
+        "Reflect",
+        "RegExp",
+        "Set",
+        "String",
+        "Symbol",
+        "WebAssembly",
+    ].forEach(function(name) {
+        add(name);
+        var ctor = global[name];
+        if (!ctor) return;
         Object.getOwnPropertyNames(ctor).map(add);
-        if (ctor.prototype) {
+        if (typeof ctor != "function") return;
+        if (ctor.__proto__) Object.getOwnPropertyNames(ctor.__proto__).map(add);
+        if (ctor.prototype) Object.getOwnPropertyNames(ctor.prototype).map(add);
+        try {
             Object.getOwnPropertyNames(new ctor()).map(add);
-            Object.getOwnPropertyNames(ctor.prototype).map(add);
+        } catch (e) {
+            try {
+                Object.getOwnPropertyNames(ctor()).map(add);
+            } catch (e) {}
         }
     });
-    return names;
+    return (get_builtins = function() {
+        return names.clone();
+    })();
 
@@ -82,3 +125,3 @@ function add(name) {
     }
-}();
+}
 
@@ -122,3 +165,3 @@ function reserve_quoted_keys(ast, reserved) {
 
-    var reserved = options.builtins ? new Dictionary() : builtins.clone();
+    var reserved = options.builtins ? new Dictionary() : get_builtins();
     if (Array.isArray(options.reserved)) options.reserved.forEach(function(name) {
@@ -125,0 +168,0 @@ reserved.set(name, true);

lib/scope.js

@@ -289,3 +289,3 @@ /***********************************************************************
                 if (redef) for (var s = node.scope; s; s = s.parent_scope) {
-                    push_uniq(s.enclosed, redef);
+                    if (!push_uniq(s.enclosed, redef)) break;
                     if (s === redef.scope) break;
@@ -484,3 +484,3 @@ }
     for (var s = this.scope; s; s = s.parent_scope) {
-        push_uniq(s.enclosed, def);
+        if (!push_uniq(s.enclosed, def)) break;
         if (!options) {
@@ -709,3 +709,8 @@ s._var_names = undefined;
         def.references.forEach(reference);
-        if (sym instanceof AST_SymbolCatch || sym instanceof AST_SymbolConst) reference(sym);
+        if (sym instanceof AST_SymbolCatch || sym instanceof AST_SymbolConst) {
+            reference(sym);
+            def.redefined = function() {
+                return redef;
+            };
+        }
         return true;
@@ -712,0 +717,0 @@

lib/utils.js

@@ -130,4 +130,6 @@ /***********************************************************************
     return text.replace(/\{([^{}]+)\}/g, function(str, p) {
-        var value = props[p];
-        return value instanceof AST_Node ? value.print_to_string() : value;
+        var value = p == "this" ? props : props[p];
+        if (value instanceof AST_Node) return value.print_to_string();
+        if (value instanceof AST_Token) return value.file + ":" + value.line + "," + value.col;
+        return value;
     });
@@ -134,0 +136,0 @@ }

package.json

@@ -6,3 +6,3 @@ {
   "license": "BSD-2-Clause",
-  "version": "3.16.3",
+  "version": "3.17.0",
   "engines": {
@@ -9,0 +9,0 @@ "node": ">=0.8.0"

README.md

@@ -57,4 +57,2 @@ UglifyJS 3
                                                 by the .user.js engine `caller`.
-                                `expression`  Parse a single expression, rather than
-                                              a program (for parsing JSON).
                                 `spidermonkey`  Assume input files are SpiderMonkey
@@ -115,2 +113,4 @@ AST format (as JSON).
                                 argument(s) & value(s).
+    --expression                Parse a single expression, rather than a program
+                                (for parsing JSON).
     --ie                        Support non-standard Internet Explorer.
@@ -509,2 +509,4 @@ Equivalent to setting `ie: true` in `minify()`
 
+- `expression` (default: `false`) — parse as a single expression, e.g. JSON.
+
 - `ie` (default: `false`) — enable workarounds for Internet Explorer bugs.
@@ -639,4 +641,2 @@
 
-- `expression` (default: `false`) — parse as a single expression, e.g. JSON
-
 - `html5_comments` (default: `true`) — process HTML comment as workaround for
@@ -643,0 +643,0 @@ browsers which do not recognise `<script>` tags

New alerts

Uses eval

Supply chain risk

Package uses dynamic code execution (e.g., eval()), which is a dangerous practice. This can prevent the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.

Found 1 instance in 1 package

Environment variable access

Supply chain risk

Package accesses environment variables, which may be a sign of credential stuffing or data theft.

Found 1 instance in 1 package

Filesystem access

Supply chain risk

Accesses the file system, and could potentially read sensitive data.

Found 1 instance in 1 package

Long strings

Supply chain risk

Contains long string literals, which may be a sign of obfuscated or packed code.

Found 1 instance in 1 package

URL strings

Supply chain risk

Package contains fragments of external URLs or IP addresses, which the package may be accessing at runtime.

Found 1 instance in 1 package

Fixed alerts

Uses eval

Supply chain risk

Package uses dynamic code execution (e.g., eval()), which is a dangerous practice. This can prevent the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.

Found 1 instance in 1 package

Environment variable access

Supply chain risk

Package accesses environment variables, which may be a sign of credential stuffing or data theft.

Found 1 instance in 1 package

Filesystem access

Supply chain risk

Accesses the file system, and could potentially read sensitive data.

Found 1 instance in 1 package

Long strings

Supply chain risk

Contains long string literals, which may be a sign of obfuscated or packed code.

Found 1 instance in 1 package

URL strings

Supply chain risk

Package contains fragments of external URLs or IP addresses, which the package may be accessing at runtime.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

1271989

0.33%

Lines of code

31817

0.26%

Worsened metrics

Number of medium supply chain risk alerts

6

20%

No dependency changes