Skip to content

chore(deps-dev): bump esbuild from 0.25.12 to 0.28.0#15

Open
dependabot[bot] wants to merge 15 commits into
mainfrom
dependabot/npm_and_yarn/esbuild-0.28.0
Open

chore(deps-dev): bump esbuild from 0.25.12 to 0.28.0#15
dependabot[bot] wants to merge 15 commits into
mainfrom
dependabot/npm_and_yarn/esbuild-0.28.0

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot Bot commented on behalf of github Jun 1, 2026
edited by blacksmith-sh Bot
Loading

Bumps esbuild from 0.25.12 to 0.28.0.

Release notes

Sourced from esbuild's releases.

v0.28.0

  • Add support for with { type: 'text' } imports (#4435)

    The import text proposal has reached stage 3 in the TC39 process, which means that it's recommended for implementation. It has also already been implemented by Deno and Bun. So with this release, esbuild also adds support for it. This behaves exactly the same as esbuild's existing text loader. Here's an example:

    import string from './example.txt' with { type: 'text' }
console.log(string)

  • Add integrity checks to fallback download path (#4343)

    Installing esbuild via npm is somewhat complicated with several different edge cases (see esbuild's documentation for details). If the regular installation of esbuild's platform-specific package fails, esbuild's install script attempts to download the platform-specific package itself (first with the npm command, and then with a HTTP request to registry.npmjs.org as a last resort).

    This last resort path previously didn't have any integrity checks. With this release, esbuild will now verify that the hash of the downloaded binary matches the expected hash for the current release. This means the hashes for all of esbuild's platform-specific binary packages will now be embedded in the top-level esbuild package. Hopefully this should work without any problems. But just in case, this change is being done as a breaking change release.

  • Update the Go compiler from 1.25.7 to 1.26.1

    This upgrade should not affect anything. However, there have been some significant internal changes to the Go compiler, so esbuild could potentially behave differently in certain edge cases:

    • It now uses the new garbage collector that comes with Go 1.26.
    • The Go compiler is now more aggressive with allocating memory on the stack.
    • The executable format that the Go linker uses has undergone several changes.
    • The WebAssembly build now unconditionally makes use of the sign extension and non-trapping floating-point to integer conversion instructions.

    You can read the Go 1.26 release notes for more information.

v0.27.7

  • Fix lowering of define semantics for TypeScript parameter properties (#4421)

    The previous release incorrectly generated class fields for TypeScript parameter properties even when the configured target environment does not support class fields. With this release, the generated class fields will now be correctly lowered in this case:

    // Original code
class Foo {
  constructor(public x = 1) {}
  y = 2
}
// Old output (with --loader=ts --target=es2021)
class Foo {
constructor(x = 1) {
this.x = x;
__publicField(this, "y", 2);
}
x;
}
// New output (with --loader=ts --target=es2021)
class Foo {

... (truncated)

Changelog

Sourced from esbuild's changelog.

Changelog: 2025

This changelog documents all esbuild versions published in the year 2025 (versions 0.25.0 through 0.27.2).

0.27.2

  • Allow import path specifiers starting with #/ (#4361)

    Previously the specification for package.json disallowed import path specifiers starting with #/, but this restriction has recently been relaxed and support for it is being added across the JavaScript ecosystem. One use case is using it for a wildcard pattern such as mapping #/* to ./src/* (previously you had to use another character such as #_* instead, which was more confusing). There is some more context in nodejs/node#49182.

    This change was contributed by @​hybrist.

  • Automatically add the -webkit-mask prefix (#4357, #4358)

    This release automatically adds the -webkit- vendor prefix for the mask CSS shorthand property:

    /* Original code */
main {
  mask: url(x.png) center/5rem no-repeat
}
/* Old output (with --target=chrome110) */
main {
mask: url(x.png) center/5rem no-repeat;
}
/* New output (with --target=chrome110) */
main {
-webkit-mask: url(x.png) center/5rem no-repeat;
mask: url(x.png) center/5rem no-repeat;
}

    This change was contributed by @​BPJEnnova.

