Skip to content

deps: Bump esbuild from 0.27.7 to 0.28.0 in /vscode-mdl#98

Merged
ako merged 1 commit intomainfrom
dependabot/npm_and_yarn/vscode-mdl/esbuild-0.28.0
Apr 4, 2026
Merged

deps: Bump esbuild from 0.27.7 to 0.28.0 in /vscode-mdl#98
ako merged 1 commit intomainfrom
dependabot/npm_and_yarn/vscode-mdl/esbuild-0.28.0

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Apr 3, 2026
edited
Loading

Bumps esbuild from 0.27.7 to 0.28.0.

Release notes

Sourced from esbuild's releases.

v0.28.0

  • Add support for with { type: 'text' } imports (#4435)

    The import text proposal has reached stage 3 in the TC39 process, which means that it's recommended for implementation. It has also already been implemented by Deno and Bun. So with this release, esbuild also adds support for it. This behaves exactly the same as esbuild's existing text loader. Here's an example:

    import string from './example.txt' with { type: 'text' }
console.log(string)

  • Add integrity checks to fallback download path (#4343)

    Installing esbuild via npm is somewhat complicated with several different edge cases (see esbuild's documentation for details). If the regular installation of esbuild's platform-specific package fails, esbuild's install script attempts to download the platform-specific package itself (first with the npm command, and then with a HTTP request to registry.npmjs.org as a last resort).

    This last resort path previously didn't have any integrity checks. With this release, esbuild will now verify that the hash of the downloaded binary matches the expected hash for the current release. This means the hashes for all of esbuild's platform-specific binary packages will now be embedded in the top-level esbuild package. Hopefully this should work without any problems. But just in case, this change is being done as a breaking change release.

  • Update the Go compiler from 1.25.7 to 1.26.1

    This upgrade should not affect anything. However, there have been some significant internal changes to the Go compiler, so esbuild could potentially behave differently in certain edge cases:

    • It now uses the new garbage collector that comes with Go 1.26.
    • The Go compiler is now more aggressive with allocating memory on the stack.
    • The executable format that the Go linker uses has undergone several changes.
    • The WebAssembly build now unconditionally makes use of the sign extension and non-trapping floating-point to integer conversion instructions.

    You can read the Go 1.26 release notes for more information.

Changelog

Sourced from esbuild's changelog.

0.28.0

  • Add support for with { type: 'text' } imports (#4435)

    The import text proposal has reached stage 3 in the TC39 process, which means that it's recommended for implementation. It has also already been implemented by Deno and Bun. So with this release, esbuild also adds support for it. This behaves exactly the same as esbuild's existing text loader. Here's an example:

    import string from './example.txt' with { type: 'text' }
console.log(string)

  • Add integrity checks to fallback download path (#4343)

    Installing esbuild via npm is somewhat complicated with several different edge cases (see esbuild's documentation for details). If the regular installation of esbuild's platform-specific package fails, esbuild's install script attempts to download the platform-specific package itself (first with the npm command, and then with a HTTP request to registry.npmjs.org as a last resort).

    This last resort path previously didn't have any integrity checks. With this release, esbuild will now verify that the hash of the downloaded binary matches the expected hash for the current release. This means the hashes for all of esbuild's platform-specific binary packages will now be embedded in the top-level esbuild package. Hopefully this should work without any problems. But just in case, this change is being done as a breaking change release.

  • Update the Go compiler from 1.25.7 to 1.26.1

    This upgrade should not affect anything. However, there have been some significant internal changes to the Go compiler, so esbuild could potentially behave differently in certain edge cases:

    • It now uses the new garbage collector that comes with Go 1.26.
    • The Go compiler is now more aggressive with allocating memory on the stack.
    • The executable format that the Go linker uses has undergone several changes.
    • The WebAssembly build now unconditionally makes use of the sign extension and non-trapping floating-point to integer conversion instructions.

    You can read the Go 1.26 release notes for more information.

Commits
  • 6a794df publish 0.28.0 to npm
  • 64ee0ea fix #4435: support with { type: text } imports
  • ef65aee fix sort order in snapshots_packagejson.txt
  • 1a26a8e try to fix test-old-ts, also shuffle CI tasks
  • 556ce6c use '' instead of null to omit build hashes
  • 8e675a8 ci: allow missing binary hashes for tests
  • 7067763 Reapply "update go 1.25.7 => 1.26.1"
  • 39473a9 fix #4343: integrity check for binary download
  • See full diff in compare view

@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot bot commented on behalf of github Apr 3, 2026

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 3, 2026

AI Code Review

What Looks Good

  • The PR performs a routine dependency update in the VS Code extension (vscode-mdl/package.json), bumping esbuild from ^0.27.3 to ^0.28.0.
  • The update incorporates esbuild's v0.28.0 improvements, including support for the import text proposal (with { type: 'text' } imports) and enhanced security via integrity checks in the fallback download path.
  • The change is isolated to the VS Code extension's build tooling and does not affect MDL syntax, Go code, core functionality, or the full-stack pipeline (grammar, AST, visitor, executor, etc.).
  • The project uses bun for the VS Code extension (per CLAUDE.md), and esbuild's breaking changes in v0.28.0 relate to npm installation paths, which are unlikely to impact the extension's bun-based build process.

Recommendation

Approve. The dependency bump is appropriate, well-scoped, and poses no risks to the project's MDL functionality or code quality. No changes to the review checklist items are required as this is purely a dependency update in the VS Code extension.

Automated review via OpenRouter (Nemotron Super 120B) — workflow source

@dependabot
deps: bump esbuild from 0.27.7 to 0.28.0 in /vscode-mdl
8177da8 
Bumps [esbuild](https://github.com/evanw/esbuild) from 0.27.7 to 0.28.0.
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG.md)
- [Commits](evanw/esbuild@v0.27.7...v0.28.0)

---
updated-dependencies:
- dependency-name: esbuild
  dependency-version: 0.28.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot changed the title deps: bump esbuild from 0.27.7 to 0.28.0 in /vscode-mdl deps: Bump esbuild from 0.27.7 to 0.28.0 in /vscode-mdl Apr 4, 2026
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/vscode-mdl/esbuild-0.28.0 branch from d2f571a to 8177da8 Compare April 4, 2026 13:10
@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 4, 2026

AI Code Review

What Looks Good

  • The PR updates a single dependency (esbuild) in the VS Code extension's devDependencies, which is a routine maintenance task.
  • The esbuild 0.28.0 release includes beneficial improvements: support for the import text proposal (stage 3), integrity checks for fallback downloads (enhancing security/reliability), and a Go compiler update.
  • The change is minimal, focused, and follows standard dependency update practices.
  • No risks are apparent given that the VS Code extension uses bun (not npm/node) for installation, mitigating concerns about the npm-specific breaking change mentioned in the release notes.

Recommendation

Approve the PR. This dependency update is safe and brings worthwhile improvements without introducing conflicts or violations of the project's guidelines. No changes are required.

Automated review via OpenRouter (Nemotron Super 120B) — workflow source

@ako ako merged commit b8af2bc into main Apr 4, 2026
4 checks passed
@dependabot dependabot bot deleted the dependabot/npm_and_yarn/vscode-mdl/esbuild-0.28.0 branch April 4, 2026 16:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ako