v0.25.0

Breaking Changes
📦 esbuild
5 breaking | 2 features | 🐛 6 fixes | 🔧 4 symbols

Summary

This release addresses a security vulnerability in the development server, introduces breaking changes to the serve() API and watch mode file handling, and fixes several CSS nesting and source map correctness issues.

⚠️ Breaking Changes

  • CORS is now disabled by default on the development server; requests will be denied if the 'Host' header does not match the one provided to --serve.
  • The serve() API call now returns an array of 'hosts' instead of a single 'host' string.
  • In watch mode, esbuild now deletes all output files if a rebuild fails, rather than leaving the old files in place.
  • CSS nesting expansion no longer uses :is() to collapse levels to avoid exponential blow-up, which may change the structure of generated CSS when nesting is unsupported.
  • Source map path references are now treated as URLs instead of file paths, affecting how spaces and file:// schemes are handled.

Migration Steps

  1. Pin the exact version of esbuild to '0.24.0' or use a strict range like '^0.24.0' to manage breaking changes.
  2. If using the development server, ensure clients send a matching 'Host' header or use a proxy to customize server behavior.
  3. Update code calling the serve() API to handle the 'hosts' array instead of the 'host' string.
  4. Verify watch mode workflows that might rely on old output files persisting after a failed build.
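
For migration steps 2 and 3, an added example (not code from esbuild or from this changelog) of helpers that accept both the older `{ host, port }` result and the new `{ hosts, port }` result of serve(), and derive the Host header values a fronting proxy could pass through. The function names and sample result objects are hypothetical and constructed here, and it is an assumption that the server accepts `address:port` for each entry in `hosts`.

```javascript
// Added example: compatibility helpers for code that calls esbuild's serve() API.
// Function names are hypothetical; the result objects below are constructed samples.

// Return the listening hosts as an array for both result shapes:
// { hosts: [...], port } after this release, { host, port } before it.
function serveHosts(result) {
  if (Array.isArray(result.hosts)) return result.hosts.slice();
  if (typeof result.host === 'string') return [result.host];
  throw new TypeError('serve() result has neither "hosts" nor "host"');
}

// IPv6 literals must be bracketed inside a URL or a Host header.
function formatHost(host) {
  return host.includes(':') && !host.startsWith('[') ? `[${host}]` : host;
}

// One URL per listening address, e.g. for a startup banner. Code that still
// reads result.host would print "http://undefined:8000/" after the upgrade.
function serveUrls(result) {
  return serveHosts(result).map((h) => `http://${formatHost(h)}:${result.port}/`);
}

// Host header values a proxy in front of the dev server could forward as-is
// (assumption: "address:port" per hosts entry). Anything else should be
// rejected or rewritten by the proxy before it reaches the dev server.
function hostHeaderAllowlist(result) {
  return new Set(
    serveHosts(result).map((h) => `${formatHost(h)}:${result.port}`.toLowerCase())
  );
}

function isForwardableHost(result, hostHeader) {
  return typeof hostHeader === 'string' &&
    hostHeaderAllowlist(result).has(hostHeader.trim().toLowerCase());
}

// Constructed sample results, one per API shape.
const legacyResult = { host: '127.0.0.1', port: 8000 };
const currentResult = { hosts: ['127.0.0.1', '192.168.0.1', '::1'], port: 8000 };

console.log(serveUrls(legacyResult));
console.log(serveUrls(currentResult));
console.log(isForwardableHost(currentResult, 'unrelated.example:8000'));
```
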

✨ New Features

  • The serve() API now provides a 'hosts' array to identify all IP addresses the development server is listening on.
  • Added support for repeating the '&' CSS nesting selector (e.g., '&&') to increase CSS specificity.

🐛 Bug Fixes

  • Fixed a security vulnerability (GHSA-67mh-4wv8-2f99) where the development server allowed cross-origin read access to source code.
  • Fixed CSS nesting transform to correctly handle leading combinators inside pseudo-classes like :has().
  • Fixed a CSS minification bug where the '&' selector was incorrectly removed inside pseudo-classes like :where().
  • Fixed source map generation to correctly encode spaces as %20 in sourceMappingURL.
  • Fixed the @esbuild/netbsd-arm64 package which previously contained the wrong binary due to a typo.
  • Fixed a minification bug involving bitwise operators and bigints.

🔧 Affected Symbols

  • serve
  • sourceMappingURL
  • sources
  • @esbuild/netbsd-arm64