This is a hotfix for the previous release.
-
Move all binary executable packages to the @esbuild/ scope
Binary package executables for esbuild are published as individual packages separate from the main esbuild package so you only have to download the relevant one for the current platform when you install esbuild. This release moves all of these packages under the @esbuild/ scope to avoid collisions with 3rd-party packages. It also changes them to a consistent naming scheme that uses the os and cpu names from node.
The package name changes are as follows:
@esbuild/linux-loong64 => @esbuild/linux-loong64 (no change)esbuild-android-64 => @esbuild/android-x64esbuild-android-arm64 => @esbuild/android-arm64esbuild-darwin-64 => @esbuild/darwin-x64esbuild-darwin-arm64 => @esbuild/darwin-arm64esbuild-freebsd-64 => @esbuild/freebsd-x64esbuild-freebsd-arm64 => @esbuild/freebsd-arm64esbuild-linux-32 => @esbuild/linux-ia32esbuild-linux-64 => @esbuild/linux-x64esbuild-linux-arm => @esbuild/linux-armesbuild-linux-arm64 => @esbuild/linux-arm64esbuild-linux-mips64le => @esbuild/linux-mips64elesbuild-linux-ppc64le => @esbuild/linux-ppc64esbuild-linux-riscv64 => @esbuild/linux-riscv64esbuild-linux-s390x => @esbuild/linux-s390xesbuild-netbsd-64 => @esbuild/netbsd-x64esbuild-openbsd-64 => @esbuild/openbsd-x64esbuild-sunos-64 => @esbuild/sunos-x64esbuild-wasm => esbuild-wasm (no change)esbuild-windows-32 => @esbuild/win32-ia32esbuild-windows-64 => @esbuild/win32-x64esbuild-windows-arm64 => @esbuild/win32-arm64esbuild => esbuild (no change)
Normal usage of the esbuild and esbuild-wasm packages should not be affected. These name changes should only affect tools that hard-coded the individual binary executable package names into custom esbuild downloader scripts.
This change was not made with performance in mind. But as a bonus, installing esbuild with npm may potentially happen faster now. This is because npm's package installation protocol is inefficient: it always downloads metadata for all past versions of each package even when it only needs metadata about a single version. This makes npm package downloads O(n) in the number of published versions, which penalizes packages like esbuild that are updated regularly. Since most of esbuild's package names have now changed, npm will now need to download much less data when installing esbuild (8.72mb of package manifests before this change → 0.06mb of package manifests after this change). However, this is only a temporary improvement. Installing esbuild will gradually get slower again as further versions of esbuild are published.
-
Publish a shell script that downloads esbuild directly
In addition to all of the existing ways to install esbuild, you can now also download esbuild directly like this:
curl -fsSL https://esbuild.github.io/dl/latest | sh
This runs a small shell script that downloads the latest esbuild binary executable to the current directory. This can be convenient on systems that don't have npm installed or when you just want to get a copy of esbuild quickly without any extra steps. If you want a specific version of esbuild (starting with this version onward), you can provide that version in the URL instead of latest:
curl -fsSL https://esbuild.github.io/dl/v0.16.0 | sh
Note that the download script needs to be able to access registry.npmjs.org to be able to complete the download. This download script doesn't yet support all of the platforms that esbuild supports because I lack the necessary testing environments. If the download script doesn't work for you because you're on an unsupported platform, please file an issue on the esbuild repo so we can add support for it.
-
Fix some parameter names for the Go API
This release changes some parameter names for the Go API to be consistent with the JavaScript and CLI APIs:
OutExtensions => OutExtensionJSXMode => JSX
-
Add additional validation of API parameters
The JavaScript API now does some additional validation of API parameters to catch incorrect uses of esbuild's API. The biggest impact of this is likely that esbuild now strictly only accepts strings with the define parameter. This would already have been a type error with esbuild's TypeScript type definitions, but it was previously not enforced for people using esbuild's API JavaScript without TypeScript.
The define parameter appears at first glance to take a JSON object if you aren't paying close attention, but this actually isn't true. Values for define are instead strings of JavaScript code. This means you have to use define: { foo: '"bar"' } to replace foo with the string "bar". Using define: { foo: 'bar' } actually replaces foo with the identifier bar. Previously esbuild allowed you to pass define: { foo: false } and false was automatically converted into a string, which made it more confusing to understand what define actually represents. Starting with this release, passing non-string values such as with define: { foo: false } will no longer be allowed. You will now have to write define: { foo: 'false' } instead.
