chore(deps): update devdependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@types/validator (source)	~13.7.6 -> ~13.7.7
cypress	~10.7.0 -> ~10.9.0
esbuild	~0.15.7 -> ~0.15.9
eslint (source)	~8.23.1 -> ~8.24.0
sanitize-html	~2.7.1 -> ~2.7.2
vite (source)	~3.1.0 -> ~3.1.4

---

Release Notes

cypress-io/cypress

v10.9.0

Compare Source

Changelog: https://docs.cypress.io/guides/references/changelog#​10-9-0

v10.8.0

Compare Source

Changelog: https://docs.cypress.io/guides/references/changelog#​10-8-0

evanw/esbuild

v0.15.9

Compare Source

• Fix an obscure npm package installation issue with --omit=optional (#​2558)

  The previous release introduced a regression with npm install esbuild --omit=optional where the file node_modules/.bin/esbuild would no longer be present after installation. That could cause any package scripts which used the esbuild command to no longer work. This release fixes the regression so node_modules/.bin/esbuild should now be present again after installation. This regression only affected people installing esbuild using npm with either the --omit=optional or --no-optional flag, which is a somewhat unusual situation.

  More details:

  The reason for this regression is due to some obscure npm implementation details. Since the Go compiler doesn't support trivial cross-compiling on certain Android platforms, esbuild's installer installs a WebAssembly shim on those platforms instead. In the previous release I attempted to simplify esbuild's WebAssembly shims to depend on the esbuild-wasm package instead of including another whole copy of the WebAssembly binary (to make publishing faster and to save on file system space after installation). However, both the esbuild package and the esbuild-wasm package provide a binary called esbuild and it turns out that adding esbuild-wasm as a nested dependency of the esbuild package (specifically esbuild optionally depends on @esbuild/android-arm which depends on esbuild-wasm) caused npm to be confused about what node_modules/.bin/esbuild is supposed to be.

  It's pretty strange and unexpected that disabling the installation of optional dependencies altogether would suddenly cause an optional dependency's dependency to conflict with the top-level package. What happens under the hood is that if --omit=optional is present, npm attempts to uninstall the esbuild-wasm nested dependency at the end of npm install (even though the esbuild-wasm package was never installed due to --omit=optional). This uninstallation causes node_modules/.bin/esbuild to be deleted.

  After doing a full investigation, I discovered that npm's handling of the .bin directory is deliberately very brittle. When multiple packages in the dependency tree put something in .bin with the same name, the end result is non-deterministic/random. What you get in .bin might be from one package, from the other package, or might be missing entirely. The workaround suggested by npm is to just avoid having two packages that put something in .bin with the same name. So this was fixed by making the @esbuild/android-arm and esbuild-android-64 packages each include another whole copy of the WebAssembly binary, which works because these packages don't put anything in .bin.

v0.15.8

Compare Source

• Fix JSX name collision edge case (#​2534)

  Code generated by esbuild could have a name collision in the following edge case:

  • The JSX transformation mode is set to automatic, which causes import statements to be inserted
  • An element uses a {...spread} followed by a key={...}, which uses the legacy createElement fallback imported from react
  • Another import uses a name that ends with react such as @remix-run/react
  • The output format has been set to CommonJS so that import statements are converted into require calls

  In this case, esbuild previously generated two variables with the same name import_react, like this:

  var import_react = require("react");
  var import_react2 = require("@​remix-run/react");

  That bug is fixed in this release. The code generated by esbuild no longer contains a name collision.

• Fall back to WebAssembly on Android ARM (#​1556, #​1578, #​2335, #​2526)

  Go's compiler supports trivial cross-compiling to almost all platforms without installing any additional software other than the Go compiler itself. This has made it very easy for esbuild to publish native binary executables for many platforms. However, it strangely doesn't support cross-compiling to Android ARM without installing the Android build tools.

  So instead of publishing a native esbuild binary executable to npm, this release publishes a WebAssembly fallback build. This is essentially the same as the esbuild-wasm package but it's installed automatically when you install the esbuild package on Android ARM. So packages that depend on the esbuild package should now work on Android ARM. This change has not yet been tested end-to-end because I don't have a 32-bit Android ARM device myself, but in theory it should work.

