-
Fix process.env.NODE_ENV
substitution when transforming (#2718)
Version 0.16.0 introduced an unintentional regression that caused process.env.NODE_ENV
to be automatically substituted with either "development"
or "production"
when using esbuild's transform
API. This substitution is a necessary feature of esbuild's build
API because the React framework crashes when you bundle it without doing this. But the transform
API is typically used as part of a larger build pipeline so the benefit of esbuild doing this automatically is not as clear, and esbuild previously didn't do this.
However, version 0.16.0 switched the default value of the platform
setting for the transform
API from neutral
to browser
, both to align it with esbuild's documentation (which says browser
is the default value) and because escaping the </script>
character sequence is now tied to the browser
platform (see the release notes for version 0.16.0 for details). That accidentally enabled automatic substitution of process.env.NODE_ENV
because esbuild always did that for code meant for the browser. To fix this regression, esbuild will now only automatically substitute process.env.NODE_ENV
when using the build
API.
-
Prevent define
from substituting constants into assignment position (#2719)
The define
feature lets you replace certain expressions with constants. For example, you could use it to replace references to the global property reference window.DEBUG
with false
at compile time, which can then potentially help esbuild remove unused code from your bundle. It's similar to DefinePlugin in Webpack.
However, if you write code such as window.DEBUG = true
and then defined window.DEBUG
to false
, esbuild previously generated the output false = true
which is a syntax error in JavaScript. This behavior is not typically a problem because it doesn't make sense to substitute window.DEBUG
with a constant if its value changes at run-time (Webpack's DefinePlugin
also generates false = true
in this case). But it can be alarming to have esbuild generate code with a syntax error.
So with this release, esbuild will no longer substitute define
constants into assignment position to avoid generating code with a syntax error. Instead esbuild will generate a warning, which currently looks like this:
▲ [WARNING] Suspicious assignment to defined constant "window.DEBUG" [assign-to-define]
example.js:1:0:
1 │ window.DEBUG = true
╵ ~~~~~~~~~~~~
The expression "window.DEBUG" has been configured to be replaced with a constant using the
"define" feature. If this expression is supposed to be a compile-time constant, then it doesn't
make sense to assign to it here. Or if this expression is supposed to change at run-time, this
"define" substitution should be removed.
-
Fix a regression with npm install --no-optional
(#2720)
Normally when you install esbuild with npm install
, npm itself is the tool that downloads the correct binary executable for the current platform. This happens because of how esbuild's primary package uses npm's optionalDependencies
feature. However, if you deliberately disable this with npm install --no-optional
then esbuild's install script will attempt to repair the installation by manually downloading and extracting the binary executable from the package that was supposed to be installed.
The change in version 0.16.0 to move esbuild's nested packages into the @esbuild/
scope unintentionally broke this logic because of how npm's URL structure is different for scoped packages vs. normal packages. It was actually already broken for a few platforms earlier because esbuild already had packages for some platforms in the @esbuild/
scope, but I didn't discover this then because esbuild's integration tests aren't run on all platforms. Anyway, this release contains some changes to the install script that should hopefully get this scenario working again.
This is a hotfix for the previous release.
-
Move all binary executable packages to the @esbuild/
scope
Binary package executables for esbuild are published as individual packages separate from the main esbuild
package so you only have to download the relevant one for the current platform when you install esbuild. This release moves all of these packages under the @esbuild/
scope to avoid collisions with 3rd-party packages. It also changes them to a consistent naming scheme that uses the os
and cpu
names from node.
