Sourced from dompurify's releases.
DOMPurify 3.4.11
- Fixed an issue with a leaky config for hooks via
setConfig, thanks@trace37labs- Bumped vulnerable development dependencies to arrive at plain 0 with
npm audit- Updated the
osv-scannersuppression list as no vulnerable dependencies are left for now- Updated up the linting tool-chain and removed now-redundant lint directives
- Updated the documentation is several spots, README, wiki, etc.
- Bumped several dependencies where possible
DOMPurify 3.4.10
- Refactored codebase for clarity: extracted the public type declarations into
types.ts- Decomposed the three largest sanitizer functions into focused helpers
- Removed duplicated defaults and dead branches, consolidated
SAFE_FOR_TEMPLATESscrubbing into single shared path- Improved per-node performance by hoisting the mXSS probe regexes and testing
textContentbeforeinnerHTML- Added a deterministic micro-benchmark harness (
npm run bench) with a--comparemode- Reduced CI cost by running the full three-engine browser suite once per PR
- Refreshed the
demos/folder so every demo runs again, and added a SVG-via-<img>demo- Documented the bench and
test:happydomscripts in the README- Completed the Attack Classes & Bypass History wiki page
- Bumped several dependencies where possible
DOMPurify 3.4.9
- Further improved the handling of Trusted Types config options, thanks
@offset- Further improved the handling of
IN_PLACEsanitization, thanks@mozfreddyb- Added more test coverage for
IN_PLACEand Trusted Types related usage- Bumped several dependencies where possible
- Updated README and wiki with more accurate documentation & attack samples
DOMPurify 3.4.8
- Cleaned up the repository root, renamed some and removed unneeded files
- Fixed an issue with handling of Trusted Types policies, thanks
@fulstadev- Fixed the node iterator for better template scrubbing, thanks
@IamLeandrooooo- Included formerly missing LICENSE-MPL in published npm package, thanks
@asamuzaK- Bumped several dependencies where possible
DOMPurify 3.4.7
- Hardened the handling of Shadow Roots when using
IN_PLACE, thanks@GameZoneHacker- Removed a problem leading to permanent hook pollution, thanks
@offset- Refactored the test suite and expanded test coverage significantly
DOMPurify 3.4.6
- Fixed several issues with DOM Clobbering in
IN_PLACEmode, thanks@offset&@Bankde- Hardened the checks for cross-realm
IN_PLACEand Shadow DOM sanitization, thanks@offset&@Bankde- Added more test coverage for
IN_PLACEand general DOM Clobbering attacks- Bumped several dependencies where possible
DOMPurify 3.4.5
- Fixed a bypass caused by the new HTML element
selectedcontentadded in 3.4.4, thanks@KabirAcharyaNote that this is a security release for an issue introduced in 3.4.4 and should be upgraded to immediately.
... (truncated)
0cae518
release: 3.4.11 (#1494)6ee5716
release: 3.4.10 (#1478)5210247
release: 3.4.9 (#1459)bcdd828
release: 3.4.8 (#1439)ca30f07
release: 3.4.7 (#1414)bb7739e
release: 3.4.6 (#1394)011b0c7
release: 3.4.5 (#1382)5817ad9
release: 3.4.4 (#1374)520edb0
release: 3.4.3 (#1352)Sourced from vite's releases.
v8.0.16
Please refer to CHANGELOG.md for details.
v8.0.15
Please refer to CHANGELOG.md for details.
v8.0.14
Please refer to CHANGELOG.md for details.
v8.0.13
Please refer to CHANGELOG.md for details.
v8.0.12
Please refer to CHANGELOG.md for details.
v8.0.11
Please refer to CHANGELOG.md for details.
Sourced from vite's changelog.