-
Generate shorter data URLs if possible (#1843)
Loading a file with esbuild's dataurl loader generates a JavaScript module with a data URL for that file in a string as a single default export. Previously the data URLs generated by esbuild all used base64 encoding. However, this is unnecessarily long for most textual data (e.g. SVG images). So with this release, esbuild's dataurl loader will now use percent encoding instead of base64 encoding if the result will be shorter. This can result in ~25% smaller data URLs for large SVGs. If you want the old behavior, you can use the base64 loader instead and then construct the data URL yourself.
-
Avoid marking entry points as external (#2382)
Previously you couldn't specify --external:* to mark all import paths as external because that also ended up making the entry point itself external, which caused the build to fail. With this release, esbuild's external API parameter no longer applies to entry points so using --external:* is now possible.
One additional consequence of this change is that the kind parameter is now required when calling the resolve() function in esbuild's plugin API. Previously the kind parameter defaulted to entry-point, but that no longer interacts with external so it didn't seem wise for this to continue to be the default. You now have to specify kind so that the path resolution mode is explicit.
-
Disallow non-default imports when assert { type: 'json' } is present
There is now standard behavior for importing a JSON file into an ES module using an import statement. However, it requires you to place the assert { type: 'json' } import assertion after the import path. This import assertion tells the JavaScript runtime to throw an error if the import does not end up resolving to a JSON file. On the web, the type of a file is determined by the Content-Type HTTP header instead of by the file extension. The import assertion prevents security problems on the web where a .json file may actually resolve to a JavaScript file containing malicious code, which is likely not expected for an import that is supposed to only contain pure side-effect free data.
By default, esbuild uses the file extension to determine the type of a file, so this import assertion is unnecessary with esbuild. However, esbuild's JSON import feature has a non-standard extension that allows you to import top-level properties of the JSON object as named imports. For example, esbuild lets you do this:
import { version } from './package.json'
This is useful for tree-shaking when bundling because it means esbuild will only include the the version field of package.json in your bundle. This is non-standard behavior though and doesn't match the behavior of what happens when you import JSON in a real JavaScript runtime (after adding assert { type: 'json' }). In a real JavaScript runtime the only thing you can import is the default import. So with this release, esbuild will now prevent you from importing non-default import names if assert { type: 'json' } is present. This ensures that code containing assert { type: 'json' } isn't relying on non-standard behavior that won't work everywhere. So the following code is now an error with esbuild when bundling:
import { version } from './package.json' assert { type: 'json' }
In addition, adding assert { type: 'json' } to an import statement now means esbuild will generate an error if the loader for the file is anything other than json, which is required by the import assertion specification.
-
Provide a way to disable automatic escaping of </script> (#2649)
If you inject esbuild's output into a script tag in an HTML file, code containing the literal characters </script> will cause the tag to be ended early which will break the code:
<script>
console.log("</script>");
</script>
To avoid this, esbuild automatically escapes these strings in generated JavaScript files (e.g. "</script>" becomes "<\/script>" instead). This also applies to </style> in generated CSS files. Previously this always happened and there wasn't a way to turn this off.
With this release, esbuild will now only do this if the platform setting is set to browser (the default value). Setting platform to node or neutral will disable this behavior. This behavior can also now be disabled with --supported:inline-script=false (for JS) and --supported:inline-style=false (for CSS).
-
Throw an early error if decoded UTF-8 text isn't a Uint8Array (#2532)
If you run esbuild's JavaScript API in a broken JavaScript environment where new TextEncoder().encode("") instanceof Uint8Array is false, then esbuild's API will fail with a confusing serialization error message that makes it seem like esbuild has a bug even though the real problem is that the JavaScript environment itself is broken. This can happen when using the test framework called Jest. With this release, esbuild's API will now throw earlier when it detects that the environment is unable to encode UTF-8 text correctly with an error message that makes it more clear that this is not a problem with esbuild.
-
Change the default "legal comment" behavior
The legal comments feature automatically gathers comments containing @license or @preserve and puts the comments somewhere (either in the generated code or in a separate file). People sometimes want this to happen so that the their dependencies' software licenses are retained in the generated output code. By default esbuild puts these comments at the end of the file when bundling. However, people sometimes find this confusing because these comments can be very generic and may not mention which library they come from. So with this release, esbuild will now discard legal comments by default. You now have to opt-in to preserving them if you want this behavior.
-
Enable the module condition by default (#2417)
Package authors want to be able to use the new exports field in package.json to provide tree-shakable ESM code for ESM-aware bundlers while simultaneously providing fallback CommonJS code for other cases.
Node's proposed way to do this involves using the import and require export conditions so that you get the ESM code if you use an import statement and the CommonJS code if you use a require call. However, this has a major drawback: if some code in the bundle uses an import statement and other code in the bundle uses a require call, then you'll get two copies of the same package in the bundle. This is known as the dual package hazard and can lead to bloated bundles or even worse to subtle logic bugs.
Webpack supports an alternate solution: an export condition called module that takes effect regardless of whether the package was imported using an import statement or a require call. This works because bundlers such as Webpack support importing a ESM using a require call (something node doesn't support). You could already do this with esbuild using --conditions=module but you previously had to explicitly enable this. Package authors are concerned that esbuild users won't know to do this and will get suboptimal output with their package, so they have requested for esbuild to do this automatically.
So with this release, esbuild will now automatically add the module condition when there aren't any custom conditions already configured. You can disable this with --conditions= or conditions: [] (i.e. explicitly clearing all custom conditions).
-
Rename the master branch to main
The primary branch for this repository was previously called master but is now called main. This change mirrors a similar change in many other projects.
-
Remove esbuild's _exit(0) hack for WebAssembly (#714)
Node had an unfortunate bug where the node process is unnecessarily kept open while a WebAssembly module is being optimized: https://github.com/nodejs/node/issues/36616. This means cases where running esbuild should take a few milliseconds can end up taking many seconds instead.
The workaround was to force node to exit by ending the process early. This was done by esbuild in one of two ways depending on the exit code. For non-zero exit codes (i.e. when there is a build error), the esbuild command could just call process.kill(process.pid) to avoid the hang. But for zero exit codes, esbuild had to load a N-API native node extension that calls the operating system's exit(0) function.
However, this problem has essentially been fixed in node starting with version 18.3.0. So I have removed this hack from esbuild. If you are using an earlier version of node with esbuild-wasm and you don't want the esbuild command to hang for a while when exiting, you can upgrade to node 18.3.0 or higher to remove the hang.
The fix came from a V8 upgrade: this commit enabled dynamic tiering for WebAssembly by default for all projects that use V8's WebAssembly implementation. Previously all functions in the WebAssembly module were optimized in a single batch job but with dynamic tiering, V8 now optimizes individual WebAssembly functions as needed. This avoids unnecessary WebAssembly compilation which allows node to exit on time.
-
Remove duplicate CSS rules across files (#2688)
When two or more CSS rules are exactly the same (even if they are not adjacent), all but the last one can safely be removed:
/* Before */
a { color: red; }
span { font-weight: bold; }
a { color: red; }
/* After */
span { font-weight: bold; }
a { color: red; }
Previously esbuild only did this transformation within a single source file. But with this release, esbuild will now do this transformation across source files, which may lead to smaller CSS output if the same rules are repeated across multiple CSS source files in the same bundle. This transformation is only enabled when minifying (specifically when syntax minification is enabled).
-
Add deno as a valid value for target (#2686)
The target setting in esbuild allows you to enable or disable JavaScript syntax features for a given version of a set of target JavaScript VMs. Previously Deno was not one of the JavaScript VMs that esbuild supported with target, but it will now be supported starting from this release. For example, versions of Deno older than v1.2 don't support the new ||= operator, so adding e.g. --target=deno1.0 to esbuild now lets you tell esbuild to transpile ||= to older JavaScript.
-
Fix the esbuild-wasm package in Node v19 (#2683)
A recent change to Node v19 added a non-writable crypto property to the global object: https://github.com/nodejs/node/pull/44897. This conflicts with Go's WebAssembly shim code, which overwrites the global crypto property. As a result, all Go-based WebAssembly code that uses the built-in shim (including esbuild) is now broken on Node v19. This release of esbuild fixes the issue by reconfiguring the global crypto property to be writable before invoking Go's WebAssembly shim code.