  • Additional minification of switch statements (#4176, #4359)

    This release contains additional minification patterns for reducing switch statements. Here is an example:

    // Original code
switch (x) {
  case 0:
    foo()
    break
  case 1:
  default:
    bar()
}

... (truncated)

Commits
  • 6a794df publish 0.28.0 to npm
  • 64ee0ea fix #4435: support with { type: text } imports
  • ef65aee fix sort order in snapshots_packagejson.txt
  • 1a26a8e try to fix test-old-ts, also shuffle CI tasks
  • 556ce6c use '' instead of null to omit build hashes
  • 8e675a8 ci: allow missing binary hashes for tests
  • 7067763 Reapply "update go 1.25.7 => 1.26.1"
  • 39473a9 fix #4343: integrity check for binary download
  • 2025c9f publish 0.27.7 to npm
  • c6b586e fix typo in Makefile for @esbuild/win32-x64
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for esbuild since your current version.


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

View with Codesmith Autofix with Codesmith
Need help on this PR? Tag @codesmith with what you need. Autofix is disabled.

OmgImAlexis and others added 15 commits May 31, 2026 19:56
@OmgImAlexis
feat(shims): zustand + expo-sqlite stubs for smoke coverage
9c9d21f
@OmgImAlexis
feat(shims): @react-navigation/* family (native/stack/drawer/tabs) re…
5a91006 
…nders initial screen

Two examples (with-react-navigation, with-drawer-navigation) BUNDLE_FAILed against @react-navigation/native. Many more apps in the ecosystem build on this — adding it now unblocks the cluster. Single shim backs every sub-package: createStackNavigator / createNativeStackNavigator / createDrawerNavigator / createBottomTabNavigator / createMaterialTopTabNavigator / createMaterialBottomTabNavigator all return the same {Navigator, Screen, Group} shape. Navigator walks its children for Screen entries, picks initialRouteName (or the first one), and renders that screens component prop. Actual transitions are no-ops — useNavigation returns a stub with navigate/goBack/reset that record nothing. Theme exports (DefaultTheme/DarkTheme/useTheme) cover the case where consumers spread theme.colors into their styles. CommonActions/StackActions/DrawerActions return bare action objects so navigation.dispatch calls still type-check. The expo-router shim (separate package) wraps this same level of fidelity with a routes-tree convention; in-tree navigators (Stack inside expo-router/Stack) keep working without change. @react-navigation/elements is the shared UI primitives package — returns an empty object since most consumers destructure it lazily and the rest just call helpers we no-op.
@OmgImAlexis
ci(smoke): force GSK_RENDERER=ngl + GTK_THEME=Adwaita; dump log on bl…
dd94a10 
…ank-capture failure

CI run on ubuntu-24.04 hit screenshot colours=2 — the smoke caught a blank Xvfb but couldnt explain why. The default GSK cairo backend can silently produce nothing under llvmpipe-only X without a compositor; ngl falls through to llvmpipe cleanly. GTK_THEME=Adwaita is also forced so widgets render with real surface colours instead of theme-default fallbacks. On the blank-capture exit path, also tail -40 the app log to stderr so the GH Actions live output explains the failure without round-tripping to the artifact bucket. Env vars use the parent shells default-if-unset shape so a caller that already exports them keeps their choice.
@OmgImAlexis
feat(shims): moti — degrades to static at-animate-values placement
f4bfed8 
Real moti is Reanimated worklets + interpolation; without worklets the shim renders Inner at the animate values immediately (skipping the from->animate transition). useDynamicAnimation/useAnimationState return refs that trigger forceUpdate when their animateTo / transitionTo fires. AnimatePresence is a passthrough. Apps mount at steady state — visually correct end frame, transition is instant.
@OmgImAlexis
feat(shims): batch — expo-updates, expo-av, sentry, socket.io, styled…
a8d5280 
…-components, maps, pdf, webrtc, svg, victory, react-router-dom + __esModule fix

Round-3 shims targeting the remaining single-error BUNDLE_FAILs. Also: every shim with a default export now stamps __esModule=true so esbuilds __toESM interop reads the default slot directly instead of re-wrapping our namespace under .default (the bug that left with-zustand BOOT_FAILing despite the bundle working). placeholder-components.js is a tiny shared library; the native-only packages render labeled View placeholders at the requested size so layout math survives. styled-components/native parses tagged-template-literal CSS into RN style via a tiny prop-value reducer (handles px / numbers / colors / functional interpolations). bundle.mjs gets a .svg loader: empty so direct SVG imports resolve to undefined instead of erroring (real svg-transformer comes later).
@OmgImAlexis
feat(shims): expo-asset + sentry integrations + createStaticNavigatio…
04bbff1 
…n + class-no-extends lowering