8.0.16 (2026-06-01)
Bug Fixes
- deps: reject UNC paths for launch-editor-middleware (#22571) (50b9512)
- reject windows alternate paths (#22572) (dc245c7)
8.0.15 (2026-06-01)
Features
Bug Fixes
- capitalize error messages and remove spurious space in parse error (#22488) (85a0eff)
- deps: update all non-major dependencies (#22511) (2686d7d)
- dev: fix html-proxy cache key mismatch for /@fs/ HTML paths (#21762) (47c4213)
- glob: error on relative glob in virtual module when no files match (#22497) (5c8e98f)
- optimizer: close the rolldown bundle when write() rejects (#22528) (e3cfb9d)
- resolve: provide onWarn for viteResolvePlugin in JS plugin containers (#22509) (40985f1)
Miscellaneous Chores
Code Refactoring
8.0.14 (2026-05-21)
Features
Bug Fixes
- deps: update all non-major dependencies (#22471) (98b8163)
- dev: handle errors when sending messages to vite server (#22450) (e8e9a34)
- html: handle trailing slash paths in transformIndexHtml (#22480) (5d94d1b)
- optimizer: pass oxc jsx options to transformSync in dependency scan (#22342) (b3132da)
Miscellaneous Chores
- deps: update rolldown-related dependencies (#22470) (7cb728e)
- remove irrelevant commits from changelog (2c69495)
Code Refactoring
... (truncated)
f94df87
release: v8.0.16dc245c7
fix: reject windows alternate paths (#22572)50b9512
fix(deps): reject UNC paths for launch-editor-middleware (#22571)8d1b019
release: v8.0.152686d7d
fix(deps): update all non-major dependencies (#22511)3052a67
chore(deps): update rolldown-related dependencies (#22566)e3cfb9d
fix(optimizer): close the rolldown bundle when write() rejects (#22528)6978a9c
refactor: correct logic in collectAllModules function (#22562)646dbed
feat: update rolldown to 1.0.3 (#22538)85a0eff
fix: capitalize error messages and remove spurious space in parse error
(#22488)Sourced from @opentelemetry/core's releases.
v2.8.0
2.8.0
:rocket: Features
- feat(sdk-trace-base): pretty-print
SpanImpl,Tracer, andBasicTracerProviderviautil.inspectso they render throughdiagandconsole.log#6690@mcollina- feat(sdk-metrics): implement metric reader self-observability metrics #6449
@anuraaga- feat(core): add
hrTimeToSeconds#6449@anuraaga:bug: Bug Fixes
- fix(core): limit processing of incoming "baggage" header to 8192 bytes
@pichlermarc
Sourced from @opentelemetry/core's changelog.
2.8.0
:rocket: Features
- feat(sdk-trace-base): pretty-print
SpanImpl,Tracer, andBasicTracerProviderviautil.inspectso they render throughdiagandconsole.log#6690@mcollina- feat(sdk-metrics): implement metric reader self-observability metrics #6449
@anuraaga- feat(core): add
hrTimeToSeconds#6449@anuraaga:bug: Bug Fixes
- fix(core): limit processing of incoming "baggage" header to 8192 bytes
@pichlermarc
13a035b
chore: prepare next release (#6756)4b13587
Merge commit from fork71d195c
chore(renovate): set minimumReleaseAge to 3 days (#6792)555fca6
Update renovate.json to use matchManagers (#6141)b711a81
docs(otlp-exporter-base): add typedoc entry points so public API is
indexed a...da70402
fix(ci): supply-chain sec: disable caching in release-related workflow
(#6790)002267b
chore: complete the move to the smaller SPDX license header (#6791)056ef9c
feat(sdk-metrics): implement metric reader metrics (#6449)3bd69ce
fix(configuration): improve environment variable substitution to handle
all t...bfbda7c
docs(exporter-trace-otlp-grpc): import CompressionAlgorithm from
otlp-exporte...Sourced from esbuild's releases.
v0.28.1
Disallow
\in local development server HTTP requests (GHSA-g7r4-m6w7-qqqr)This release fixes a security issue where HTTP requests to esbuild's local development server could traverse outside of the serve directory on Windows using a
\backslash character. It happened due to the use of Go'spath.Clean()function, which only handles Unix-style/characters. HTTP requests with paths containing\are no longer allowed.Thanks to
@dellaliberafor reporting this issue.Add integrity checks to the Deno API (GHSA-gv7w-rqvm-qjhr)
The previous release of esbuild added integrity checks to esbuild's npm install script. This release also adds integrity checks to esbuild's Deno install script. Now esbuild's Deno API will also fail with an error if the downloaded esbuild binary contains something other than the expected content.