The package name changes are as follows:
@esbuild/linux-loong64
=> @esbuild/linux-loong64
(no change)
esbuild-android-64
=> @esbuild/android-x64
esbuild-android-arm64
=> @esbuild/android-arm64
esbuild-darwin-64
=> @esbuild/darwin-x64
esbuild-darwin-arm64
=> @esbuild/darwin-arm64
esbuild-freebsd-64
=> @esbuild/freebsd-x64
esbuild-freebsd-arm64
=> @esbuild/freebsd-arm64
esbuild-linux-32
=> @esbuild/linux-ia32
esbuild-linux-64
=> @esbuild/linux-x64
esbuild-linux-arm
=> @esbuild/linux-arm
esbuild-linux-arm64
=> @esbuild/linux-arm64
esbuild-linux-mips64le
=> @esbuild/linux-mips64el
esbuild-linux-ppc64le
=> @esbuild/linux-ppc64
esbuild-linux-riscv64
=> @esbuild/linux-riscv64
esbuild-linux-s390x
=> @esbuild/linux-s390x
esbuild-netbsd-64
=> @esbuild/netbsd-x64
esbuild-openbsd-64
=> @esbuild/openbsd-x64
esbuild-sunos-64
=> @esbuild/sunos-x64
esbuild-wasm
=> esbuild-wasm
(no change)
esbuild-windows-32
=> @esbuild/win32-ia32
esbuild-windows-64
=> @esbuild/win32-x64
esbuild-windows-arm64
=> @esbuild/win32-arm64
esbuild
=> esbuild
(no change)
Normal usage of the esbuild
and esbuild-wasm
packages should not be affected. These name changes should only affect tools that hard-coded the individual binary executable package names into custom esbuild downloader scripts.
This change was not made with performance in mind. But as a bonus, installing esbuild with npm may potentially happen faster now. This is because npm's package installation protocol is inefficient: it always downloads metadata for all past versions of each package even when it only needs metadata about a single version. This makes npm package downloads O(n) in the number of published versions, which penalizes packages like esbuild that are updated regularly. Since most of esbuild's package names have now changed, npm will now need to download much less data when installing esbuild (8.72mb of package manifests before this change → 0.06mb of package manifests after this change). However, this is only a temporary improvement. Installing esbuild will gradually get slower again as further versions of esbuild are published.
-
Publish a shell script that downloads esbuild directly
In addition to all of the existing ways to install esbuild, you can now also download esbuild directly like this:
curl -fsSL https://esbuild.github.io/dl/latest | sh
This runs a small shell script that downloads the latest esbuild
binary executable to the current directory. This can be convenient on systems that don't have npm
installed or when you just want to get a copy of esbuild quickly without any extra steps. If you want a specific version of esbuild (starting with this version onward), you can provide that version in the URL instead of latest
:
curl -fsSL https://esbuild.github.io/dl/v0.16.0 | sh
Note that the download script needs to be able to access registry.npmjs.org to be able to complete the download. This download script doesn't yet support all of the platforms that esbuild supports because I lack the necessary testing environments. If the download script doesn't work for you because you're on an unsupported platform, please file an issue on the esbuild repo so we can add support for it.
-
Fix some parameter names for the Go API
This release changes some parameter names for the Go API to be consistent with the JavaScript and CLI APIs:
OutExtensions
=> OutExtension
JSXMode
=> JSX
-
Add additional validation of API parameters
The JavaScript API now does some additional validation of API parameters to catch incorrect uses of esbuild's API. The biggest impact of this is likely that esbuild now strictly only accepts strings with the define
parameter. This would already have been a type error with esbuild's TypeScript type definitions, but it was previously not enforced for people using esbuild's API JavaScript without TypeScript.
The define
parameter appears at first glance to take a JSON object if you aren't paying close attention, but this actually isn't true. Values for define
are instead strings of JavaScript code. This means you have to use define: { foo: '"bar"' }
to replace foo
with the string "bar"
. Using define: { foo: 'bar' }
actually replaces foo
with the identifier bar
. Previously esbuild allowed you to pass define: { foo: false }
and false
was automatically converted into a string, which made it more confusing to understand what define
actually represents. Starting with this release, passing non-string values such as with define: { foo: false }
will no longer be allowed. You will now have to write define: { foo: 'false' }
instead.
-
Generate shorter data URLs if possible (#1843)
Loading a file with esbuild's dataurl
loader generates a JavaScript module with a data URL for that file in a string as a single default export. Previously the data URLs generated by esbuild all used base64 encoding. However, this is unnecessarily long for most textual data (e.g. SVG images). So with this release, esbuild's dataurl
loader will now use percent encoding instead of base64 encoding if the result will be shorter. This can result in ~25% smaller data URLs for large SVGs. If you want the old behavior, you can use the base64
loader instead and then construct the data URL yourself.
-
Avoid marking entry points as external (#2382)
Previously you couldn't specify --external:*
to mark all import paths as external because that also ended up making the entry point itself external, which caused the build to fail. With this release, esbuild's external
API parameter no longer applies to entry points so using --external:*
is now possible.
