Skip to content

Comments

chore(deps): update dependency esbuild to v0.27.3#8250

Merged
shulaoda merged 1 commit intomainfrom
renovate/npm-packages
Feb 9, 2026
Merged

chore(deps): update dependency esbuild to v0.27.3#8250
shulaoda merged 1 commit intomainfrom
renovate/npm-packages

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Feb 9, 2026

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
esbuild 0.27.20.27.3 age adoption passing confidence

Release Notes

evanw/esbuild (esbuild)

v0.27.3

Compare Source

  • Preserve URL fragments in data URLs (#​4370)

    Consider the following HTML, CSS, and SVG:

    • index.html:

      <!DOCTYPE html>
      <html>
        <head><link rel="stylesheet" href="icons.css"></head>
        <body><div class="triangle"></div></body>
      </html>
    • icons.css:

      .triangle {
        width: 10px;
        height: 10px;
        background: currentColor;
        clip-path: url(./triangle.svg#x);
      }
    • triangle.svg:

      <svg xmlns="http://www.w3.org/2000/svg">
        <defs>
          <clipPath id="x">
            <path d="M0 0H10V10Z"/>
          </clipPath>
        </defs>
      </svg>

    The CSS uses a URL fragment (the #x) to reference the clipPath element in the SVG file. Previously esbuild's CSS bundler didn't preserve the URL fragment when bundling the SVG using the dataurl loader, which broke the bundled CSS. With this release, esbuild will now preserve the URL fragment in the bundled CSS:

    /* icons.css */
    .triangle {
      width: 10px;
      height: 10px;
      background: currentColor;
      clip-path: url('data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg"><defs><clipPath id="x"><path d="M0 0H10V10Z"/></clipPath></defs></svg>#x');
    }
  • Parse and print CSS @scope rules (#​4322)

    This release includes dedicated support for parsing @scope rules in CSS. These rules include optional "start" and "end" selector lists. One important consequence of this is that the local/global status of names in selector lists is now respected, which improves the correctness of esbuild's support for CSS modules. Minification of selectors inside @scope rules has also improved slightly.

    Here's an example:

    /* Original code */
    @&#8203;scope (:global(.foo)) to (:local(.bar)) {
      .bar {
        color: red;
      }
    }
    
    /* Old output (with --loader=local-css --minify) */
    @&#8203;scope (:global(.foo)) to (:local(.bar)){.o{color:red}}
    
    /* New output (with --loader=local-css --minify) */
    @&#8203;scope(.foo)to (.o){.o{color:red}}
  • Fix a minification bug with lowering of for await (#​4378, #​4385)

    This release fixes a bug where the minifier would incorrectly strip the variable in the automatically-generated catch clause of lowered for await loops. The code that generated the loop previously failed to mark the internal variable references as used.

  • Update the Go compiler from v1.25.5 to v1.25.7 (#​4383, #​4388)

    This PR was contributed by @​MikeWillCook.


Configuration

📅 Schedule: Branch creation - "before 10am on monday" in timezone Asia/Shanghai, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot enabled auto-merge (squash) February 9, 2026 01:11
@netlify
Copy link

netlify bot commented Feb 9, 2026

Deploy Preview for rolldown-rs canceled.

Name Link
🔨 Latest commit 2197f1f
🔍 Latest deploy log https://app.netlify.com/projects/rolldown-rs/deploys/698934519431310008dc397f

@socket-security
Copy link

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatedesbuild@​0.27.2 ⏵ 0.27.3911007392100
Addedutil-deprecate@​1.0.21001008375100
Addedsource-map-support@​0.5.2110010010083100
Addedsource-map@​0.7.610010010087100
Addedzx@​8.8.5931009090100
Addedtypescript@​5.9.31001009010090

View full report

@socket-security
Copy link

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm safer-buffer is 94.0% likely obfuscated

Confidence: 0.94

Location: Package overview

From: pnpm-lock.yamlnpm/@napi-rs/[email protected]npm/[email protected]

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@shulaoda shulaoda disabled auto-merge February 9, 2026 03:43
@shulaoda shulaoda merged commit b3d907f into main Feb 9, 2026
56 of 57 checks passed
@shulaoda shulaoda deleted the renovate/npm-packages branch February 9, 2026 03:43
This was referenced Feb 11, 2026
shulaoda added a commit that referenced this pull request Feb 11, 2026
## [1.0.0-rc.4] - 2026-02-11