-
Fix CSS dimension printing exponent confusion edge case (#2677)
In CSS, a dimension token has a numeric "value" part and an identifier "unit" part. For example, the dimension token 32px has a value of 32 and a unit of px. The unit can be any valid CSS identifier. The value can be any number in floating-point format including an optional exponent (e.g. -3.14e-0 has an exponent of e-0). The full details of this syntax are here: https://www.w3.org/TR/css-syntax-3/.
To maintain the integrity of the dimension token through the printing process, esbuild must handle the edge case where the unit looks like an exponent. One such case is the dimension 1e\32 which has the value 1 and the unit e2. It would be bad if this dimension token was printed such that a CSS parser would parse it as a number token with the value 1e2 instead of a dimension token. The way esbuild currently does this is to escape the leading e in the dimension unit, so esbuild would parse 1e\32 but print 1\65 2 (both 1e\32 and 1\65 2 represent a dimension token with a value of 1 and a unit of e2).
However, there is an even narrower edge case regarding this edge case. If the value part of the dimension token itself has an e, then it's not necessary to escape the e in the dimension unit because a CSS parser won't confuse the unit with the exponent even though it looks like one (since a number can only have at most one exponent). This came up because the grammar for the CSS unicode-range property uses a hack that lets you specify a hexadecimal range without quotes even though CSS has no token for a hexadecimal range. The hack is to allow the hexadecimal range to be parsed as a dimension token and optionally also a number token. Here is the grammar for unicode-range:
unicode-range =
<urange>#
<urange> =
u '+' <ident-token> '?'* |
u <dimension-token> '?'* |
u <number-token> '?'* |
u <number-token> <dimension-token> |
u <number-token> <number-token> |
u '+' '?'+
and here is an example unicode-range declaration that was problematic for esbuild:
@​font-face {
unicode-range: U+0e2e-0e2f;
}
This is parsed as a dimension with a value of +0e2 and a unit of e-0e2f. This was problematic for esbuild because the unit starts with e-0 which could be confused with an exponent when appended after a number, so esbuild was escaping the e character in the unit. However, this escaping is unnecessary because in this case the dimension value already has an exponent in it. With this release, esbuild will no longer unnecessarily escape the e in the dimension unit in these cases, which should fix the printing of unicode-range declarations.
An aside: You may be wondering why esbuild is trying to escape the e at all and why it doesn't just pass through the original source code unmodified. The reason why esbuild does this is that, for robustness, esbuild's AST generally tries to omit semantically-unrelated information and esbuild's code printers always try to preserve the semantics of the underlying AST. That way the rest of esbuild's internals can just deal with semantics instead of presentation. They don't have to think about how the AST will be printed when changing the AST. This is the same reason that esbuild's JavaScript AST doesn't have a "parentheses" node (e.g. a * (b + c) is represented by the AST multiply(a, add(b, c)) instead of multiply(a, parentheses(add(b, c)))). Instead, the printer automatically inserts parentheses as necessary to maintain the semantics of the AST, which means all of the optimizations that run over the AST don't have to worry about keeping the parentheses up to date. Similarly, the CSS AST for the dimension token stores the actual unit and the printer makes sure the unit is properly escaped depending on what value it's placed after. All of the other code operating on CSS ASTs doesn't have to worry about parsing escapes to compare units or about keeping escapes up to date when the AST is modified. Hopefully that makes sense.
-
Attempt to avoid creating the node_modules/.cache directory for people that use Yarn 2+ in Plug'n'Play mode (#2685)
When Yarn's PnP mode is enabled, packages installed by Yarn may or may not be put inside .zip files. The specific heuristics for when this happens change over time in between Yarn versions. This is problematic for esbuild because esbuild's JavaScript package needs to execute a binary file inside the package. Yarn makes extensive modifications to Node's file system APIs at run time to pretend that .zip files are normal directories and to make it hard to tell whether a file is real or not (since in theory it doesn't matter). But they haven't modified Node's child_process.execFileSync API so attempting to execute a file inside a zip file fails. To get around this, esbuild previously used Node's file system APIs to copy the binary executable to another location before invoking execFileSync. Under the hood this caused Yarn to extract the file from the zip file into a real file that can then be run.