Round-4 fixes for the remaining single-error BUNDLE_FAILs and the BOOT_FAILs from round-3. (1) Class lowering now matches any class<id> declaration, not just class extends — esbuild emits var X = class _X { ... } for plain top-level classes and Hermes 0.12 rejects that too (AssetSourceResolver hit this). Triggers for external/expo-examples/ as well as node_modules. (2) sentry shim was missing the integration factories — apps pass Sentry.mobileReplayIntegration() / feedbackIntegration() etc. into init({integrations: [...]}). Added every integration name the SDK ships plus startSpan / getActiveSpan / setMeasurement no-ops. (3) @react-navigation/native gets createStaticNavigation (React Navigation 7s static API) returning a NavigationContainer-wrapped Navigator. (4) expo-asset shim registers a stub ExpoAsset native module via expo-modules-core and exposes Asset.fromModule / loadAsync that resolve to in-bundle uris. (5) smoke harness now detects entries that already call registerRootComponent (with-react-navigation, with-storybook patterns) and side-effect-imports them instead of trying import App from. Also catches the case where bundle.mjs succeeds but hermesc rejected the .hbc — treats the missing-hbc state as BUNDLE_FAIL instead of letting it bubble to BOOT_FAIL.
@OmgImAlexis
feat(shims): expo-auth-session, jwt-decode, apollo, firebase, picker,…
df6d133 
… tinybase, legend-state, three+expo-gl

Round-5 stubs for the remaining BUNDLE_FAIL cluster. expo-auth-session covers with-auth0 + with-facebook-auth (Providers.Google/Facebook/etc subpaths). jwt-decode is a real 30-line base64url-decode-payload impl. apollo-client supports ApolloClient/Provider + useQuery/useMutation/useLazyQuery/gql noops (data:null/loading:false). firebase exposes /app /auth /firestore /storage with reject-network-calls semantics. @react-native-picker/picker renders labeled placeholder. tinybase + ui-react + persisters expose the createStore/useCell/useRow surface with an in-memory store. @legendapp/state covers /react /persist /sync /persist-plugins/async-storage /sync-plugins/supabase subpaths. three + expo-gl + expo-three + expo-processing share one shim: THREE.* are noop constructors, GLView renders a placeholder, no real GL backend. Skipping with-magic, with-tfjs-camera, with-aws-storage-upload, with-workbox — too narrow / web-only for smoke coverage.
@OmgImAlexis
feat(shims): batch of one-example stubs + LogBox/UIManager/StatusBar/…
ae0f4fe 
…etc + colour threshold tune

Round-6 catch-up: LogBox.ignoreLogs and the other RN surfaces (Settings, ToastAndroid, Vibration, Share, findNodeHandle, UIManager, LayoutAnimation, InteractionManager, BackHandler, PermissionsAndroid, StatusBar) were missing from our react-native shim — multiple examples call them at boot and threw before mounting. All no-ops; StatusBar is a render-null function component. Smoke colour threshold lowered 16 → 4. Apps that render a single dark <GLView/> placeholder produce k=2 but are mounted correctly; 16 was too aggressive. Blank Xvfb is k=1, so 4 still catches binary-lives-but-no-window. New misc-stubs.js covers the one-example tail: magic-sdk, react-three-fiber, react-native-get-random-values, supabase-js, aws-amplify trio, tensorflow trio. All stay flat — no real network calls; promises reject or resolve empty so apps surface error UI.
@OmgImAlexis
feat(shims): uuid (with default export) + smoke threshold 4 -> 2
9b37cb3 
with-firebase-storage-upload imported uuid via import uuid from uuid, but the real packages ESM build has no default export — esbuild rejected the bundle. The shim adds a default + the named v1/v3/v4/v5/v7 exports so either import shape resolves. v4 uses our existing cryptoRandomBytes CSPRNG. Smoke colour threshold dropped to 2. Apps that render a solid-color placeholder (with-three, with-react-three-fiber, with-workbox) produce k=2 but are mounted correctly. Blank Xvfb is still k=1, so the gate catches binary-lives-but-no-window — just no longer trips on legitimately-rendered single-color frames.
@OmgImAlexis
feat(shims): legend-state observablePersistAsyncStorage (lowercase) +…
8531aa7 
… window/document/navigator/location global polyfills