Note that esbuild's Deno API installs from
registry.npmjs.orgby default, but allows theNPM_CONFIG_REGISTRYenvironment variable to override this with a custom package registry. This change means that the esbuild executable served byNPM_CONFIG_REGISTRYmust now match the expected content.Thanks to
@sondt99for reporting this issue.Avoid inlining
usingandawait usingdeclarations (#4482)Previously esbuild's minifier sometimes incorrectly inlined
usingandawait usingdeclarations into subsequent uses of that declaration, which then fails to dispose of the resource correctly. This bug happened because inlining was done forletandconstdeclarations by avoiding doing it forvardeclarations, which no longer worked when more declaration types were added. Here's an example:// Original code { using x = new Resource() x.activate() }// Old output (with --minify)
new Resource().activate();// New output (with --minify)
{using e=new Resource;e.activate()}
Fix module evaluation when an error is thrown (#4461, #4467)
If an error is thrown during module evaluation, esbuild previously didn't preserve the state of the module for subsequent module references. This was observable if
import()orrequire()is used to import a module multiple times. The thrown error is supposed to be thrown by every call toimport()orrequire(), not just the first. With this release, esbuild will now throw the same error every time you callimport()orrequire()on a module that throws during its evaluation.Fix some edge cases around the
newoperator (#4477)Previously esbuild incorrectly printed certain edge cases involving complex expressions inside the target of a
newexpression (specifically an optional chain and/or a tagged template literal). The generated code for thenewtarget was not correctly wrapped with parentheses, and either contained a syntax error or had different semantics. These edge cases have been fixed so that they now correctly wrap thenewtarget in parentheses. Here is an example of some affected code:// Original code new (foo()`bar`)() new (foo()?.bar)()// Old output
new foo()bar();
new (foo())?.bar();
... (truncated)
Sourced from esbuild's changelog.
0.28.1
Disallow
\in local development server HTTP requests (GHSA-g7r4-m6w7-qqqr)This release fixes a security issue where HTTP requests to esbuild's local development server could traverse outside of the serve directory on Windows using a
\backslash character. It happened due to the use of Go'spath.Clean()function, which only handles Unix-style/characters. HTTP requests with paths containing\are no longer allowed.Thanks to
@dellaliberafor reporting this issue.Add integrity checks to the Deno API (GHSA-gv7w-rqvm-qjhr)
The previous release of esbuild added integrity checks to esbuild's npm install script. This release also adds integrity checks to esbuild's Deno install script. Now esbuild's Deno API will also fail with an error if the downloaded esbuild binary contains something other than the expected content.
Note that esbuild's Deno API installs from
registry.npmjs.orgby default, but allows theNPM_CONFIG_REGISTRYenvironment variable to override this with a custom package registry. This change means that the esbuild executable served byNPM_CONFIG_REGISTRYmust now match the expected content.Thanks to
@sondt99for reporting this issue.Avoid inlining
usingandawait usingdeclarations (#4482)Previously esbuild's minifier sometimes incorrectly inlined
usingandawait usingdeclarations into subsequent uses of that declaration, which then fails to dispose of the resource correctly. This bug happened because inlining was done forletandconstdeclarations by avoiding doing it forvardeclarations, which no longer worked when more declaration types were added. Here's an example:// Original code { using x = new Resource() x.activate() }// Old output (with --minify)
new Resource().activate();// New output (with --minify)
{using e=new Resource;e.activate()}
Fix module evaluation when an error is thrown (#4461, #4467)
If an error is thrown during module evaluation, esbuild previously didn't preserve the state of the module for subsequent module references. This was observable if
import()orrequire()is used to import a module multiple times. The thrown error is supposed to be thrown by every call toimport()orrequire(), not just the first. With this release, esbuild will now throw the same error every time you callimport()orrequire()on a module that throws during its evaluation.Fix some edge cases around the
newoperator (#4477)Previously esbuild incorrectly printed certain edge cases involving complex expressions inside the target of a
newexpression (specifically an optional chain and/or a tagged template literal). The generated code for thenewtarget was not correctly wrapped with parentheses, and either contained a syntax error or had different semantics. These edge cases have been fixed so that they now correctly wrap thenewtarget in parentheses. Here is an example of some affected code:// Original code new (foo()`bar`)() new (foo()?.bar)()// Old output
new foo()bar();
new (foo())?.bar();
... (truncated)
bb9db84
publish 0.28.1 to npm9ff053e
security: add integrity checks to the Deno API0a9bf21
enforce non-negative size in gzip parsere2a1a71
security: forbid \\ in local dev server requests83a2cbf
fix #4482:
don't inline using declarations308ad74
fix #4471:
renaming of nested var declarationsf013f5f
fix some typosaafd6e4
chore: fix some minor issues in comments (#4462)15300c3
follow up: cjs evaluation fixes1bda0c3
fix #4461,
fix #4467:
esm evaluation fixesff166e2
v1.8.44378a6e
[Fix] quote: validate object-token shapes22ebec0
[Dev Deps] update @ljharb/eslint-config,
auto-changelog, eslint, `npmig...9f3caa3
[Tests] increase coverage3344a04
[readme] replace runkit CI badge with shields.io check-runs badge699c511
[Dev Deps] update @ljharb/eslint-configSourced from undici's releases.
v7.28.0
⚠️ Security Release
This release line addresses 7 security advisories, all shipped in v7.28.0.
Action required: Upgrade to undici 7.28.0 or later.
npm install undici@^7.28.0The v7 line is not affected by GHSA-38rv-x7px-6hhq (CVE-2026-9675), which is an 8.x-only regression.
Note on GHSA-hm92-r4w5-c3mj: this fix shipped in v7.28.0, not the earlier 7.2x line — the vulnerable single-pool code was still present through
v7.27.2. The per-origin pool fix is3805b8f8(#5041).Summary
Advisory CVE Severity (CVSS) Fixed in Fix commit GHSA-vxpw-j846-p89q CVE-2026-12151 High (7.5) 7.28.0 8cb10f98GHSA-vmh5-mc38-953g CVE-2026-9697 High (7.4) 7.28.0 04201f89GHSA-hm92-r4w5-c3mj CVE-2026-6734 High (7.5) 7.28.0 3805b8f8GHSA-pr7r-676h-xcf6 CVE-2026-9678 Moderate (5.9) 7.28.0 85a24055GHSA-p88m-4jfj-68fv CVE-2026-9679 Moderate (5.9) 7.28.0 d0574cc4GHSA-g8m3-5g58-fq7m CVE-2026-11525 Low (3.7) 7.28.0 d0574cc4GHSA-35p6-xmwp-9g52 CVE-2026-6733 Low (3.7) 7.28.0 ea8930cf
High severity
WebSocket DoS via fragment count bypass — CVE-2026-12151
GHSA-vxpw-j846-p89q · CWE-400, CWE-770 Fix:
8cb10f98websocket: limit the number of fragments in a message (part of backporta027a4a0Backport WebSocket maxPayloadSize fixes to v7.x, #5423)A malicious WebSocket server can stream a large number of small or empty continuation frames. Undici enforced a limit on cumulative payload size but did not limit the number of fragments per message, leading to unbounded memory growth and denial of service.
- Affected: applications using
new WebSocket(...)orWebSocketStreamagainst untrusted endpoints.- Workaround: none — upgrade is required.