💡 Granular `comments` Option
- New `output.comments` option provides fine-grained control over comment preservation
- The `output.legalComments` option is now deprecated and use `comments.legal` instead

### 🚀 Features

- rename error name to `RolldownError` from `RollupError` (#8262) by @sapphi-red
- add hidden `resolve_tsconfig` function for Vite (#8257) by @sapphi-red
- rust: introduce `rolldown_watcher` (#8161) by @hyf0
- unify `comments` and `legalComments` into a single granular `comments` option (#8229) by @IWANABETHATGUY
- add builtin plugin for visualizing chunk graph (#8162) by @IWANABETHATGUY
- show import declaration location in AssignToImport errors (#8222) by @Copilot
- show import declaration span in CannotCallNamespace error (#8223) by @Copilot
- emit error when plugin accidentally removes runtime module symbols (#8203) by @IWANABETHATGUY
- support tsconfig loading & inputMap for `transform` (#8180) by @sapphi-red
- rolldown_plugin_vite_reporter: update warning message to link to Rolldown docs (#8205) by @sapphi-red

### 🐛 Bug Fixes

- avoid panic on untranspiled JSX syntax by reporting a diagnostic error (#8226) by @IWANABETHATGUY
- rolldown_plugin_vite_import_glob: relax absolute path check and improve invalid glob warning (#8219) by @shulaoda
- merge chunks after detect circular reference (#8154) by @IWANABETHATGUY
- rust: detect runtime module side effects based on its content (#8209) by @hyf0

### 🚜 Refactor

- rename `other` to `jsdoc` in comments options (#8256) by @IWANABETHATGUY
- rename chunk-visualize plugin with bundle-analyzer plugin (#8255) by @IWANABETHATGUY
- remove EXPORT_UNDEFINED_VARIABLE error (#8228) by @Copilot
- consolidate missing runtime symbol errors into a single diagnostic (#8220) by @IWANABETHATGUY
- stabilize `parse` and `parseSync` (#8215) by @sapphi-red
- return errors instead of panicking on builtin plugin conversion failure (#8217) by @shulaoda
- expose `parse` / `minify` / `transform` from `rolldown/utils` (#8214) by @sapphi-red
- prepare defer chunk merging (#8153) by @IWANABETHATGUY

### 📚 Documentation

- remove `<script>` escape behavior difference note from `platform` option (#8253) by @sapphi-red
- TypeScript & JSX support by plugins (#8183) by @sapphi-red

### 🧪 Testing

- ensure runtime module is preserved even if it's not used but has side effects (#8213) by @hyf0

### ⚙️ Miscellaneous Tasks

- deps: update oxc to v0.113.0 (#8267) by @renovate[bot]
- deps: update dependency oxlint-tsgolint to v0.12.0 (#8272) by @renovate[bot]
- deps: update oxc apps (#8269) by @renovate[bot]
- deps: update test262 submodule for tests (#8261) by @sapphi-red
- deps: update crate-ci/typos action to v1.43.4 (#8260) by @renovate[bot]
- deps: update dependency esbuild to v0.27.3 (#8250) by @renovate[bot]
- deps: update rust crates (#8244) by @renovate[bot]
- deps: update dependency semver to v7.7.4 (#8247) by @renovate[bot]
- deps: update github-actions (#8243) by @renovate[bot]
- deps: update npm packages (#8245) by @renovate[bot]
- deps: update oxc resolver to v11.17.1 (#8240) by @renovate[bot]
- deps: update rust crate oxc_sourcemap to v6.0.2 (#8241) by @renovate[bot]
- rust: handle ignored `RUSTSEC-2025-0141` cargo check error (#8235) by @hyf0
- deps: update dependency oxlint-tsgolint to v0.11.5 (#8233) by @renovate[bot]
- deps: update dependency rolldown-plugin-dts to ^0.22.0 (#8232) by @renovate[bot]
- deps: update crate-ci/typos action to v1.43.3 (#8225) by @renovate[bot]
- deps: update dependency rolldown-plugin-dts to v0.21.9 (#8224) by @renovate[bot]
- deps: update crate-ci/typos action to v1.43.2 (#8212) by @renovate[bot]
- remove rolldown_plugin_vite_wasm_helper (#8207) by @shulaoda
- build docs for production (#8206) by @sapphi-red

Co-authored-by: shulaoda <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant