Upstream update available: esbuild 0.27.2 → 0.28.0 #2

New issue

Open

opened 2026-04-28 01:08:43 +03:00 by sbelikov · 0 comments

sbelikov commented

2026-04-28 01:08:43 +03:00

Owner

Upstream update available: `esbuild` `0.27.2` → `0.28.0`

Package

Package: esbuild
RPM name: esbuild
Branch: niceos-5.2
Current EVR: 0.27.2-1
Update class: minor
Compare method: python_rpm
Update policy: leaf
Risk tags: github-upstream

Upstream

Upstream type: github
Upstream project: evanw/esbuild
Upstream URL: github.com — esbuild
Detected version: 0.28.0
Tag/release: v0.28.0
Source: github_release_latest
Published: 2026-04-02T20:38:53Z
Release URL: github.com — v0.28.0
Source URL: api.github.com — v0.28.0
Pre-release: False

Signals

Security-relevant keywords detected: False
Policy blocked: False
Policy reason: -
Labels: ai-summary, bot, needs-build, needs-triage, priority/medium, update/minor, upstream-update, upstream/github

NiceSOFT AI preliminary stability analysis

1. Краткий вывод

Пакет esbuild получил мелкий обновлённый функционал (поддержку with { type: 'text' } и улучшения в Go-компиляторе), но нет значимых изменений в API. Обновление допустимо, но требует проверки RPM-спецификации на совместимость с новыми параметрами.

2. Риски

Секура: Нет обнаруженных CVE или других угроз.
ABI/API: Нет значимых изменений в интерфейсе, поэтому риск потери совместимости низкий.
Ресурсы: Нет изменений в внутренних структурах, поэтому риск нарушения работы приложений низкий.

3. Рекомендации

Обновление: Допустимо, так как изменений в API нет.
Проверка RPM-спецификации: Убедиться, что сборка не зависит от старых версий Go или других компонентов.
Ручная проверка: Нужна для уточнения совместимости с текущими настройками системы.

4. Дополнительные замечания

Обновление включает поддержку with { type: 'text' } в JavaScript, что может быть полезно для приложений с текстовыми интерфейсами.
Улучшения в Go-компиляторе могут влиять на производительность, но не на стабильность.

5. Итог

Обновление допустимо, но требует внимательной проверки RPM-спецификации. Риск потери совместимости низкий, но рекомендуется провести ручную проверку для исключения возможных проблем.

Источники, найденные web_search

Upstream release notes / description

Add support for with { type: 'text' } imports (#4435)

The import text proposal has reached stage 3 in the TC39 process, which means that it's recommended for implementation. It has also already been implemented by Deno and Bun. So with this release, esbuild also adds support for it. This behaves exactly the same as esbuild's existing text loader. Here's an example:
```
import string from './example.txt' with { type: 'text' }
console.log(string)
```
Add integrity checks to fallback download path (#4343)

Installing esbuild via npm is somewhat complicated with several different edge cases (see esbuild's documentation for details). If the regular installation of esbuild's platform-specific package fails, esbuild's install script attempts to download the platform-specific package itself (first with the npm command, and then with a HTTP request to registry.npmjs.org as a last resort).

This last resort path previously didn't have any integrity checks. With this release, esbuild will now verify that the hash of the downloaded binary matches the expected hash for the current release. This means the hashes for all of esbuild's platform-specific binary packages will now be embedded in the top-level esbuild package. Hopefully this should work without any problems. But just in case, this change is being done as a breaking change release.
Update the Go compiler from 1.25.7 to 1.26.1

This upgrade should not affect anything. However, there have been some significant internal changes to the Go compiler, so esbuild could potentially behave differently in certain edge cases:
- It now uses the new garbage collector that comes with Go 1.26.
- The Go compiler is now more aggressive with allocating memory on the stack.
- The executable format that the Go linker uses has undergone several changes.
- The WebAssembly build now unconditionally makes use of the sign extension and non-trapping floating-point to integer conversion instructions.
You can read the Go 1.26 release notes for more information.

NiceOS maintainer checklist

Confirm that the detected version is a stable upstream release.
Check upstream changelog for security fixes, ABI/API changes and build-system changes.
Check ABI/API compatibility and reverse dependencies.
Download source into NiceOS lookaside storage.
Update Version and related fields in SPECS/*.spec only if policy allows it.
Regenerate SOURCES/sources.lock.json, manifests, metadata and SBOM.
Build SRPM/RPM in a clean NiceOS buildroot.
Run package smoke tests.
Link PR/build logs and close this issue after update or triage.

Bot metadata

Tool: niceos_upstream_monitor.py 2.1.3-local-websearch-github-release-pages
Generated at: 2026-06-10T23:23:59Z

# Upstream update available: `esbuild` `0.27.2` → `0.28.0` ## Package - Package: `esbuild` - RPM name: `esbuild` - Branch: `niceos-5.2` - Current EVR: `0.27.2-1` - Update class: `minor` - Compare method: `python_rpm` - Update policy: `leaf` - Risk tags: `github-upstream` ## Upstream - Upstream type: `github` - Upstream project: `evanw/esbuild` - Upstream URL: <a href="https://github.com/evanw/esbuild" target="_blank" rel="noopener noreferrer">github.com — esbuild</a> - Detected version: `0.28.0` - Tag/release: `v0.28.0` - Source: `github_release_latest` - Published: `2026-04-02T20:38:53Z` - Release URL: <a href="https://github.com/evanw/esbuild/releases/tag/v0.28.0" target="_blank" rel="noopener noreferrer">github.com — v0.28.0</a> - Source URL: <a href="https://api.github.com/repos/evanw/esbuild/tarball/v0.28.0" target="_blank" rel="noopener noreferrer">api.github.com — v0.28.0</a> - Pre-release: `False` ## Signals - Security-relevant keywords detected: `False` - Policy blocked: `False` - Policy reason: `-` - Labels: `ai-summary, bot, needs-build, needs-triage, priority/medium, update/minor, upstream-update, upstream/github` ## NiceSOFT AI preliminary stability analysis ### 1. Краткий вывод Пакет esbuild получил мелкий обновлённый функционал (поддержку `with { type: 'text' }` и улучшения в Go-компиляторе), но нет значимых изменений в API. Обновление допустимо, но требует проверки RPM-спецификации на совместимость с новыми параметрами. --- ### 2. Риски - **Секура**: Нет обнаруженных CVE или других угроз. - **ABI/API**: Нет значимых изменений в интерфейсе, поэтому риск потери совместимости низкий. - **Ресурсы**: Нет изменений в внутренних структурах, поэтому риск нарушения работы приложений низкий. --- ### 3. Рекомендации - **Обновление**: Допустимо, так как изменений в API нет. - **Проверка RPM-спецификации**: Убедиться, что сборка не зависит от старых версий Go или других компонентов. - **Ручная проверка**: Нужна для уточнения совместимости с текущими настройками системы. --- ### 4. Дополнительные замечания - Обновление включает поддержку `with { type: 'text' }` в JavaScript, что может быть полезно для приложений с текстовыми интерфейсами. - Улучшения в Go-компиляторе могут влиять на производительность, но не на стабильность. --- ### 5. Итог Обновление допустимо, но требует внимательной проверки RPM-спецификации. Риск потери совместимости низкий, но рекомендуется провести ручную проверку для исключения возможных проблем. ### Источники, найденные web_search 1. <a href="https://github.com/evanw/esbuild/releases/tag/v0.28.0" target="_blank" rel="noopener noreferrer">GitHub release API: evanw/esbuild v0.28.0</a> 2. <a href="https://github.com/evanw/esbuild/tree/v0.28.0" target="_blank" rel="noopener noreferrer">GitHub tag page: evanw/esbuild v0.28.0</a> 3. <a href="https://github.com/evanw/esbuild/releases" target="_blank" rel="noopener noreferrer">GitHub releases page: evanw/esbuild</a> 4. <a href="https://github.com/evanw/esbuild/compare/v0.27.2...v0.28.0" target="_blank" rel="noopener noreferrer">GitHub compare page: evanw/esbuild v0.27.2...v0.28.0</a> 5. <a href="https://www.npmjs.com/package/esbuild" target="_blank" rel="noopener noreferrer">esbuild - NPM</a> 6. <a href="https://github.com/evanw/esbuild/blob/main/CHANGELOG.md" target="_blank" rel="noopener noreferrer">CHANGELOG.md - evanw/esbuild - GitHub</a> 7. <a href="https://classic.yarnpkg.com/en/package/esbuild" target="_blank" rel="noopener noreferrer">esbuild | Yarn</a> 8. <a href="https://www.liveworksheets.com/worksheet/en/english-second-language-esl/273520" target="_blank" rel="noopener noreferrer">Big small short… | Free Interactive Worksheets | 273520</a> 9. <a href="https://github.com/evanw/esbuild" target="_blank" rel="noopener noreferrer">evanw/esbuild: An extremely fast bundler for the web - GitHub</a> 10. <a href="https://www.pequerecetas.com/receta/filet-mignon/" target="_blank" rel="noopener noreferrer">Filet mignon, qué es y cómo hacer filete mignon con salsa</a> ## Upstream release notes / description * Add support for `with { type: 'text' }` imports (<a href="https://github.com/evanw/esbuild/issues/4435" target="_blank" rel="noopener noreferrer">#4435</a>) The <a href="https://github.com/tc39/proposal-import-text" target="_blank" rel="noopener noreferrer">import text</a> proposal has reached stage 3 in the TC39 process, which means that it's recommended for implementation. It has also already been implemented by <a href="https://docs.deno.com/examples/importing_text/" target="_blank" rel="noopener noreferrer">Deno</a> and <a href="https://bun.com/docs/guides/runtime/import-html" target="_blank" rel="noopener noreferrer">Bun</a>. So with this release, esbuild also adds support for it. This behaves exactly the same as esbuild's existing <a href="https://esbuild.github.io/content-types/#text" target="_blank" rel="noopener noreferrer">`text` loader</a>. Here's an example: ```js import string from './example.txt' with { type: 'text' } console.log(string) ``` * Add integrity checks to fallback download path (<a href="https://github.com/evanw/esbuild/issues/4343" target="_blank" rel="noopener noreferrer">#4343</a>) Installing esbuild via npm is somewhat complicated with several different edge cases (see <a href="https://esbuild.github.io/getting-started/#additional-npm-flags" target="_blank" rel="noopener noreferrer">esbuild's documentation</a> for details). If the regular installation of esbuild's platform-specific package fails, esbuild's install script attempts to download the platform-specific package itself (first with the `npm` command, and then with a HTTP request to `registry.npmjs.org` as a last resort). This last resort path previously didn't have any integrity checks. With this release, esbuild will now verify that the hash of the downloaded binary matches the expected hash for the current release. This means the hashes for all of esbuild's platform-specific binary packages will now be embedded in the top-level `esbuild` package. Hopefully this should work without any problems. But just in case, this change is being done as a breaking change release. * Update the Go compiler from 1.25.7 to 1.26.1 This upgrade should not affect anything. However, there have been some significant internal changes to the Go compiler, so esbuild could potentially behave differently in certain edge cases: - It now uses the <a href="https://go.dev/doc/go1.26#new-garbage-collector" target="_blank" rel="noopener noreferrer">new garbage collector</a> that comes with Go 1.26. - The Go compiler is now more aggressive with allocating memory on the stack. - The executable format that the Go linker uses has undergone several changes. - The WebAssembly build now unconditionally makes use of the sign extension and non-trapping floating-point to integer conversion instructions. You can read the <a href="https://go.dev/doc/go1.26" target="_blank" rel="noopener noreferrer">Go 1.26 release notes</a> for more information. ## NiceOS maintainer checklist - [ ] Confirm that the detected version is a stable upstream release. - [ ] Check upstream changelog for security fixes, ABI/API changes and build-system changes. - [ ] Check ABI/API compatibility and reverse dependencies. - [ ] Download source into NiceOS lookaside storage. - [ ] Update `Version` and related fields in `SPECS/*.spec` only if policy allows it. - [ ] Regenerate `SOURCES/sources.lock.json`, manifests, metadata and SBOM. - [ ] Build SRPM/RPM in a clean NiceOS buildroot. - [ ] Run package smoke tests. - [ ] Link PR/build logs and close this issue after update or triage. ## Bot metadata - Tool: `niceos_upstream_monitor.py 2.1.3-local-websearch-github-release-pages` - Generated at: `2026-06-10T23:23:59Z`

sbelikov added the

labels

2026-04-28 01:08:43 +03:00