v0.28.1
Breaking Changes📦 esbuildView on GitHub →
⚠ 1 breaking✨ 1 features🐛 5 fixes🔧 8 symbols
Summary
This release patches two security vulnerabilities related to path traversal in the dev server and integrity checks in the Deno API. It also includes several bug fixes addressing minification issues, module evaluation errors, and incorrect code generation for `new` expressions.
⚠️ Breaking Changes
- HTTP requests to esbuild's local development server containing \\ backslash characters are now disallowed on Windows to fix a path traversal security vulnerability. Users relying on \\ in paths must switch to /.
Migration Steps
- If using the local development server on Windows, ensure HTTP request paths use forward slashes (/) instead of backslashes (\) for path traversal.
- If overriding the package registry for the Deno API via `NPM_CONFIG_REGISTRY`, ensure the custom registry serves an esbuild executable matching the expected content hash.
✨ New Features
- Added integrity checks to esbuild's Deno install script, ensuring the downloaded binary matches expected content.
🐛 Bug Fixes
- Fixed minifier incorrectly inlining `using` and `await using` declarations, which prevented correct resource disposal.
- Fixed module evaluation state not being preserved when an error is thrown, ensuring subsequent `import()` or `require()` calls on the same module throw the same error.
- Fixed incorrect code generation for `new` expressions involving complex targets (optional chain or tagged template literal) by correctly wrapping the target in parentheses.
- Fixed renaming of nested `var` declarations hoisted to module scope during bundling, preventing potential name collisions when minification is disabled.
- Fixed TypeScript-only `import x = require('y')` constructs being incorrectly emitted as `const` instead of `var` when targeting ES5.