Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update all non-major dependencies #36

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): update all non-major dependencies #36

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Apr 22, 2024
edited

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
@babel/types (source) ^7.24.0 -> ^7.24.7 age adoption passing confidence
@sxzz/eslint-config ^3.9.1 -> ^3.12.1 age adoption passing confidence
@types/node (source) ^20.12.7 -> ^20.14.2 age adoption passing confidence
ast-kit ^0.12.1 -> ^0.12.2 age adoption passing confidence
bumpp ^9.4.0 -> ^9.4.1 age adoption passing confidence
esbuild ^0.20.2 -> ^0.21.5 age adoption passing confidence
eslint (source) ^9.0.0 -> ^9.4.0 age adoption passing confidence
magic-string-ast ^0.5.0 -> ^0.6.1 age adoption passing confidence
pnpm (source) 9.0.1 -> 9.3.0 age adoption passing confidence
prettier (source) ^3.2.5 -> ^3.3.2 age adoption passing confidence
rollup (source) ^4.14.3 -> ^4.18.0 age adoption passing confidence
tsup (source) ^8.0.2 -> ^8.1.0 age adoption passing confidence
tsx ^4.7.2 -> ^4.15.2 age adoption passing confidence
vite (source) ^5.2.9 -> ^5.2.13 age adoption passing confidence
vite-node (source) ^1.5.0 -> ^1.6.0 age adoption passing confidence
vitest (source) ^1.5.0 -> ^1.6.0 age adoption passing confidence
vue (source) ^3.4.23 -> ^3.4.27 age adoption passing confidence

Release Notes

babel/babel (@​babel/types)

v7.24.7

Compare Source

🐛 Bug Fix
🏠 Internal
  • babel-helpers, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime

v7.24.6

Compare Source

🐛 Bug Fix
  • babel-helper-create-class-features-plugin, babel-plugin-transform-class-properties
  • babel-core, babel-generator, babel-plugin-transform-modules-commonjs
  • babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • babel-helpers, babel-plugin-proposal-decorators, babel-runtime-corejs3
  • babel-parser, babel-plugin-transform-typescript
🏠 Internal
  • babel-core, babel-helpers, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • babel-helpers
  • babel-cli, babel-helpers, babel-plugin-external-helpers, babel-plugin-proposal-decorators, babel-plugin-transform-class-properties, babel-plugin-transform-modules-commonjs, babel-plugin-transform-modules-systemjs, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • babel-parser, babel-traverse
  • Other

v7.24.5

Compare Source

🐛 Bug Fix
💅 Polish
🏠 Internal
  • Other
  • babel-parser
  • babel-helper-create-class-features-plugin, babel-helper-member-expression-to-functions, babel-helper-module-transforms, babel-helper-split-export-declaration, babel-helper-wrap-function, babel-helpers, babel-plugin-bugfix-firefox-class-in-computed-class-key, babel-plugin-proposal-explicit-resource-management, babel-plugin-transform-block-scoping, babel-plugin-transform-destructuring, babel-plugin-transform-object-rest-spread, babel-plugin-transform-optional-chaining, babel-plugin-transform-parameters, babel-plugin-transform-private-property-in-object, babel-plugin-transform-react-jsx-self, babel-plugin-transform-typeof-symbol, babel-plugin-transform-typescript, babel-traverse
  • babel-plugin-proposal-partial-application, babel-types
  • babel-plugin-transform-class-properties, babel-preset-env
🏃‍♀️ Performance
  • babel-helpers, babel-preset-env, babel-runtime-corejs3
sxzz/eslint-config (@​sxzz/eslint-config)

v3.12.1

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v3.12.0

Compare Source

   🚀 Features
   🐞 Bug Fixes
    View changes on GitHub

v3.11.0

Compare Source

   🚀 Features
    View changes on GitHub

v3.10.1

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v3.10.0

Compare Source

   🚨 Breaking Changes
   🐞 Bug Fixes
    View changes on GitHub
sxzz/ast-kit (ast-kit)

v0.12.2

Compare Source

   🚀 Features
   🐞 Bug Fixes
    View changes on GitHub
antfu/bumpp (bumpp)

v9.4.1

Compare Source

evanw/esbuild (esbuild)

v0.21.5

Compare Source

  • Fix Symbol.metadata on classes without a class decorator (#​3781)

    This release fixes a bug with esbuild's support for the decorator metadata proposal. Previously esbuild only added the Symbol.metadata property to decorated classes if there was a decorator on the class element itself. However, the proposal says that the Symbol.metadata property should be present on all classes that have any decorators at all, not just those with a decorator on the class element itself.

  • Allow unknown import attributes to be used with the copy loader (#​3792)

    Import attributes (the with keyword on import statements) are allowed to alter how that path is loaded. For example, esbuild cannot assume that it knows how to load ./bagel.js as type bagel:

    // This is an error with "--bundle" without also using "--external:./bagel.js"
import tasty from "./bagel.js" with { type: "bagel" }

    Because of that, bundling this code with esbuild is an error unless the file ./bagel.js is external to the bundle (such as with --bundle --external:./bagel.js).

    However, there is an additional case where it's ok for esbuild to allow this: if the file is loaded using the copy loader. That's because the copy loader behaves similarly to --external in that the file is left external to the bundle. The difference is that the copy loader copies the file into the output folder and rewrites the import path while --external doesn't. That means the following will now work with the copy loader (such as with --bundle --loader:.bagel=copy):

    // This is no longer an error with "--bundle" and "--loader:.bagel=copy"
import tasty from "./tasty.bagel" with { type: "bagel" }

  • Support import attributes with glob-style imports (#​3797)

    This release adds support for import attributes (the with option) to glob-style imports (dynamic imports with certain string literal patterns as paths). These imports previously didn't support import attributes due to an oversight. So code like this will now work correctly:

    async function loadLocale(locale: string): Locale {
  const data = await import(`./locales/${locale}.data`, { with: { type: 'json' } })
  return unpackLocale(locale, data)
}

    Previously this didn't work even though esbuild normally supports forcing the JSON loader using an import attribute. Attempting to do this used to result in the following error:

    ✘ [ERROR] No loader is configured for ".data" files: locales/en-US.data

    example.ts:2:28:
      2 │   const data = await import(`./locales/${locale}.data`, { with: { type: 'json' } })
        ╵                             ~~~~~~~~~~~~~~~~~~~~~~~~~~

    In addition, this change means plugins can now access the contents of with for glob-style imports.

  • Support ${configDir} in tsconfig.json files (#​3782)

    This adds support for a new feature from the upcoming TypeScript 5.5 release. The character sequence ${configDir} is now respected at the start of baseUrl and paths values, which are used by esbuild during bundling to correctly map import paths to file system paths. This feature lets base tsconfig.json files specified via extends refer to the directory of the top-level tsconfig.json file. Here is an example:

    {
  "compilerOptions": {
    "paths": {
      "js/*": ["${configDir}/dist/js/*"]
    }
  }
}

    You can read more in TypeScript's blog post about their upcoming 5.5 release. Note that this feature does not make use of template literals (you need to use "${configDir}/dist/js/*" not `${configDir}/dist/js/*`). The syntax for tsconfig.json is still just JSON with comments, and JSON syntax does not allow template literals. This feature only recognizes ${configDir} in strings for certain path-like properties, and only at the beginning of the string.