with-legend-state-supabase called observablePersistAsyncStorage (lowercase factory) — newer @legendapp/state versions use that form alongside the capitalized ObservablePersistAsyncStorage constructor. Added both. with-workbox imports a local serviceWorkerRegistration that does window.addEventListener — pure web-only code. Polyfilled globalThis.window as an alias of globalThis, with safe location/navigator/document/addEventListener stubs so the bundle doesnt explode at parse time. Cross-platform feature checks (typeof window === undefined, typeof document === undefined) still take the no-DOM branch.
@OmgImAlexis
ci(smoke): detect src/app/ layout for newer expo-router examples
52e49d5 
expo-router apps with the src/app/ layout (with-graphql, with-html, with-react-flow, with-tailwindcss, with-shadcn, with-webgpu, with-react-strict-dom, with-router-*) were being SKIPPED because the detection only looked for app/ at the example root. All 11 of those now flip to PASS through the same expo-router/entry placeholder path; their package.json still points main at expo-router/entry, just the route tree lives one level deeper.
@OmgImAlexis
docs(expo-examples): update baseline — 67/69 PASS
0e34b6b 
Full sweep after the shim rounds. Numbers: PASS 67, BUNDLE_FAIL 0, BOOT_FAIL 0, SKIPPED 2 (with-router has no app code; with-yarn-workspaces is a monorepo wrapper). Up from baseline 10/69. Round-by-round progression: 10 -> 26 -> 37 -> 42 -> 47 -> 51 -> 54 -> 56 -> 67.
@OmgImAlexis
feat(rn): bump React Native 0.81 -> 0.85.3 + Hermes 0.16 + new Schedu…
1dd8f5f 
…ler hook

Workspace bump: react-native ^0.85.3, react 19.2.3, react-test-renderer 19.2.3, @react-native/babel-preset ^0.85.3, @react-native/metro-config ^0.85.3 across all five workspace package.json files. C++ surface changes for 0.85: (1) ContextContainer::Shared was removed — replaced with std::shared_ptr<const ContextContainer> in TextLayoutManager.cpp + RNLinuxHost.cpp (the toolbox.componentRegistryFactory lambda signature). (2) SchedulerDelegate gained a new pure virtual schedulerShouldMergeReactRevision(SurfaceId) for React Server Components / View Transitions — added a no-op override in LinuxSchedulerDelegate. (3) RN 0.85 split jsinspector-modern further (TraceEventSerializer + ConsoleTaskOrchestrator + ConsoleTask + ConsoleTaskContext + network/HttpUtils + network/CdpNetwork are now standalone TUs), added a perf/cdpmetrics layer (CdpMetricsReporter + CdpPerfIssuesReporter + CdpInteractionTypes), and introduced a C++ animation backend (renderer/animationbackend/AnimationBackend + AnimationBackendCommitHook + AnimatedPropsRegistry + AnimatedPropSerializer) — Scheduler constructs all of these unconditionally, so added them to the rn_renderer glob. (4) Hermes pin bumped from RN 0.81 sha (e0fc6714) to hermes-v0.16.0 (d527210). Hermes 0.16 renamed the library target from libhermes/hermes to hermesvm; FetchHermes.cmake now prefers hermesvm and falls back. Hermes 0.16s JSI ABI is still compatible with our bindings — no porting work needed in vnext/src/jsi/. Verified end-to-end: smoke-playground on index.tsx produces 13789 colours, JSX commit done, no crash.
@OmgImAlexis
fix(zustand): memoize selector result + return shallow as default export
f207b95 
Two bugs surfaced when running with-zustand interactively (smoke gate didn't catch either — the ErrorBoundary fell back to a rendered surface that still passed the pixel/colour check). (1) useStore did useSyncExternalStore(subscribe, () => sel(getState()))

Returning a fresh object reference every getSnapshot call trips React's tear-detection: The result of getSnapshot should be cached and the render loops to Maximum update depth exceeded. Fix: cache the last selector result via useRef and reuse it whenever the equality fn (Object.is or the consumer's shallow) reports the new selection matches. (2) zustand/shallow returned {shallow} as a namespace object, so import shallow from zustand/shallow gave the namespace not the function — useStore's typeof equalityFn === function check failed and it fell back to Object.is, which never matches fresh selector outputs. Fix: emit the sub-path as a __esModule-stamped namespace with both default and named exports pointing at the function so either import shape works.
@dependabot
chore(deps-dev): bump esbuild from 0.25.12 to 0.28.0
f9f76a2 
Bumps [esbuild](https://github.com/evanw/esbuild) from 0.25.12 to 0.28.0.
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG-2025.md)
- [Commits](evanw/esbuild@v0.25.12...v0.28.0)

---
updated-dependencies:
- dependency-name: esbuild
  dependency-version: 0.28.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github
Copy link
Copy Markdown
Author

dependabot Bot commented on behalf of github Jun 1, 2026

Labels

The following labels could not be found: javascript. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@OmgImAlexis