TLS certificate validation bypass in SOCKS5 ProxyAgent — CVE-2026-9697
GHSA-vmh5-mc38-953g · CWE-295
... (truncated)
f9eba0a
Bumped v7.28.0 (#5430)a027a4a
Backport WebSocket maxPayloadSize fixes to v7.x (#5423)8cb10f9
websocket: limit the number of fragments in a message04201f8
fix: honor requestTls when proxy is SOCKS5fcd642f
fix(socks5): preserve dispatch backpressure return value (#5166)bc98c97
fix(socks5): use configured connector in Socks5ProxyAgent (#5168)9e1c743
fix(socks5): encode embedded IPv4 tails in IPv6 literals correctly (#5099)376c8be
fix(socks5): enforce authenticated state before CONNECT (#5097)3805b8f
fix(socks5-proxy-agent): use per-origin pools to prevent cross-origin
routing...85a2405
fix(cache): trim qualified field namesSourced from esbuild's releases.
v0.28.1
Disallow
\in local development server HTTP requests (GHSA-g7r4-m6w7-qqqr)This release fixes a security issue where HTTP requests to esbuild's local development server could traverse outside of the serve directory on Windows using a
\backslash character. It happened due to the use of Go'spath.Clean()function, which only handles Unix-style/characters. HTTP requests with paths containing\are no longer allowed.Thanks to
@dellaliberafor reporting this issue.Add integrity checks to the Deno API (GHSA-gv7w-rqvm-qjhr)
The previous release of esbuild added integrity checks to esbuild's npm install script. This release also adds integrity checks to esbuild's Deno install script. Now esbuild's Deno API will also fail with an error if the downloaded esbuild binary contains something other than the expected content.
Note that esbuild's Deno API installs from
registry.npmjs.orgby default, but allows theNPM_CONFIG_REGISTRYenvironment variable to override this with a custom package registry. This change means that the esbuild executable served byNPM_CONFIG_REGISTRYmust now match the expected content.Thanks to
@sondt99for reporting this issue.Avoid inlining
usingandawait usingdeclarations (#4482)Previously esbuild's minifier sometimes incorrectly inlined
usingandawait usingdeclarations into subsequent uses of that declaration, which then fails to dispose of the resource correctly. This bug happened because inlining was done forletandconstdeclarations by avoiding doing it forvardeclarations, which no longer worked when more declaration types were added. Here's an example:// Original code { using x = new Resource() x.activate() }// Old output (with --minify)
new Resource().activate();// New output (with --minify)
{using e=new Resource;e.activate()}
Fix module evaluation when an error is thrown (#4461, #4467)
If an error is thrown during module evaluation, esbuild previously didn't preserve the state of the module for subsequent module references. This was observable if
import()orrequire()is used to import a module multiple times. The thrown error is supposed to be thrown by every call toimport()orrequire(), not just the first. With this release, esbuild will now throw the same error every time you callimport()orrequire()on a module that throws during its evaluation.Fix some edge cases around the
newoperator (#4477)Previously esbuild incorrectly printed certain edge cases involving complex expressions inside the target of a
newexpression (specifically an optional chain and/or a tagged template literal). The generated code for thenewtarget was not correctly wrapped with parentheses, and either contained a syntax error or had different semantics. These edge cases have been fixed so that they now correctly wrap thenewtarget in parentheses. Here is an example of some affected code:// Original code new (foo()`bar`)() new (foo()?.bar)()// Old output
new foo()bar();
new (foo())?.bar();
... (truncated)
Sourced from esbuild's changelog.
0.28.1
Disallow
\in local development server HTTP requests (GHSA-g7r4-m6w7-qqqr)This release fixes a security issue where HTTP requests to esbuild's local development server could traverse outside of the serve directory on Windows using a
\backslash character. It happened due to the use of Go'spath.Clean()function, which only handles Unix-style/characters. HTTP requests with paths containing\are no longer allowed.Thanks to
@dellaliberafor reporting this issue.Add integrity checks to the Deno API (GHSA-gv7w-rqvm-qjhr)
The previous release of esbuild added integrity checks to esbuild's npm install script. This release also adds integrity checks to esbuild's Deno install script. Now esbuild's Deno API will also fail with an error if the downloaded esbuild binary contains something other than the expected content.
