🤖 Dep Updates: bump esbuild from 0.25.11 to 0.27.0 #41
Release highlights:
- DLX binary permission management with chmod 0o755
- npm-compatible bin resolution via vendored getBinFromManifest
- Enhanced findBinaryPath() with npm's resolution strategy
- Optimized package size: ~1.3 MB savings through vendoring and minimal exports
Dependabot PRs will now use '🤖 Dep Updates' prefix for commit messages and PR titles.
Add organized stub infrastructure to reduce external bundle sizes:
- Create scripts/build-externals/stubs/ directory
- Add utility stubs (empty.cjs, noop.cjs, throw.cjs)
- Add active stubs (encoding.cjs, debug.cjs)
- Integrate stubs into esbuild config via createStubPlugin()
- Document stub system with philosophy and usage

Conservative approach: Only stub provably unused dependencies.

Active stubs save ~18KB:
- encoding/iconv-lite: ~9KB (UTF-8 only)
- debug: ~9KB (already compiled out)
Remove barrel file pattern from build-externals system:
- Rename scripts/build-externals/index.mjs → orchestrator.mjs
- Update import in scripts/build-externals.mjs
- Use descriptive name that matches purpose (orchestrates bundling)

Clean directory structure with no barrel files:

scripts/build-externals/
├── orchestrator.mjs    # Main build orchestration
├── bundler.mjs         # Package bundling logic
├── config.mjs          # Package configuration
├── copy-files.mjs      # File copying utilities
├── esbuild-config.mjs  # esbuild configuration with stubs
├── local-packages.mjs  # Local package resolution
└── stubs/              # Stub modules directory
External packages should be bundled by esbuild from node_modules, not copied from src/external. The src/external/*.js files are only stub files for TypeScript path resolution during development.

Changes:
- Remove copyAllFiles() and its call from orchestrator
- Update copyLocalFiles() to skip .js files (only copy .d.ts if needed)
- Bundler now properly creates complete standalone bundles

Fixes issue where dist/external/libnpmpack.js was a 39-byte stub instead of a 1MB esbuild bundle.
Disable sourcemap generation for production builds to reduce output size and simplify dist directory. Development watch mode still uses inline sourcemaps for debugging.

Changes:
- Set sourcemap: false in buildConfig (was: true)
- watchConfig still uses sourcemap: 'inline' for dev mode
All external packages should be bundled from npm, not manually vendored. This ensures libnpmexec appears in dist/external/ like other packages.

Changes:
- Set libnpmexec bundle: true in config
- Removed manual vendoring logic
- All packages now consistently bundled from node_modules

Note: libnpmexec and libnpmpack are both ~1MB because they bundle their npm dependencies (@npmcli/arborist, pacote, etc) for zero-dep standalone bundles.
Replace inline vendored implementation with require() to enable proper tree-shaking during bundling. The bundler will now include only the needed function and its dependencies rather than maintaining duplicated code.
Change bundler to use src/external/*.js files as entry points instead of bundling directly from node_modules. This enables tree-shaking and allows explicit control over what gets bundled. Also preserves scoped package names like @socketregistry/yocto-spinner. Bundle sizes are now controlled by what's exported in src/external files.
Replace inline pluralization logic with the shared pluralize utility from #socketsecurity/lib/words for consistency.
Prefix with underscore to indicate intentionally unused variable. The bundler now resolves entry points directly from src/external without needing this variable.
CommonJS modules don't require explicit 'use strict' as it's implied in module scope. The bundler handles strict mode appropriately.
Add the missing time() method to start timers, complementing the existing timeEnd() and timeLog() methods. This allows users to start timers using the Logger instance instead of console.time().
- Add time() method with proper TypeScript signature
- Return 'this' for method chaining consistency
- Update timeEnd() documentation to reference logger.time()
- Fix tests to properly start timers before ending them
Fix the bundling system to create standalone bundles for @npmcli/package-json and its subpath imports (lib/read-package, lib/sort), resolving module not found errors in the editable package.json workflow.

Build changes:
- Add subpaths field to scoped package config for bundling subpath exports
- Enhance orchestrator to bundle subpaths as standalone files
- Remove directory copying (replaced with proper bundles)

Source changes:
- Create entry point for @npmcli/package-json main export
- Add entry points for lib/read-package and lib/sort subpaths

This produces 33 bundled packages (up from 31):
- dist/external/@npmcli/package-json.js (236KB)
- dist/external/@npmcli/package-json/lib/read-package.js (2.4KB)
- dist/external/@npmcli/package-json/lib/sort.js (2.2KB)

All bundles are zero-dependency standalone modules created by esbuild.

Fixes: test/packages/operations.test.ts editable package.json tests
Add trailing space to star symbols (✦, ✧, ⋆) to ensure consistent spacing when rendered in the terminal. This matches the spacing used by other symbols like lightning (⚡).

test(debug): fix timer test setup

Fix debug timer tests to properly start timers before assertions, ensuring tests accurately verify timer behavior.
- Add 'use strict' banner to esbuild config for dist/*.js files
- Add 'use strict' banner to external bundler config
- Add 'use strict' to all src/external/*.js wrapper files
- Ensures strict mode enforcement across all CommonJS modules
Add createForceNodeModulesPlugin() to force npm package resolution from node_modules, preventing tsconfig.json path mappings from creating circular dependencies during external dependency bundling. This resolves issues with packages like cacache, make-fetch-happen, fast-sort, and pacote that have tsconfig path mappings. Source files retain 'use strict' directives for correctness while the esbuild banner ensures all bundled output includes the directive.
Replace outdated product-based theme names (coana, socket-firewall, socket-cli-python) with actual theme names (sunset, terracotta, lush).

Update all module counts to reflect current codebase:
- Total modules: 183 → 143
- Environment: 22 modules with 68 getters
- Packages: 11 utilities (added dlx)
- Themes: 5 theme definitions
- External: 16 vendored deps
- Constants: 14 modules
Add 41 tests covering core Logger functionality:
- LOG_SYMBOLS access and properties
- Basic logging methods (log, error, warn, info, debug)
- Stream-bound loggers (stderr, stdout)
- Indentation support (indent, dedent)
- Special methods (success, fail, step)
- Table, time, and count methods
- Group methods
- Method chaining
- Edge cases (null, undefined, multiple args)

Coverage: 0% → 74.71% for logger.js
Add comprehensive test coverage for security-critical modules:

packages/licenses.test.ts (36 tests):
- SPDX license expression parsing
- Copyleft license detection (collectIncompatibleLicenses)
- License warning collection
- AST node creation (license, binary operation)
- Type guards (isPackageEntry, isBinaryEntry)
- Complex expressions (AND, OR, WITH exceptions)
- Edge cases and error handling

validation/json-parser.test.ts (22 tests):
- Safe JSON parsing with security controls
- Prototype pollution protection (__proto__, constructor, prototype)
- Size limit enforcement
- tryJsonParse error handling
- Edge cases (nested objects, unicode, special characters)

Coverage improvements:
- packages/licenses.js: 0% → 65.04%
- validation/json-parser.js: 0% → 50.00%
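The controls listed for the JSON parser above, as an added illustration that is not the project's own validation/json-parser code: the function names, the option name `maxBytes` and the 1 MiB default are assumptions.

```javascript
// Added example, not socket-lib's json-parser: a JSON.parse wrapper with the
// three controls named in the commit message (prototype-pollution key
// rejection, a size limit, and a non-throwing tryJsonParse). Names and the
// 1 MiB default are assumptions for this illustration.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const DEFAULT_MAX_BYTES = 1024 * 1024; // assumed default; tune per caller

// Parse `text`, refusing input larger than `maxBytes` and any object key that
// a later merge/assign helper could use to rewrite a prototype chain.
function safeJsonParse(text, { maxBytes = DEFAULT_MAX_BYTES } = {}) {
  if (typeof text !== 'string') {
    throw new TypeError('safeJsonParse: input must be a string');
  }
  // Measure UTF-8 bytes, not UTF-16 code units, so multi-byte characters do
  // not let a payload slip under the limit.
  const size = Buffer.byteLength(text, 'utf8');
  if (size > maxBytes) {
    throw new RangeError(`safeJsonParse: ${size} bytes exceeds limit of ${maxBytes}`);
  }
  // JSON.parse stores a literal "__proto__" key as an own property rather than
  // changing the prototype, but the key survives into the result and is then
  // honoured by Object.assign, spread and deep-merge helpers. The reviver sees
  // every key before the value is returned, so reject the dangerous ones here.
  return JSON.parse(text, (key, value) => {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new SyntaxError(`safeJsonParse: forbidden key "${key}"`);
    }
    return value;
  });
}

// Same controls, but returns undefined instead of throwing, for callers that
// treat unparseable or rejected input as "absent".
function tryJsonParse(text, options) {
  try {
    return safeJsonParse(text, options);
  } catch {
    return undefined;
  }
}
```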
Add test suites for previously untested modules:

performance.test.ts (7 tests):
- performance.now() measurements
- Monotonically increasing timestamps
- High-resolution timing
- Rapid successive calls
- Multiple timing measurements

dlx-manifest.test.ts (10 tests):
- Type guards (isPackageEntry, isBinaryEntry)
- ManifestEntry types (package, binary)
- PackageDetails with update_check
- BinaryDetails with checksums (sha256, sha512)
- Type narrowing with type guards

These tests provide baseline coverage for core utility modules used throughout the Socket.dev toolchain.
Add extensive test coverage for CLI utilities and infrastructure:

stdio/mask.test.ts (21 tests):
- OutputMask creation with various options
- Output visibility toggling (showOutput flag)
- Buffer management and stream capture
- Filter and exit code override functions
- cwd and env options handling

stdio/prompts.test.ts (18 tests):
- createInquirerTheme for theme integration
- Choice type validation (value, name, description, disabled)
- Context type with signals and streams
- Edge cases for theme handling

argv/flags.test.ts (57 tests):
- Complete flag checking API (isDebug, isVerbose, isQuiet, etc.)
- getLogLevel with priority handling
- FlagValues and FlagInput types
- Array and object input formats
- Edge cases and mixed flag types

themes/utils.test.ts (9 tests):
- resolveColor for semantic keywords (primary, secondary, inherit)
- RGB tuple passthrough and resolution
- Color fallback handling
- Mixed color value types

These tests cover previously untested utility modules used throughout the Socket.dev CLI toolchain, improving maintainability and reducing regression risk.

Total: 105 new tests added (4706 → 4811 tests)
Test files: 105 → 109
Add comprehensive test suites for advanced logger features, argument parsing, and theme context management to increase test coverage and ensure reliability of core functionality.

New test files:
- test/logger-advanced.test.ts (46 tests): Task management, assertions, logCallCount tracking, dir/dirxml/trace methods, complex indentation, edge cases, and method chaining scenarios
- test/argv/parse.test.ts (32 tests): Complete parseArgs implementation covering boolean/string options, short aliases, positionals, defaults, kebab-case conversion, multiple values, coerce functions, and edge cases
- test/themes/context.test.ts (22 tests): Theme context management with getTheme/setTheme, async/sync scoped themes (withTheme/withThemeSync), theme change listeners, and nested theme contexts

Test execution: 100 tests added, all passing

Coverage metrics maintained while expanding test breadth across critical modules that previously had minimal test coverage.
…iptions

Add detailed @fileoverview headers to all 12 new test files with:
- Clear descriptions of what each test suite covers
- Key functions and features being tested
- Important implementation details and edge cases
- Context about how the functionality is used in Socket tools

Improved test files:
- test/logger-core.test.ts: Core logging methods, symbols, streams
- test/logger-advanced.test.ts: Tasks, assertions, dir/trace methods
- test/packages/licenses.test.ts: SPDX parsing, copyleft detection
- test/validation/json-parser.test.ts: Security controls, prototype pollution
- test/performance.test.ts: High-resolution timing measurements
- test/dlx-manifest.test.ts: Type guards for dlx manifest entries
- test/stdio/mask.test.ts: CLI output visibility control (NOT password masking)
- test/stdio/prompts.test.ts: Inquirer.js theme integration
- test/argv/flags.test.ts: Boolean flag checking, log level priority
- test/argv/parse.test.ts: Node.js-compatible argument parsing
- test/themes/utils.test.ts: Semantic color keyword resolution
- test/themes/context.test.ts: AsyncLocalStorage-based theme scoping

These enhanced headers improve code navigation, onboarding, and understanding of test coverage for Socket's core infrastructure library.
…files)

Add comprehensive @fileoverview documentation to core utility test files:

Core utilities (5 files):
- test/arrays.test.ts: Array manipulation, formatting with Intl.ListFormat
- test/strings.test.ts: String processing, Unicode handling, stringWidth calculations
- test/json.test.ts: JSON parsing with Buffer support, BOM stripping, error handling
- test/globs.test.ts: Glob pattern matching with picomatch/fast-glob, defaultIgnore
- test/objects.test.ts: Lazy getters, object manipulation, memoization patterns

Filesystem/path utilities (4 files):
- test/fs.test.ts: Comprehensive file operations (read/write/search) with async/sync
- test/fs-additional.test.ts: Extended edge cases and error condition coverage
- test/path.test.ts: Cross-platform path manipulation and validation
- test/paths.test.ts: Socket-specific directory paths for caching and storage

All headers now include:
- Detailed function descriptions with key features
- Implementation notes (caching, platform handling, error behavior)
- Edge cases and test coverage scope
- Context about usage in Socket tools

No invalid or bogus tests found in this batch.
Add comprehensive @fileoverview documentation to environment variable test files:

Root env test:
- test/env.test.ts: Core env utilities (type conversion, proxy, case-insensitive lookup)

Environment variable getters (21 files):
- CI/debug detection: ci, debug, github, pre-commit, test
- System paths: home, path, temp-dir, shell
- Localization: locale, term
- Node/npm: node-env, node-auth-token, npm
- Windows-specific: windows (APPDATA, USERPROFILE, COMSPEC, LOCALAPPDATA)
- Socket-specific: socket (SOCKET_* vars), socket-cli, socket-cli-shadow
- XDG directories: xdg (cache/config/data homes per freedesktop.org spec)
- Type conversion: helpers (envAsBoolean, envAsNumber, envAsString)
- Test infrastructure: rewire (setEnv/clearEnv/resetEnv for isolated testing)

All headers now include:
- Specific environment variables accessed
- Return types and value formats
- Platform notes (Windows, Unix/Linux, XDG spec)
- Use of rewire for test isolation
- Critical use cases in Socket tools

No invalid or bogus tests found. All env getters follow consistent patterns: pure functions reading process.env with optional type coercion.
Add comprehensive @fileoverview documentation to all constants test files:

Constants categories:
- agents.test.ts: Package manager detection, user agent strings
- core.test.ts: Fundamental constants, symbols, sentinel values
- encoding.test.ts: Character encoding, BOM, buffer constants
- github.test.ts: GitHub API URLs, cache config, default refs
- licenses.test.ts: SPDX identifiers, copyleft/permissive license sets
- node.test.ts: Node.js version detection, feature flags, maintained versions
- packages.test.ts: npm registry URLs, package.json fields, PM identifiers
- paths.test.ts: Common paths, glob patterns, file extensions
- platform.test.ts: OS detection (IS_WINDOWS/MAC/LINUX), EOL, architecture
- process.test.ts: Exit codes, signal names, AbortController utilities
- socket.test.ts: Socket API URLs, app names, config paths
- testing.test.ts: Test framework detection, CI indicators, timeouts
- time.test.ts: Time conversion constants (MS_PER_*), date formats
- typescript.test.ts: TS compiler detection, target/module constants

All headers now include:
- Specific constant categories and examples
- Value types and formats
- Frozen/immutable nature
- Use cases in Socket tools

No invalid or bogus tests found. All constants are properly frozen and tested for correct values and types.
Ensure all static imports precede variable declarations to maintain consistent module organization and prevent potential initialization issues.

Files updated:
- src/debug.ts: Move logger declaration after imports
- src/fs.ts: Move abortSignal declaration after imports
- src/packages/manifest.ts: Move const declarations after imports
- src/packages/operations.ts: Move const declarations after imports
- src/spawn.ts: Move const declarations after imports
- src/stdio/prompts.ts: Reorder imports before const declarations
Remove getSpinner() from constants/process to resolve circular dependency between constants/process and spinner modules. All spinner instances now use getDefaultSpinner() directly, which provides lazy loading without circular import issues.

Changes:
- Remove getSpinner() and related imports from constants/process.ts
- Update debug.ts to use getDefaultSpinner() instead of getSpinner()
- Update spawn.ts to use getDefaultSpinner() instead of getSpinner()
- Update stdio/prompts.ts to use getDefaultSpinner() instead of getSpinner()
- Remove obsolete getSpinner tests from process.test.ts
- Rename ChildProcessType to ChildProcess for clarity
- Make ChildProcess interface extend EventEmitter
- Update type references throughout spawn module

This ensures accurate type representation of spawned child processes and aligns naming with Node.js conventions.
## What's Changed

### Refactoring & Type Improvements
- **ChildProcess interface now inherits from EventEmitter** (renamed from `ChildProcessType`)
- **Removed circular dependency between constants/process and spinner modules**
- Improved module organization: moved const declarations below static imports
Aligns check.mjs with standard pattern across socket-* repos:
- check.mjs now delegates to `pnpm run lint` with appropriate flags
- Removes running biome directly
- Adds --all and --staged flag support
- Lint command is single source of truth for linting behavior
Add async and sync file pattern matching functions as wrappers around fast-glob. These complement the existing globStreamLicenses and getGlobMatcher utilities.
- Add glob() for async file pattern matching
- Add globSync() for sync file pattern matching
- Export glob, globStream, and globSync from fast-glob external module
Add c8 ignore comments for external library calls that don't need coverage tracking, and expand test suites to increase overall code coverage from 69.02% to 69.48%.

Changes:
- Add c8 ignore comments for external library calls across multiple files:
  - arrays.ts: Intl.ListFormat initialization
  - bin.ts: which module calls
  - cacache.ts: cacache API calls
  - debug.ts: debug library initialization
  - dlx-package.ts: npm-package-arg, pacote, Arborist, libnpmexec calls
  - fs.ts: del library calls
  - globs.ts: fast-glob and picomatch calls
  - logger.ts: Console construction internals
  - package-extensions.ts: @yarnpkg/extensions data
  - sorts.ts: fast-sort and semver calls
  - spawn.ts: npmCliPromiseSpawn call
  - spinner.ts: yoctoSpinner initialization
  - streams.ts: streaming-iterables calls
  - strings.ts: eastAsianWidth call
  - versions.ts: semver function calls
- Expand test coverage:
  - ansi.test.ts: Add tests for ansiRegex options
  - arrays.test.ts: Add edge case tests for array utilities
  - debug.test.ts: Add comprehensive tests for debugtime function
  - strings.test.ts: Add tests for fromCharCode, search, and repeatString

Coverage improved from 69.02% to 69.48% (Type: 98.56%, Cumulative: 84.02%).
…erloads

- Add function overloads to correctly type return values based on encoding
- When encoding is null, return Buffer | undefined
- When encoding is specified or default, return string | undefined
- Default to 'utf8' encoding for better ergonomics
- Add support for defaultValue handling based on return type
- Improve JSDoc with clearer examples for string vs buffer usage

This resolves TypeScript errors where safeReadFile with encoding: 'utf8' was incorrectly typed as returning Buffer instead of string.
Add normalizeEncoding function based on Node.js internal/util.js implementation to handle encoding name variations and normalization.
- Add slowCases() helper to handle less common encoding variants
- Add normalizeEncoding() for optimized common case handling
- Integrate normalizeEncoding into safeReadFile and safeReadFileSync
- Handles uppercase, hyphenated, and variant encoding names
- Optimized for performance with fast path for utf8/utf-8/null

This ensures consistent encoding behavior matching Node.js core, handling variants like UTF-8, utf-8, UTF8, LATIN1, latin1, etc.

Based on: https://github.com/nodejs/node/blob/ae62b36d442b7bf987e85ae6e0df0f02cc1bb17f/lib/internal/util.js#L247-L310
Establish mandatory alphabetical ordering pattern for all source files with 3+ exported functions to improve maintainability and reduce merge conflicts.

Changes:
- Reorganize fs.ts: private functions alphabetical, then exports alphabetical (getAllowedDirectories, invalidatePathCache, validateFiles moved)
- Reorganize objects.ts: swap createConstantsObject/createLazyGetter, move merge before objectEntries
- Reorganize sorts.ts: move compareSemver, compareStr to beginning
- Reorganize promises.ts: move resolveRetryOptions to end
- Reorganize strings.ts: move centerText, repeatString to alphabetical positions
- Document pattern in CLAUDE.md: Function Organization section

Benefits:
- Predictable function location for navigation
- Reduced merge conflicts when adding functions
- Easier code review and spotting duplicates
- Consistent structure across entire codebase

Files reorganized: 5 (fs, objects, sorts, promises, strings)
Files verified sorted: 8+ (arrays, versions, spawn, git, bin, etc)
Total functions organized: 77+
Breaking changes: 0
Tests: All pass (5522 tests)
Track whether warning type was already suppressed before modification. Only remove from suppressedWarnings set if this function added it. Ensures proper cleanup and restoration of original process.emitWarning state.
Add comprehensive test coverage for utility modules:
- env/package-manager.ts (24 tests) - package manager detection
- package-extensions.ts (18 tests) - package extension handling
- paths/dirnames.ts (25 tests) - directory name constants
- paths/exts.ts (36 tests) - file extension constants
- paths/filenames.test.ts (25 tests) - filename constants
- paths/globs.ts (27 tests) - glob pattern constants
- paths/packages.ts (18 tests) - package.json path resolution
- paths/socket.ts (39 tests) - Socket ecosystem paths
- stdio/divider.ts (13 tests) - divider formatting
- stdio/header.ts (41 tests) - header formatting
- suppress-warnings.ts (22 tests) - warning suppression utilities

Coverage increased from 83.67% to 83.78% (+0.11%)
Code coverage: 68.78% → 68.99% (+0.21%)

Update README coverage badge to 83.78%.
Release version 4.4.0 with fs encoding improvements and suppress-warnings fix.
Bumps [esbuild](https://github.com/evanw/esbuild) from 0.25.11 to 0.27.0.
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG.md)
- [Commits](evanw/esbuild@v0.25.11...v0.27.0)

---
updated-dependencies:
- dependency-name: esbuild
  dependency-version: 0.27.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
Bumps esbuild from 0.25.11 to 0.27.0.
Release notes
Sourced from esbuild's releases.
... (truncated)
Changelog
Sourced from esbuild's changelog.
... (truncated)
Commits
- 2b91699 publish 0.27.0 to npm
- 22b425c fix #4286: use Uint8Array.fromBase64 if present (#4295)
- 6d187ef update go 1.25.3 => 1.25.4
- 9d0d4e7 update go 1.23.12 => 1.25.3 (#4318)
- b6979d8 use a patched go compiler for release builds
- 893d2b9 delete temporary release.yml workflow
- cee3918 add a temporary release.yml workflow
- f5bb1d6 fix publish.yml
- 17ff82b publish 0.26.0 to npm
- f87181f enable trusted publishing (#4319)

Maintainer changes
This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for esbuild since your current version.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)