  This inherits the drawbacks of WebAssembly including significantly slower performance than native as well as potentially also more severe memory usage limitations and lack of certain features (e.g. --serve). If you want to use a native binary executable of esbuild on Android ARM, you may be able to build it yourself from source after installing the Android build tools.

• Attempt to better support Yarn's ignorePatternData feature (#​2495)

  Part of resolving paths in a project using Yarn's Plug'n'Play feature involves evaluating a regular expression in the ignorePatternData property of .pnp.data.json. However, it turns out that the particular regular expressions generated by Yarn use some syntax that works with JavaScript regular expressions but that does not work with Go regular expressions.

  In this release, esbuild will now strip some of the the problematic syntax from the regular expression before compiling it, which should hopefully allow it to be compiled by Go's regular expression engine. The specific character sequences that esbuild currently strips are as follows:

  • (?!\.)
  • (?!(?:^|\/)\.)
  • (?!\.{1,2}(?:\/|$))
  • (?!(?:^|\/)\.{1,2}(?:\/|$))

  These seem to be used by Yarn to avoid the . and .. path segments in the middle of relative paths. The removal of these character sequences seems relatively harmless in this case since esbuild shouldn't ever generate such path segments. This change should add support to esbuild for Yarn's pnpIgnorePatterns feature.

• Fix non-determinism issue with legacy block-level function declarations and strict mode (#​2537)

  When function declaration statements are nested inside a block in strict mode, they are supposed to only be available within that block's scope. But in "sloppy mode" (which is what non-strict mode is commonly called), they are supposed to be available within the whole function's scope:

  // This returns 1 due to strict mode
  function test1() {
    'use strict'
    function fn() { return 1 }
    if (true) { function fn() { return 2 } }
    return fn()
  }
  
  // This returns 2 due to sloppy mode
  function test2() {
    function fn() { return 1 }
    if (true) { function fn() { return 2 } }
    return fn()
  }

  To implement this, esbuild compiles these two functions differently to reflect their different semantics:

  function test1() {
    "use strict";
    function fn() {
      return 1;
    }
    if (true) {
      let fn2 = function() {
        return 2;
      };
    }
    return fn();
  }
  function test2() {
    function fn() {
      return 1;
    }
    if (true) {
      let fn2 = function() {
        return 2;
      };
      var fn = fn2;
    }
    return fn();
  }

  However, the compilation had a subtle bug where the automatically-generated function-level symbols for multible hoisted block-level function declarations in the same block a sloppy-mode context were generated in a random order if the output was in strict mode, which could be the case if TypeScript's alwaysStrict setting was set to true. This lead to non-determinism in the output as the minifier would randomly exchange the generated names for these symbols on different runs. This bug has been fixed by sorting the keys of the unordered map before iterating over them.

• Fix parsing of @keyframes with string identifiers (#​2555)

  Firefox supports @keyframes with string identifier names. Previously this was treated as a syntax error by esbuild as it doesn't work in any other browser. The specification allows for this however, so it's technically not a syntax error (even though it would be unwise to use this feature at the moment). There was also a bug where esbuild would remove the identifier name in this case as the syntax wasn't recognized.

  This release changes esbuild's parsing of @keyframes to now consider this case to be an unrecognized CSS rule. That means it will be passed through unmodified (so you can now use esbuild to bundle this Firefox-specific CSS) but the CSS will not be pretty-printed or minified. I don't think it makes sense for esbuild to have special code to handle this Firefox-specific syntax at this time. This decision can be revisited in the future if other browsers add support for this feature.

• Add the --jsx-side-effects API option (#​2539, #​2546)

  By default esbuild assumes that JSX expressions are side-effect free, which means they are annoated with /* @​__PURE__ */ comments and are removed during bundling when they are unused. This follows the common use of JSX for virtual DOM and applies to the vast majority of JSX libraries. However, some people have written JSX libraries that don't have this property. JSX expressions can have arbitrary side effects and can't be removed. If you are using such a library, you can now pass --jsx-side-effects to tell esbuild that JSX expressions have side effects so it won't remove them when they are unused.