Note that esbuild's Deno API installs from
registry.npmjs.orgby default, but allows theNPM_CONFIG_REGISTRYenvironment variable to override this with a custom package registry. This change means that the esbuild executable served byNPM_CONFIG_REGISTRYmust now match the expected content.Thanks to
@sondt99for reporting this issue.Avoid inlining
usingandawait usingdeclarations (#4482)Previously esbuild's minifier sometimes incorrectly inlined
usingandawait usingdeclarations into subsequent uses of that declaration, which then fails to dispose of the resource correctly. This bug happened because inlining was done forletandconstdeclarations by avoiding doing it forvardeclarations, which no longer worked when more declaration types were added. Here's an example:// Original code { using x = new Resource() x.activate() }// Old output (with --minify)
new Resource().activate();// New output (with --minify)
{using e=new Resource;e.activate()}
Fix module evaluation when an error is thrown (#4461, #4467)
If an error is thrown during module evaluation, esbuild previously didn't preserve the state of the module for subsequent module references. This was observable if
import()orrequire()is used to import a module multiple times. The thrown error is supposed to be thrown by every call toimport()orrequire(), not just the first. With this release, esbuild will now throw the same error every time you callimport()orrequire()on a module that throws during its evaluation.Fix some edge cases around the
newoperator (#4477)Previously esbuild incorrectly printed certain edge cases involving complex expressions inside the target of a
newexpression (specifically an optional chain and/or a tagged template literal). The generated code for thenewtarget was not correctly wrapped with parentheses, and either contained a syntax error or had different semantics. These edge cases have been fixed so that they now correctly wrap thenewtarget in parentheses. Here is an example of some affected code:// Original code new (foo()`bar`)() new (foo()?.bar)()// Old output
new foo()bar();
new (foo())?.bar();
... (truncated)
bb9db84
publish 0.28.1 to npm9ff053e
security: add integrity checks to the Deno API0a9bf21
enforce non-negative size in gzip parsere2a1a71
security: forbid \\ in local dev server requests83a2cbf
fix #4482:
don't inline using declarations308ad74
fix #4471:
renaming of nested var declarationsf013f5f
fix some typosaafd6e4
chore: fix some minor issues in comments (#4462)15300c3
follow up: cjs evaluation fixes1bda0c3
fix #4461,
fix #4467:
esm evaluation fixesSourced from esbuild's releases.
v0.28.1
Disallow
\in local development server HTTP requests (GHSA-g7r4-m6w7-qqqr)This release fixes a security issue where HTTP requests to esbuild's local development server could traverse outside of the serve directory on Windows using a
\backslash character. It happened due to the use of Go'spath.Clean()function, which only handles Unix-style/characters. HTTP requests with paths containing\are no longer allowed.Thanks to
@dellaliberafor reporting this issue.Add integrity checks to the Deno API (GHSA-gv7w-rqvm-qjhr)
The previous release of esbuild added integrity checks to esbuild's npm install script. This release also adds integrity checks to esbuild's Deno install script. Now esbuild's Deno API will also fail with an error if the downloaded esbuild binary contains something other than the expected content.
