feat: upgrade esbuild to 0.23

[SuperchupuDev]

mainly to avoid duplicated dependencies, also bumped pkgroll so that it uses esbuild 0.23.0 as well

closes #606

[timrc]

@SuperchupuDev Are there any major difference between esbuild versions? I mostly found code formatting changes.

[mesfahanisimscale]

evanw/esbuild#3802 It fixes these vulnerabilities.

[privatenumber]

How are those vulnerabilities exposed in tsx?

The response from the maintainer in that thread explains how that vulnerability report is a false alarm for esbuild.

(Am I missing something?)

[mesfahanisimscale]

It may not be directly relevant, but many projects rely on automated vulnerability checks and it's a good practice to try to get those vulnerabilities down. But it's also understandable if tsx doesn't want to risk an upgrade for the sake of a number.

In our case, we've worked around it by adding this to our package.json.

  "overrides": {
    "tsx": {
      "esbuild": "0.23.0"
    }
  }

[privatenumber]

Sounds like an issue with your vulnerability checker. Please report the issue to them—there's a pattern of these security tools that leverage FUD to pressure unimpactful work on others.

And we're back to the first question: what practical impact does this upgrade have on tsx?

[yegortokmakov]

+1 to updating esbuild and comments in the thread. This specific vulnerability might be irrelevant to tsx, but handling CVE is a must for a lot of companies and a best practice in general. It is common to use something like https://github.com/openvex/vexctl to track identified vulnerabilities and either suppress them with description or track progress for fixes.

[SuperchupuDev]

@privatenumber esbuild 0.22.0 comes with some ES2024 features such as the regular expression /v flag and it updates await using behavior to match typescript. is there any benefit not to update yet? as i don't think tsx will keep using an old esbuild version forever

[privatenumber]

Doesn't it raise any eyebrows for ya'll that no one can explain the practical impact of this work?

This is your time being wasted because of some security tool that profits from enterprise clients by blasting CVEs to create FUD.

Please don't involve my free open source projects into this.

---

@yegortokmakov
If you're telling me that you can suppress the vulnerability with an explanation, I'm confused why you opted to pressure a stranger online to do free work for you instead?

Would your company be open to an enterprise sponsorship? I'd be happy to do work for sponsors.

@SuperchupuDev
I appreciate your contribution. But as you know, tsx's goal is TypeScript parity.

I'm not against this PR, but I don't want to set the precedent of making releases without a reason. And it feels especially strange that no one can give a good reason.

Are you able to demonstrate how a TS feature currently broken in tsx can be fixed with this upgrade?

[mesfahanisimscale]

some security tool that profits from enterprise clients by blasting CVEs to create FUD.

Looks like a matter of principle for you. At the end it's your package and you do what you see fit.

[privatenumber]

It's more confusion that people are really trying to pressure strangers online to do free work to scratch their own itch without even scrutinizing the validity of the issue.

Anyway, to move forward, all I need is one demonstration of how a bug can be fixed with this change. Not much to ask for, I think. I will be hiding all comments that are not relevant to this.

[SuperchupuDev]

@privatenumber here is repro code for something that's supposed to be fixed in esbuild 0.22.0, passes in typescript and fails in current tsx (see microsoft/TypeScript#58624, evanw/esbuild@6475aea)

code

export const output: any[] = [];
export async function main() {
  const promiseDispose = new Promise<void>(resolve => {
    setTimeout(() => {
      output.push('y dispose promise body');
      resolve();
    }, 0);
  });
  {
    await using x = {
      async [Symbol.asyncDispose]() {
        output.push('x asyncDispose body');
      }
    };
    await using y = {
      [Symbol.dispose]() {
        output.push('y dispose body');
        return promiseDispose;
      }
    };
  }
  output.push('body');
  await promiseDispose;
  return output;
}

export const a = async () => {
  const output2 = await main();
  const expected = ['y dispose body', 'x asyncDispose body', 'body', 'y dispose promise body'];
  if (output2.join(',') !== expected.join(',')) {
    throw `fail: ${output}`;
  }
  console.log('pass');
};

await a();

[SuperchupuDev]

it works in latest esbuild:

[privatenumber]

Thanks @SuperchupuDev, I appreciate you demonstrating a real impact of this PR 🙌

Will look into releasing this tomorrow!

[privatenumber]

This issue is now resolved in v4.17.0.

If you're able to, your sponsorship would be very much appreciated.