  • Fix internal error with --supported:object-accessors=false (#​3794)

    This release fixes a regression in 0.21.0 where some code that was added to esbuild's internal runtime library of helper functions for JavaScript decorators fails to parse when you configure esbuild with --supported:object-accessors=false. The reason is that esbuild introduced code that does { get [name]() {} } which uses both the object-extensions feature for the [name] and the object-accessors feature for the get, but esbuild was incorrectly only checking for object-extensions and not for object-accessors. Additional tests have been added to avoid this type of issue in the future. A workaround for this issue in earlier releases is to also add --supported:object-extensions=false.

v0.21.4

Compare Source

  • Update support for import assertions and import attributes in node (#​3778)

    Import assertions (the assert keyword) have been removed from node starting in v22.0.0. So esbuild will now strip them and generate a warning with --target=node22 or above:

    ▲ [WARNING] The "assert" keyword is not supported in the configured target environment ("node22") [assert-to-with]

    example.mjs:1:40:
      1 │ import json from "esbuild/package.json" assert { type: "json" }
        │                                         ~~~~~~
        ╵                                         with

  Did you mean to use "with" instead of "assert"?

    Import attributes (the with keyword) have been backported to node 18 starting in v18.20.0. So esbuild will no longer strip them with --target=node18.N if N is 20 or greater.

  • Fix for await transform when a label is present

    This release fixes a bug where the for await transform, which wraps the loop in a try statement, previously failed to also move the loop's label into the try statement. This bug only affects code that uses both of these features in combination. Here's an example of some affected code:

    // Original code
async function test() {
  outer: for await (const x of [Promise.resolve([0, 1])]) {
    for (const y of x) if (y) break outer
    throw 'fail'
  }
}

// Old output (with --target=es6)
function test() {
  return __async(this, null, function* () {
    outer: try {
      for (var iter = __forAwait([Promise.resolve([0, 1])]), more, temp, error; more = !(temp = yield iter.next()).done; more = false) {
        const x = temp.value;
        for (const y of x) if (y) break outer;
        throw "fail";
      }
    } catch (temp) {
      error = [temp];
    } finally {
      try {
        more && (temp = iter.return) && (yield temp.call(iter));
      } finally {
        if (error)
          throw error[0];
      }
    }
  });
}

// New output (with --target=es6)
function test() {
  return __async(this, null, function* () {
    try {
      outer: for (var iter = __forAwait([Promise.resolve([0, 1])]), more, temp, error; more = !(temp = yield iter.next()).done; more = false) {
        const x = temp.value;
        for (const y of x) if (y) break outer;
        throw "fail";
      }
    } catch (temp) {
      error = [temp];
    } finally {
      try {
        more && (temp = iter.return) && (yield temp.call(iter));
      } finally {
        if (error)
          throw error[0];
      }
    }
  });
}

  • Do additional constant folding after cross-module enum inlining (#​3416, #​3425)

    This release adds a few more cases where esbuild does constant folding after cross-module enum inlining.

    // Original code: enum.ts
export enum Platform {
  WINDOWS = 'windows',
  MACOS = 'macos',
  LINUX = 'linux',
}

// Original code: main.ts
import { Platform } from './enum';
declare const PLATFORM: string;
export function logPlatform() {
  if (PLATFORM == Platform.WINDOWS) console.log('Windows');
  else if (PLATFORM == Platform.MACOS) console.log('macOS');
  else if (PLATFORM == Platform.LINUX) console.log('Linux');
  else console.log('Other');
}

// Old output (with --bundle '--define:PLATFORM="macos"' --minify --format=esm)
function n(){"windows"=="macos"?console.log("Windows"):"macos"=="macos"?console.log("macOS"):"linux"=="macos"?console.log("Linux"):console.log("Other")}export{n as logPlatform};

// New output (with --bundle '--define:PLATFORM="macos"' --minify --format=esm)
function n(){console.log("macOS")}export{n as logPlatform};

  • Pass import attributes to on-resolve plugins (#​3384, #​3639, #​3646)

    With this release, on-resolve plugins will now have access to the import attributes on the import via the with property of the arguments object. This mirrors the with property of the arguments object that's already passed to on-load plugins. In addition, you can now pass with to the resolve() API call which will then forward that value on to all relevant plugins. Here's an example of a plugin that can now be written:

    const examplePlugin = {
  name: 'Example plugin',
  setup(build) {
    build.onResolve({ filter: /.*/ }, args => {
      if (args.with.type === 'external')
        return { external: true }
    })
  }
}

require('esbuild').build({
  stdin: {
    contents: `
      import foo from "./foo" with { type: "external" }
      foo()
    `,
  },
  bundle: true,
  format: 'esm',
  write: false,
  plugins: [examplePlugin],
}).then(result => {
  console.log(result.outputFiles[0].text)
})

  • Formatting support for the @position-try rule (#​3773)

    Chrome shipped this new CSS at-rule in version 125 as part of the CSS anchor positioning API. With this release, esbuild now knows to expect a declaration list inside of the @position-try body block and will format it appropriately.

  • Always allow internal string import and export aliases (#​3343)

    Import and export names can be string literals in ES2022+. Previously esbuild forbid any usage of these aliases when the target was below ES2022. Starting with this release, esbuild will only forbid such usage when the alias would otherwise end up in output as a string literal. String literal aliases that are only used internally in the bundle and are "compiled away" are no longer errors. This makes it possible to use string literal aliases with esbuild's inject feature even when the target is earlier than ES2022.

v0.21.3

Compare Source

  • Implement the decorator metadata proposal (#​3760)

    This release implements the decorator metadata proposal, which is a sub-proposal of the decorators proposal. Microsoft shipped the decorators proposal in TypeScript 5.0 and the decorator metadata proposal in TypeScript 5.2, so it's important that esbuild also supports both of these features. Here's a quick example:

    // Shim the "Symbol.metadata" symbol
Symbol.metadata ??= Symbol('Symbol.metadata')

const track = (_, context) => {
  (context.metadata.names ||= []).push(context.name)
}

class Foo {
  @​track foo = 1
  @​track bar = 2
}

// Prints ["foo", "bar"]
console.log(Foo[Symbol.metadata].names)

    ⚠️ WARNING ⚠️

    This proposal has been marked as "stage 3" which means "recommended for implementation". However, it's still a work in progress and isn't a part of JavaScript yet, so keep in mind that any code that uses JavaScript decorator metadata may need to be updated as the feature continues to evolve. If/when that happens, I will update esbuild's implementation to match the specification. I will not be supporting old versions of the specification.

  • Fix bundled decorators in derived classes (#​3768)

    In certain cases, bundling code that uses decorators in a derived class with a class body that references its own class name could previously generate code that crashes at run-time due to an incorrect variable name. This problem has been fixed. Here is an example of code that was compiled incorrectly before this fix:

    class Foo extends Object {
  @​(x => x) foo() {
    return Foo
  }
}
console.log(new Foo().foo())

  • Fix tsconfig.json files inside symlinked directories (#​3767)

    This release fixes an issue with a scenario involving a tsconfig.json file that extends another file from within a symlinked directory that uses the paths feature. In that case, the implicit baseURL value should be based on the real path (i.e. after expanding all symbolic links) instead of the original path. This was already done for other files that esbuild resolves but was not yet done for tsconfig.json because it's special-cased (the regular path resolver can't be used because the information inside tsconfig.json is involved in path resolution). Note that this fix no longer applies if the --preserve-symlinks setting is enabled.

v0.21.2

Compare Source

  • Correct this in field and accessor decorators (#​3761)

    This release changes the value of this in initializers for class field and accessor decorators from the module-level this value to the appropriate this value for the decorated element (either the class or the instance). It was previously incorrect due to lack of test coverage. Here's an example of a decorator that doesn't work without this change:

    const dec = () => function() { this.bar = true }
class Foo { @​dec static foo }
console.log(Foo.bar) // Should be "true"

  • Allow es2023 as a target environment (#​3762)

    TypeScript recently added es2023 as a compilation target, so esbuild now supports this too. There is no difference between a target of es2022 and es2023 as far as esbuild is concerned since the 2023 edition of JavaScript doesn't introduce any new syntax features.