One additional consequence of this change is that the kind
parameter is now required when calling the resolve()
function in esbuild's plugin API. Previously the kind
parameter defaulted to entry-point
, but that no longer interacts with external
so it didn't seem wise for this to continue to be the default. You now have to specify kind
so that the path resolution mode is explicit.
-
Disallow non-default
imports when assert { type: 'json' }
is present
There is now standard behavior for importing a JSON file into an ES module using an import
statement. However, it requires you to place the assert { type: 'json' }
import assertion after the import path. This import assertion tells the JavaScript runtime to throw an error if the import does not end up resolving to a JSON file. On the web, the type of a file is determined by the Content-Type
HTTP header instead of by the file extension. The import assertion prevents security problems on the web where a .json
file may actually resolve to a JavaScript file containing malicious code, which is likely not expected for an import that is supposed to only contain pure side-effect free data.
By default, esbuild uses the file extension to determine the type of a file, so this import assertion is unnecessary with esbuild. However, esbuild's JSON import feature has a non-standard extension that allows you to import top-level properties of the JSON object as named imports. For example, esbuild lets you do this:
import { version } from './package.json'
This is useful for tree-shaking when bundling because it means esbuild will only include the the version
field of package.json
in your bundle. This is non-standard behavior though and doesn't match the behavior of what happens when you import JSON in a real JavaScript runtime (after adding assert { type: 'json' }
). In a real JavaScript runtime the only thing you can import is the default
import. So with this release, esbuild will now prevent you from importing non-default
import names if assert { type: 'json' }
is present. This ensures that code containing assert { type: 'json' }
isn't relying on non-standard behavior that won't work everywhere. So the following code is now an error with esbuild when bundling:
import { version } from './package.json' assert { type: 'json' }
In addition, adding assert { type: 'json' }
to an import statement now means esbuild will generate an error if the loader for the file is anything other than json
, which is required by the import assertion specification.
-
Provide a way to disable automatic escaping of </script>
(#2649)
If you inject esbuild's output into a script tag in an HTML file, code containing the literal characters </script>
will cause the tag to be ended early which will break the code:
<script>
console.log("</script>");
</script>
To avoid this, esbuild automatically escapes these strings in generated JavaScript files (e.g. "</script>"
becomes "<\/script>"
instead). This also applies to </style>
in generated CSS files. Previously this always happened and there wasn't a way to turn this off.
With this release, esbuild will now only do this if the platform
setting is set to browser
(the default value). Setting platform
to node
or neutral
will disable this behavior. This behavior can also now be disabled with --supported:inline-script=false
(for JS) and --supported:inline-style=false
(for CSS).
-
Throw an early error if decoded UTF-8 text isn't a Uint8Array
(#2532)
If you run esbuild's JavaScript API in a broken JavaScript environment where new TextEncoder().encode("") instanceof Uint8Array
is false, then esbuild's API will fail with a confusing serialization error message that makes it seem like esbuild has a bug even though the real problem is that the JavaScript environment itself is broken. This can happen when using the test framework called Jest. With this release, esbuild's API will now throw earlier when it detects that the environment is unable to encode UTF-8 text correctly with an error message that makes it more clear that this is not a problem with esbuild.
-
Change the default "legal comment" behavior
The legal comments feature automatically gathers comments containing @license
or @preserve
and puts the comments somewhere (either in the generated code or in a separate file). People sometimes want this to happen so that the their dependencies' software licenses are retained in the generated output code. By default esbuild puts these comments at the end of the file when bundling. However, people sometimes find this confusing because these comments can be very generic and may not mention which library they come from. So with this release, esbuild will now discard legal comments by default. You now have to opt-in to preserving them if you want this behavior.
-
Enable the module
condition by default (#2417)
Package authors want to be able to use the new exports
field in package.json
to provide tree-shakable ESM code for ESM-aware bundlers while simultaneously providing fallback CommonJS code for other cases.
Node's proposed way to do this involves using the import
and require
export conditions so that you get the ESM code if you use an import statement and the CommonJS code if you use a require call. However, this has a major drawback: if some code in the bundle uses an import statement and other code in the bundle uses a require call, then you'll get two copies of the same package in the bundle. This is known as the dual package hazard and can lead to bloated bundles or even worse to subtle logic bugs.
Webpack supports an alternate solution: an export condition called module
that takes effect regardless of whether the package was imported using an import statement or a require call. This works because bundlers such as Webpack support importing a ESM using a require call (something node doesn't support). You could already do this with esbuild using --conditions=module
but you previously had to explicitly enable this. Package authors are concerned that esbuild users won't know to do this and will get suboptimal output with their package, so they have requested for esbuild to do this automatically.
So with this release, esbuild will now automatically add the module
condition when there aren't any custom conditions
already configured. You can disable this with --conditions=
or conditions: []
(i.e. explicitly clearing all custom conditions).
-
Rename the master
branch to main
The primary branch for this repository was previously called master
but is now called main
. This change mirrors a similar change in many other projects.
-
Remove esbuild's _exit(0)
hack for WebAssembly (#714)
Node had an unfortunate bug where the node process is unnecessarily kept open while a WebAssembly module is being optimized: https://github.com/nodejs/node/issues/36616. This means cases where running esbuild
should take a few milliseconds can end up taking many seconds instead.
The workaround was to force node to exit by ending the process early. This was done by esbuild in one of two ways depending on the exit code. For non-zero exit codes (i.e. when there is a build error), the esbuild
command could just call process.kill(process.pid)
to avoid the hang. But for zero exit codes, esbuild had to load a N-API native node extension that calls the operating system's exit(0)
function.
However, this problem has essentially been fixed in node starting with version 18.3.0. So I have removed this hack from esbuild. If you are using an earlier version of node with esbuild-wasm
and you don't want the esbuild
command to hang for a while when exiting, you can upgrade to node 18.3.0 or higher to remove the hang.
The fix came from a V8 upgrade: this commit enabled dynamic tiering for WebAssembly by default for all projects that use V8's WebAssembly implementation. Previously all functions in the WebAssembly module were optimized in a single batch job but with dynamic tiering, V8 now optimizes individual WebAssembly functions as needed. This avoids unnecessary WebAssembly compilation which allows node to exit on time.
-
Remove duplicate CSS rules across files (#2688)
When two or more CSS rules are exactly the same (even if they are not adjacent), all but the last one can safely be removed:
/* Before */
a { color: red; }
span { font-weight: bold; }
a { color: red; }
/* After */
span { font-weight: bold; }
a { color: red; }
Previously esbuild only did this transformation within a single source file. But with this release, esbuild will now do this transformation across source files, which may lead to smaller CSS output if the same rules are repeated across multiple CSS source files in the same bundle. This transformation is only enabled when minifying (specifically when syntax minification is enabled).
-
Add deno
as a valid value for target
(#2686)
The target
setting in esbuild allows you to enable or disable JavaScript syntax features for a given version of a set of target JavaScript VMs. Previously Deno was not one of the JavaScript VMs that esbuild supported with target
, but it will now be supported starting from this release. For example, versions of Deno older than v1.2 don't support the new ||=
operator, so adding e.g. --target=deno1.0
to esbuild now lets you tell esbuild to transpile ||=
to older JavaScript.
-
Fix the esbuild-wasm
package in Node v19 (#2683)
A recent change to Node v19 added a non-writable crypto
property to the global object: https://github.com/nodejs/node/pull/44897. This conflicts with Go's WebAssembly shim code, which overwrites the global crypto
property. As a result, all Go-based WebAssembly code that uses the built-in shim (including esbuild) is now broken on Node v19. This release of esbuild fixes the issue by reconfiguring the global crypto
property to be writable before invoking Go's WebAssembly shim code.
-
Fix CSS dimension printing exponent confusion edge case (#2677)
In CSS, a dimension token has a numeric "value" part and an identifier "unit" part. For example, the dimension token 32px
has a value of 32
and a unit of px
. The unit can be any valid CSS identifier. The value can be any number in floating-point format including an optional exponent (e.g. -3.14e-0
has an exponent of e-0
). The full details of this syntax are here: https://www.w3.org/TR/css-syntax-3/.
To maintain the integrity of the dimension token through the printing process, esbuild must handle the edge case where the unit looks like an exponent. One such case is the dimension 1e\32
which has the value 1
and the unit e2
. It would be bad if this dimension token was printed such that a CSS parser would parse it as a number token with the value 1e2
instead of a dimension token. The way esbuild currently does this is to escape the leading e
in the dimension unit, so esbuild would parse 1e\32
but print 1\65 2
(both 1e\32
and 1\65 2
represent a dimension token with a value of 1
and a unit of e2
).
However, there is an even narrower edge case regarding this edge case. If the value part of the dimension token itself has an e
, then it's not necessary to escape the e
in the dimension unit because a CSS parser won't confuse the unit with the exponent even though it looks like one (since a number can only have at most one exponent). This came up because the grammar for the CSS unicode-range
property uses a hack that lets you specify a hexadecimal range without quotes even though CSS has no token for a hexadecimal range. The hack is to allow the hexadecimal range to be parsed as a dimension token and optionally also a number token. Here is the grammar for unicode-range
:
unicode-range =
<urange>#
<urange> =
u '+' <ident-token> '?'* |
u <dimension-token> '?'* |
u <number-token> '?'* |
u <number-token> <dimension-token> |
u <number-token> <number-token> |
u '+' '?'+
and here is an example unicode-range
declaration that was problematic for esbuild:
@​font-face {
unicode-range: U+0e2e-0e2f;
}
This is parsed as a dimension with a value of +0e2
and a unit of e-0e2f
. This was problematic for esbuild because the unit starts with e-0
which could be confused with an exponent when appended after a number, so esbuild was escaping the e
character in the unit. However, this escaping is unnecessary because in this case the dimension value already has an exponent in it. With this release, esbuild will no longer unnecessarily escape the e
in the dimension unit in these cases, which should fix the printing of unicode-range
declarations.
An aside: You may be wondering why esbuild is trying to escape the e
at all and why it doesn't just pass through the original source code unmodified. The reason why esbuild does this is that, for robustness, esbuild's AST generally tries to omit semantically-unrelated information and esbuild's code printers always try to preserve the semantics of the underlying AST. That way the rest of esbuild's internals can just deal with semantics instead of presentation. They don't have to think about how the AST will be printed when changing the AST. This is the same reason that esbuild's JavaScript AST doesn't have a "parentheses" node (e.g. a * (b + c)
is represented by the AST multiply(a, add(b, c))
instead of multiply(a, parentheses(add(b, c)))
). Instead, the printer automatically inserts parentheses as necessary to maintain the semantics of the AST, which means all of the optimizations that run over the AST don't have to worry about keeping the parentheses up to date. Similarly, the CSS AST for the dimension token stores the actual unit and the printer makes sure the unit is properly escaped depending on what value it's placed after. All of the other code operating on CSS ASTs doesn't have to worry about parsing escapes to compare units or about keeping escapes up to date when the AST is modified. Hopefully that makes sense.
-
Attempt to avoid creating the node_modules/.cache
directory for people that use Yarn 2+ in Plug'n'Play mode (#2685)
When Yarn's PnP mode is enabled, packages installed by Yarn may or may not be put inside .zip
files. The specific heuristics for when this happens change over time in between Yarn versions. This is problematic for esbuild because esbuild's JavaScript package needs to execute a binary file inside the package. Yarn makes extensive modifications to Node's file system APIs at run time to pretend that .zip
files are normal directories and to make it hard to tell whether a file is real or not (since in theory it doesn't matter). But they haven't modified Node's child_process.execFileSync
API so attempting to execute a file inside a zip file fails. To get around this, esbuild previously used Node's file system APIs to copy the binary executable to another location before invoking execFileSync
. Under the hood this caused Yarn to extract the file from the zip file into a real file that can then be run.
However, esbuild copied its executable into node_modules/.cache/esbuild
. This is the official recommendation from the Yarn team for where packages are supposed to put these types of files when Yarn PnP is being used. However, users of Yarn PnP with esbuild find this really annoying because they don't like looking at the node_modules
directory. With this release, esbuild now sets "preferUnplugged": true
in its package.json
files, which tells newer versions of Yarn to not put esbuild's packages in a zip file. There may exist older versions of Yarn that don't support preferUnplugged
. In that case esbuild should still copy the executable to a cache directory, so it should still run (hopefully, since I haven't tested this myself). Note that esbuild setting "preferUnplugged": true
may have the side effect of esbuild taking up more space on the file system in the event that multiple platforms are installed simultaneously, or that you're using an older version of Yarn that always installs packages for all platforms. In that case you may want to update to a newer version of Yarn since Yarn has recently changed to only install packages for the current platform.