  This feature was contributed by @​rtsao.

eslint/eslint

v8.24.0

Compare Source

Features

• 1729f9e feat: account for sourceType: "commonjs" in the strict rule (#​16308) (Milos Djermanovic)
• b0d72c9 feat: add rule logical-assignment-operators (#​16102) (fnx)
• f02bcd9 feat: array-callback-return support findLast and findLastIndex (#​16314) (Sosuke Suzuki)

Documentation

• 2c152ff docs: note false positive Object.getOwnPropertyNames in prefer-reflect (#​16317) (AnnAngela)
• bf7bd88 docs: fix warn severity description for new config files (#​16324) (Nitin Kumar)
• 8cc0bbe docs: use more clean link syntax (#​16309) (Percy Ma)
• 6ba269e docs: fix typo (#​16288) (jjangga0214)

Chores

• 131e646 chore: Upgrade @​humanwhocodes/config-array for perf (#​16339) (Nicholas C. Zakas)
• 504fe59 perf: switch from object spread to Object.assign when merging globals (#​16311) (Milos Djermanovic)

apostrophecms/sanitize-html

v2.7.2

Compare Source

• Closing tags must agree with opening tags. This fixes issue #​549, in which closing tags not associated with any permitted opening tag could be passed through. No known exploit exists, but it's better not to permit this. Thanks to
  Kedar Chandrayan for the report and the fix.

vitejs/vite

v3.1.4

Compare Source

Please refer to CHANGELOG.md for details.

v3.1.3

Compare Source

• fix: esbuildOutputFromId for symlinked root (#​10154) (fc5310f), closes #​10154
• fix(hmr): dedupe virtual modules in module graph (#​10144) (71f08e7), closes #​10144
• fix(lib): respect rollupOptions.input in lib mode (#​10116) (c948e7d), closes #​10116

v3.1.2

Compare Source

• fix: use isOptimizable to ensure version query (#​10141) (23a51c6), closes #​10141

v3.1.1

Compare Source

• fix: ensure version query for relative node_modules imports (#​10016) (1b822d0), closes #​10016
• fix: no quote on attrs (#​10117) (f541239), closes #​10117
• fix: prevent error overlay style being overridden (fixes #​9969) (#​9971) (a7706d0), closes #​9969 #​9971
• fix: proxy to secured websocket server (#​10045) (9de9bc4), closes #​10045
• fix: replace white with reset (#​10104) (5d56e42), closes #​10104
• fix(deps): update all non-major dependencies (#​10077) (caf00c8), closes #​10077
• fix(deps): update all non-major dependencies (#​9985) (855f2f0), closes #​9985
• fix(preview): send configured headers (#​9976) (0d20eae), closes #​9976
• chore: cleanup old changelogs (#​10056) (9e65a41), closes #​10056
• chore: update 3.1 changelog (#​9994) (44dbcbe), closes #​9994
• chore(deps): update @​rollup/plugin-node-resolve to v14 (#​10078) (3390c87), closes #​10078
• refactor: config hook helper function (#​9982) (9c1be10), closes #​9982
• refactor: optimize async and await in code (#​9854) (31f5ff3), closes #​9854

---

Configuration

📅 Schedule: Branch creation - "before 3am on Monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, click this checkbox.

---

This PR has been generated by Mend Renovate. View repository job log here.

[ST-DDT]

Does anyone know which dependency update causes this?

[Shinigami92]

Does anyone know which dependency update causes this?

I assume it's somehow esbuild (otherwise it must be Vite, but I don't think so)

[Shinigami92]

I think esbuild had a change to look into ALL tsconfig.jsons
And now it finds this:

faker/cypress/tsconfig.json

Line 3 in 0e65143

"target": "ES5",

[codecov]

Codecov Report

Merging #1381 (f23bc8a) into main (0e65143) will decrease coverage by 0.01%.
The diff coverage is n/a.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1381      +/-   ##
==========================================
- Coverage   99.63%   99.62%   -0.02%     
==========================================
  Files        2163     2163              
  Lines      241303   241303              
  Branches     1018     1017       -1     
==========================================
- Hits       240421   240396      -25     
- Misses        861      886      +25     
  Partials       21       21              

Impacted Files	Coverage Δ
src/modules/internet/user-agent.ts	81.74% <0.00%> (-6.62%)	⬇️

[ST-DDT]

It's finally green!

[Shinigami92]

It's finally green!

Vite fixed a bug coupled with esbuild.
Thx @patak-dev for the new Vite release 💚