However, esbuild copied its executable into node_modules/.cache/esbuild. This is the official recommendation from the Yarn team for where packages are supposed to put these types of files when Yarn PnP is being used. However, users of Yarn PnP with esbuild find this really annoying because they don't like looking at the node_modules directory. With this release, esbuild now sets "preferUnplugged": true in its package.json files, which tells newer versions of Yarn to not put esbuild's packages in a zip file. There may exist older versions of Yarn that don't support preferUnplugged. In that case esbuild should still copy the executable to a cache directory, so it should still run (hopefully, since I haven't tested this myself). Note that esbuild setting "preferUnplugged": true may have the side effect of esbuild taking up more space on the file system in the event that multiple platforms are installed simultaneously, or that you're using an older version of Yarn that always installs packages for all platforms. In that case you may want to update to a newer version of Yarn since Yarn has recently changed to only install packages for the current platform.
-
Add support for the TypeScript 4.9 satisfies operator (#2509)
TypeScript 4.9 introduces a new operator called satisfies that lets you check that a given value satisfies a less specific type without casting it to that less specific type and without generating any additional code at run-time. It looks like this:
const value = { foo: 1, bar: false } satisfies Record<string, number | boolean>
console.log(value.foo.toFixed(1)) // TypeScript knows that "foo" is a number here
Before this existed, you could use a cast with as to check that a value satisfies a less specific type, but that removes any additional knowledge that TypeScript has about that specific value:
const value = { foo: 1, bar: false } as Record<string, number | boolean>
console.log(value.foo.toFixed(1)) // TypeScript no longer knows that "foo" is a number
You can read more about this feature in TypeScript's blog post for 4.9 as well as the associated TypeScript issue for this feature.
This feature was implemented in esbuild by @magic-akari.
-
Fix watch mode constantly rebuilding if the parent directory is inaccessible (#2640)
Android is unusual in that it has an inaccessible directory in the path to the root, which esbuild was not originally built to handle. To handle cases like this, the path resolution layer in esbuild has a hack where it treats inaccessible directories as empty. However, esbuild's watch implementation currently triggers a rebuild if a directory previously encountered an error but the directory now exists. The assumption is that the previous error was caused by the directory not existing. Although that's usually the case, it's not the case for this particular parent directory on Android. Instead the error is that the directory previously existed but was inaccessible.
This discrepancy between esbuild's path resolution layer and its watch mode was causing watch mode to rebuild continuously on Android. With this release, esbuild's watch mode instead checks for an error status change in the readdir file system call, so watch mode should no longer rebuild continuously on Android.
-
Apply a fix for a rare deadlock with the JavaScript API (#1842, #2485)
There have been reports of esbuild sometimes exiting with an "all goroutines are asleep" deadlock message from the Go language runtime. This issue hasn't made much progress until recently, where a possible cause was discovered (thanks to @jfirebaugh for the investigation). This release contains a possible fix for that possible cause, so this deadlock may have been fixed. The fix cannot be easily verified because the deadlock is non-deterministic and rare. If this was indeed the cause, then this issue only affected the JavaScript API in situations where esbuild was already in the process of exiting.
In detail: The underlying cause is that Go's sync.WaitGroup API for waiting for a set of goroutines to finish is not fully thread-safe. Specifically it's not safe to call Add() concurrently with Wait() when the wait group counter is zero due to a data race. This situation could come up with esbuild's JavaScript API when the host JavaScript process closes the child process's stdin and the child process (with no active tasks) calls Wait() to check that there are no active tasks, at the same time as esbuild's watchdog timer calls Add() to add an active task (that pings the host to see if it's still there). The fix in this release is to avoid calling Add() once we learn that stdin has been closed but before we call Wait().
7k Jan 4, 2023
7 Nov 16, 2022
1 May 10, 2022
6 Dec 19, 2022
346 Jan 3, 2023
7 Dec 28, 2022
9.8k Jan 2, 2023
34 Nov 22, 2022
7 Oct 30, 2022
5 Feb 28, 2024
1.7k Jan 3, 2023
3.2k Jan 4, 2023
18 Feb 9, 2022
150 Dec 14, 2022
124 Jan 5, 2023
200 Oct 12, 2022
336 Jan 2, 2023
59 Oct 6, 2022