v0.21.1

Compare Source

  • Fix a regression with --keep-names (#​3756)

    The previous release introduced a regression with the --keep-names setting and object literals with get/set accessor methods, in which case the generated code contained syntax errors. This release fixes the regression:

    // Original code
x = { get y() {} }

// Output from version 0.21.0 (with --keep-names)
x = { get y: /* @​__PURE__ */ __name(function() {
}, "y") };

// Output from this version (with --keep-names)
x = { get y() {
} };

v0.21.0

Compare Source

This release doesn't contain any deliberately-breaking changes. However, it contains a very complex new feature and while all of esbuild's tests pass, I would not be surprised if an important edge case turns out to be broken. So I'm releasing this as a breaking change release to avoid causing any trouble. As usual, make sure to test your code when you upgrade.

  • Implement the JavaScript decorators proposal (#​104)

    With this release, esbuild now contains an implementation of the upcoming JavaScript decorators proposal. This is the same feature that shipped in TypeScript 5.0 and has been highly-requested on esbuild's issue tracker. You can read more about them in that blog post and in this other (now slightly outdated) extensive blog post here: https://2ality.com/2022/10/javascript-decorators.html. Here's a quick example:

    const log = (fn, context) => function() {
  console.log(`before ${context.name}`)
  const it = fn.apply(this, arguments)
  console.log(`after ${context.name}`)
  return it
}

class Foo {
  @​log static foo() {
    console.log('in foo')
  }
}

// Logs "before foo", "in foo", "after foo"
Foo.foo()

    Note that this feature is different than the existing "TypeScript experimental decorators" feature that esbuild already implements. It uses similar syntax but behaves very differently, and the two are not compatible (although it's sometimes possible to write decorators that work with both). TypeScript experimental decorators will still be supported by esbuild going forward as they have been around for a long time, are very widely used, and let you do certain things that are not possible with JavaScript decorators (such as decorating function parameters). By default esbuild will parse and transform JavaScript decorators, but you can tell esbuild to parse and transform TypeScript experimental decorators instead by setting "experimentalDecorators": true in your tsconfig.json file.

    Probably at least half of the work for this feature went into creating a test suite that exercises many of the proposal's edge cases: https://github.com/evanw/decorator-tests. It has given me a reasonable level of confidence that esbuild's initial implementation is acceptable. However, I don't have access to a significant sample of real code that uses JavaScript decorators. If you're currently using JavaScript decorators in a real code base, please try out esbuild's implementation and let me know if anything seems off.

    ⚠️ WARNING ⚠️

    This proposal has been in the works for a very long time (work began around 10 years ago in 2014) and it is finally getting close to becoming part of the JavaScript language. However, it's still a work in progress and isn't a part of JavaScript yet, so keep in mind that any code that uses JavaScript decorators may need to be updated as the feature continues to evolve. The decorators proposal is pretty close to its final form but it can and likely will undergo some small behavioral adjustments before it ends up becoming a part of the standard. If/when that happens, I will update esbuild's implementation to match the specification. I will not be supporting old versions of the specification.

  • Optimize the generated code for private methods

    Previously when lowering private methods for old browsers, esbuild would generate one WeakSet for each private method. This mirrors similar logic for generating one WeakSet for each private field. Using a separate WeakMap for private fields is necessary as their assignment can be observable:

    let it
class Bar {
  constructor() {
    it = this
  }
}
class Foo extends Bar {
  #x = 1
  #y = null.foo
  static check() {
    console.log(#x in it, #y in it)
  }
}
try { new Foo } catch {}
Foo.check()

    This prints true false because this partially-initialized instance has #x but not #y. In other words, it's not true that all class instances will always have all of their private fields. However, the assignment of private methods to a class instance is not observable. In other words, it's true that all class instances will always have all of their private methods. This means esbuild can lower private methods into code where all methods share a single WeakSet, which is smaller, faster, and uses less memory. Other JavaScript processing tools such as the TypeScript compiler already make this optimization. Here's what this change looks like:

    // Original code
class Foo {
  #x() { return this.#x() }
  #y() { return this.#y() }
  #z() { return this.#z() }
}

// Old output (--supported:class-private-method=false)
var _x, x_fn, _y, y_fn, _z, z_fn;
class Foo {
  constructor() {
    __privateAdd(this, _x);
    __privateAdd(this, _y);
    __privateAdd(this, _z);
  }
}
_x = new WeakSet();
x_fn = function() {
  return __privateMethod(this, _x, x_fn).call(this);
};
_y = new WeakSet();
y_fn = function() {
  return __privateMethod(this, _y, y_fn).call(this);
};
_z = new WeakSet();
z_fn = function() {
  return __privateMethod(this, _z, z_fn).call(this);
};

// New output (--supported:class-private-method=false)
var _Foo_instances, x_fn, y_fn, z_fn;
class Foo {
  constructor() {
    __privateAdd(this, _Foo_instances);
  }
}
_Foo_instances = new WeakSet();
x_fn = function() {
  return __privateMethod(this, _Foo_instances, x_fn).call(this);
};
y_fn = function() {
  return __privateMethod(this, _Foo_instances, y_fn).call(this);
};
z_fn = function() {
  return __privateMethod(this, _Foo_instances, z_fn).call(this);
};

  • Fix an obscure bug with lowering class members with computed property keys

    When class members that use newer syntax features are transformed for older target environments, they sometimes need to be relocated. However, care must be taken to not reorder any side effects caused by computed property keys. For example, the following code must evaluate a() then b() then c():

    class Foo {
  [a()]() {}
  [b()];
  static { c() }
}

    Previously esbuild did this by shifting the computed property key forward to the next spot in the evaluation order. Classes evaluate all computed keys first and then all static class elements, so if the last computed key needs to be shifted, esbuild previously inserted a static block at start of the class body, ensuring it came before all other static class elements:

    var _a;
class Foo {
  constructor() {
    __publicField(this, _a);
  }
  static {
    _a = b();
  }
  [a()]() {
  }
  static {
    c();
  }
}

    However, this could cause esbuild to accidentally generate a syntax error if the computed property key contains code that isn't allowed in a static block, such as an await expression. With this release, esbuild fixes this problem by shifting the computed property key backward to the previous spot in the evaluation order instead, which may push it into the extends clause or even before the class itself:

    // Original code
class Foo {
  [a()]() {}
  [await b()];
  static { c() }
}

// Old output (with --supported:class-field=false)
var _a;
class Foo {
  constructor() {
    __publicField(this, _a);
  }
  static {
    _a = await b();
  }
  [a()]() {
  }
  static {
    c();
  }
}

// New output (with --supported:class-field=false)
var _a, _b;
class Foo {
  constructor() {
    __publicField(this, _a);
  }
  [(_b = a(), _a = await b(), _b)]() {
  }
  static {
    c();
  }
}

  • Fix some --keep-names edge cases

    The NamedEvaluation syntax-directed operation in the JavaScript specification gives certain anonymous expressions a name property depending on where they are in the syntax tree. For example, the following initializers convey a name value:

    var foo = function() {}
var bar = class {}
console.log(foo.name, bar.name)

    When you enable esbuild's --keep-names setting, esbuild generates additional code to represent this NamedEvaluation operation so that the value of the name property persists even when the identifiers are renamed (e.g. due to minification).