Note that esbuild's Deno API installs from
registry.npmjs.orgby default, but allows theNPM_CONFIG_REGISTRYenvironment variable to override this with a custom package registry. This change means that the esbuild executable served byNPM_CONFIG_REGISTRYmust now match the expected content.Thanks to
@sondt99for reporting this issue.Avoid inlining
usingandawait usingdeclarations (#4482)Previously esbuild's minifier sometimes incorrectly inlined
usingandawait usingdeclarations into subsequent uses of that declaration, which then fails to dispose of the resource correctly. This bug happened because inlining was done forletandconstdeclarations by avoiding doing it forvardeclarations, which no longer worked when more declaration types were added. Here's an example:// Original code { using x = new Resource() x.activate() }// Old output (with --minify)
new Resource().activate();// New output (with --minify)
{using e=new Resource;e.activate()}
Fix module evaluation when an error is thrown (#4461, #4467)
If an error is thrown during module evaluation, esbuild previously didn't preserve the state of the module for subsequent module references. This was observable if
import()orrequire()is used to import a module multiple times. The thrown error is supposed to be thrown by every call toimport()orrequire(), not just the first. With this release, esbuild will now throw the same error every time you callimport()orrequire()on a module that throws during its evaluation.Fix some edge cases around the
newoperator (#4477)Previously esbuild incorrectly printed certain edge cases involving complex expressions inside the target of a
newexpression (specifically an optional chain and/or a tagged template literal). The generated code for thenewtarget was not correctly wrapped with parentheses, and either contained a syntax error or had different semantics. These edge cases have been fixed so that they now correctly wrap thenewtarget in parentheses. Here is an example of some affected code:// Original code new (foo()`bar`)() new (foo()?.bar)()// Old output
new foo()bar();
new (foo())?.bar();
... (truncated)
Sourced from esbuild's changelog.
0.28.1
Disallow
\in local development server HTTP requests (GHSA-g7r4-m6w7-qqqr)This release fixes a security issue where HTTP requests to esbuild's local development server could traverse outside of the serve directory on Windows using a
\backslash character. It happened due to the use of Go'spath.Clean()function, which only handles Unix-style/characters. HTTP requests with paths containing\are no longer allowed.Thanks to
@dellaliberafor reporting this issue.Add integrity checks to the Deno API (GHSA-gv7w-rqvm-qjhr)
The previous release of esbuild added integrity checks to esbuild's npm install script. This release also adds integrity checks to esbuild's Deno install script. Now esbuild's Deno API will also fail with an error if the downloaded esbuild binary contains something other than the expected content.
Note that esbuild's Deno API installs from
registry.npmjs.orgby default, but allows theNPM_CONFIG_REGISTRYenvironment variable to override this with a custom package registry. This change means that the esbuild executable served byNPM_CONFIG_REGISTRYmust now match the expected content.Thanks to
@sondt99for reporting this issue.Avoid inlining
usingandawait usingdeclarations (#4482)Previously esbuild's minifier sometimes incorrectly inlined
usingandawait usingdeclarations into subsequent uses of that declaration, which then fails to dispose of the resource correctly. This bug happened because inlining was done forletandconstdeclarations by avoiding doing it forvardeclarations, which no longer worked when more declaration types were added. Here's an example:// Original code { using x = new Resource() x.activate() }// Old output (with --minify)
new Resource().activate();// New output (with --minify)
{using e=new Resource;e.activate()}
Fix module evaluation when an error is thrown (#4461, #4467)
If an error is thrown during module evaluation, esbuild previously didn't preserve the state of the module for subsequent module references. This was observable if
import()orrequire()is used to import a module multiple times. The thrown error is supposed to be thrown by every call toimport()orrequire(), not just the first. With this release, esbuild will now throw the same error every time you callimport()orrequire()on a module that throws during its evaluation.Fix some edge cases around the
newoperator (#4477)Previously esbuild incorrectly printed certain edge cases involving complex expressions inside the target of a
newexpression (specifically an optional chain and/or a tagged template literal). The generated code for thenewtarget was not correctly wrapped with parentheses, and either contained a syntax error or had different semantics. These edge cases have been fixed so that they now correctly wrap thenewtarget in parentheses. Here is an example of some affected code:// Original code new (foo()`bar`)() new (foo()?.bar)()// Old output
new foo()bar();
new (foo())?.bar();
... (truncated)
bb9db84
publish 0.28.1 to npm9ff053e
security: add integrity checks to the Deno API0a9bf21
enforce non-negative size in gzip parsere2a1a71
security: forbid \\ in local dev server requests83a2cbf
fix #4482:
don't inline using declarations308ad74
fix #4471:
renaming of nested var declarationsf013f5f
fix some typosaafd6e4
chore: fix some minor issues in comments (#4462)15300c3
follow up: cjs evaluation fixes1bda0c3
fix #4461,
fix #4467:
esm evaluation fixes