    However, I recently learned that esbuild's implementation of NamedEvaluation is missing a few cases. Specifically esbuild was missing property definitions, class initializers, logical-assignment operators. These cases should now all be handled:

    var obj = { foo: function() {} }
class Foo0 { foo = function() {} }
class Foo1 { static foo = function() {} }
class Foo2 { accessor foo = function() {} }
class Foo3 { static accessor foo = function() {} }
foo ||= function() {}
foo &&= function() {}
foo ??= function() {}
eslint/eslint (eslint)

v9.4.0

Compare Source

v9.3.0

Compare Source

v9.2.0

Compare Source

v9.1.1

Compare Source

v9.1.0

Compare Source

sxzz/magic-string-ast (magic-string-ast)

v0.6.1

Compare Source

No significant changes

    View changes on GitHub

v0.6.0

Compare Source

   🚀 Features
    View changes on GitHub
pnpm/pnpm (pnpm)

v9.3.0

Compare Source

Minor Changes

  • Semi-breaking. Dependency key names in the lockfile are shortened if they are longer than 1000 characters. We don't expect this change to affect many users. Affected users most probably can't run install successfully at the moment. This change is required to fix some edge cases in which installation fails with an out-of-memory error or "Invalid string length (RangeError: Invalid string length)" error. The max allowed length of the dependency key can be controlled with the peers-suffix-max-length setting #​8177.

Patch Changes

  • Set reporter-hide-prefix to true by default for pnpm exec. In order to show prefix, the user now has to explicitly set reporter-hide-prefix=false #​8174.

Platinum Sponsors

Gold Sponsors

Configuration

📅 Schedule: Branch creation - "before 4am on Monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@stackblitz StackBlitz
Copy link

stackblitz bot commented Apr 22, 2024

Review PR in StackBlitz Codeflow Run & review this pull request in StackBlitz Codeflow.

@renovate renovate bot force-pushed the renovate/all-minor-patch branch 9 times, most recently from 0d80e46 to 918e221 Compare April 29, 2024 11:36
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 15 times, most recently from 4fa4168 to ed66eca Compare May 6, 2024 17:39
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 4 times, most recently from 2650d26 to 9cdb43f Compare May 8, 2024 12:37
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 7 times, most recently from f50052c to 398ceaf Compare May 31, 2024 21:01
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 7 times, most recently from 3e8a632 to 5036697 Compare June 5, 2024 16:05
@socket-security Socket Security
Copy link

socket-security bot commented Jun 5, 2024
edited

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert Package NoteSource
Install scripts npm/esbuild@0.21.5
Install scripts npm/esbuild@0.19.12

View full report↗︎

Next steps

What is an install script?

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

  • @SocketSecurity ignore npm/esbuild@0.21.5
  • @SocketSecurity ignore npm/esbuild@0.19.12

@renovate renovate bot force-pushed the renovate/all-minor-patch branch 7 times, most recently from 0c6be1f to ea04606 Compare June 9, 2024 00:21
@socket-security Socket Security
Copy link

socket-security bot commented Jun 9, 2024
edited

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/@types/node@20.14.2 None 0 2.09 MB types
npm/ast-kit@0.12.2 None +2 2.01 MB sxzz
npm/bumpp@9.4.1 environment, filesystem, unsafe Transitive: network, shell +69 6.93 MB antfu
npm/esbuild@0.21.5 environment, filesystem, network, shell +6 59.4 MB evanw
npm/eslint@9.4.0 environment Transitive: eval, filesystem, shell, unsafe +75 8.32 MB eslintbot
npm/magic-string-ast@0.6.1 None +1 465 kB sxzz
npm/prettier@3.3.2 None 0 0 B
npm/rollup@4.18.0 environment, filesystem +1 2.45 MB lukastaegert
npm/tsx@4.15.2 None 0 0 B

🚮 Removed packages: npm/ast-kit@0.12.1, npm/bumpp@9.4.0, npm/esbuild@0.19.12, npm/eslint@9.0.0, npm/magic-string-ast@0.5.0, npm/prettier@3.2.5, npm/rollup@4.14.3, npm/tsx@4.7.2

View full report↗︎

@renovate renovate bot force-pushed the renovate/all-minor-patch branch 5 times, most recently from fa629e5 to b0cd810 Compare June 11, 2024 00:31
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from b0cd810 to 2b7eb64 Compare June 11, 2024 08:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
0 participants