Bump esbuild, vite and vite-plugin-static-copy

[dependabot]

Bumps esbuild to 0.27.3 and updates ancestor dependencies esbuild, vite and vite-plugin-static-copy. These dependencies need to be updated together.

Updates esbuild from 0.21.5 to 0.27.3

Release notes

Sourced from esbuild's releases.

v0.27.3

• Preserve URL fragments in data URLs (#4370)

  Consider the following HTML, CSS, and SVG:

  • index.html:

    <!DOCTYPE html>
    <html>
      <head><link rel="stylesheet" href="icons.css"></head>
      <body><div class="triangle"></div></body>
    </html>

  • icons.css:

    .triangle {
      width: 10px;
      height: 10px;
      background: currentColor;
      clip-path: url(./triangle.svg#x);
    }

  • triangle.svg:

    <svg xmlns="http://www.w3.org/2000/svg">
      <defs>
        <clipPath id="x">
          <path d="M0 0H10V10Z"/>
        </clipPath>
      </defs>
    </svg>

  The CSS uses a URL fragment (the #x) to reference the clipPath element in the SVG file. Previously esbuild's CSS bundler didn't preserve the URL fragment when bundling the SVG using the dataurl loader, which broke the bundled CSS. With this release, esbuild will now preserve the URL fragment in the bundled CSS:

  /* icons.css */
  .triangle {
    width: 10px;
    height: 10px;
    background: currentColor;
    clip-path: url('data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg"><defs><clipPath id="x"><path d="M0 0H10V10Z"/></clipPath></defs></svg>#x');
  }

... (truncated)

Changelog

Sourced from esbuild's changelog.

Changelog: 2024

This changelog documents all esbuild versions published in the year 2024 (versions 0.19.12 through 0.24.2).

0.24.2

• Fix regression with --define and import.meta (#4010, #4012, #4013)

  The previous change in version 0.24.1 to use a more expression-like parser for define values to allow quoted property names introduced a regression that removed the ability to use --define:import.meta=.... Even though import is normally a keyword that can't be used as an identifier, ES modules special-case the import.meta expression to behave like an identifier anyway. This change fixes the regression.

  This fix was contributed by @​sapphi-red.

0.24.1

• Allow es2024 as a target in tsconfig.json (#4004)

  TypeScript recently added es2024 as a compilation target, so esbuild now supports this in the target field of tsconfig.json files, such as in the following configuration file:

  {
    "compilerOptions": {
      "target": "ES2024"
    }
  }

  As a reminder, the only thing that esbuild uses this field for is determining whether or not to use legacy TypeScript behavior for class fields. You can read more in the documentation.

  This fix was contributed by @​billyjanitsch.

• Allow automatic semicolon insertion after get/set

  This change fixes a grammar bug in the parser that incorrectly treated the following code as a syntax error:

  class Foo {
    get
    *x() {}
    set
    *y() {}
  }

  The above code will be considered valid starting with this release. This change to esbuild follows a similar change to TypeScript which will allow this syntax starting with TypeScript 5.7.

• Allow quoted property names in --define and --pure (#4008)

  The define and pure API options now accept identifier expressions containing quoted property names. Previously all identifiers in the identifier expression had to be bare identifiers. This change now makes --define and --pure consistent with --global-name, which already supported quoted property names. For example, the following is now possible:

... (truncated)

Commits

• 9129e00 publish 0.27.3 to npm
• e20e411 small fix to release notes
• 0dc0f2d fix #4322: parse and print CSS @scope rules
• 55fe391 update firefox css gradient support
• 2c35297 update gradient lowering transform
• 9209e44 Update Go to 1.25.7 (#4388)
• e8d861b close #4374: compat table for the using feature
• 19b8887 no longer need williamkapke/node-compat-table
• 7e44218 the kangax/compat-table repo moved to a new url
• 23b9338 run make update-compat-table
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for esbuild since your current version.

Updates vite from 5.4.21 to 7.3.1

Release notes

Sourced from vite's releases.

v7.3.1

Please refer to CHANGELOG.md for details.

v7.3.0

Please refer to CHANGELOG.md for details.

v7.2.7

Please refer to CHANGELOG.md for details.

v7.2.6

Please refer to CHANGELOG.md for details.

v7.2.5

Please refer to CHANGELOG.md for details.

Note: 7.2.5 failed to publish so it is skipped on npm

v7.2.4

Please refer to CHANGELOG.md for details.

v7.2.3

Please refer to CHANGELOG.md for details.

v7.2.2

Please refer to CHANGELOG.md for details.

plugin-legacy@7.2.1

Please refer to CHANGELOG.md for details.

v7.2.1

Please refer to CHANGELOG.md for details.

plugin-legacy@7.2.0

Please refer to CHANGELOG.md for details.

v7.2.0

Please refer to CHANGELOG.md for details.

v7.2.0-beta.1

Please refer to CHANGELOG.md for details.

v7.2.0-beta.0

Please refer to CHANGELOG.md for details.

v7.1.12

Please refer to CHANGELOG.md for details.

v7.1.11

Please refer to CHANGELOG.md for details.

... (truncated)

Changelog

Sourced from vite's changelog.

7.3.1 (2026-01-07)

Features

• add ignoreOutdatedRequests option to optimizeDeps (#21364) (9d39d37)

7.3.0 (2025-12-15)

Features

• deps: update esbuild from ^0.25.0 to ^0.27.0 (#21183) (cff26ec)

7.2.7 (2025-12-08)

Bug Fixes

• plugin shortcut support (#21211) (721f163)

7.2.6 (2025-12-01)

7.2.5 (2025-12-01)

Bug Fixes

• config: handle shebang properly (#21158) (df5a30d)
• deps: update all non-major dependencies (#21146) (a3cd262)
• deps: update all non-major dependencies (#21175) (72e398a)
• fix external: true merging (#21164) (5ef557a)
• shortcuts not rebound after server restart (#21166) (3765f7b)

Performance Improvements

• deps: replace debug with obug (#21137) (203a551)

Documentation

• clarify manifest.json imports field is JS chunks only (#21136) (46d3077)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#21174) (74559c9)

7.2.4 (2025-11-20)

Bug Fixes

• revert "perf(deps): replace debug with obug (#21107)" (2d66b7b)

7.2.3 (2025-11-20)

Bug Fixes

• allow multiple bindCLIShortcuts calls with shortcut merging (#21103) (5909efd)
• deps: update all non-major dependencies (#21096) (6a34ac3)
• deps: update all non-major dependencies (#21128) (4f8171e)

Performance Improvements

... (truncated)

Commits

• 95e8923 release: v7.3.1
• 9d39d37 feat: add ignoreOutdatedRequests option to optimizeDeps (#21364)
• acf7e05 release: v7.3.0
• cff26ec feat(deps): update esbuild from ^0.25.0 to ^0.27.0 (#21183)
• 317b3b2 release: v7.2.7
• 721f163 fix: plugin shortcut support (#21211)
• bda5dbb release: v7.2.6
• 3aa7527 release: v7.2.5
• 72e398a fix(deps): update all non-major dependencies (#21175)
• 3765f7b fix: shortcuts not rebound after server restart (#21166)
• Additional commits viewable in compare view

Updates vite-plugin-static-copy from 1.0.6 to 3.2.0

Release notes

Sourced from vite-plugin-static-copy's releases.

vite-plugin-static-copy@3.2.0

Minor Changes

• #219 fbb2a7a Thanks @​sapphi-red! - Add environment option to configure which environment the plugin runs in. Defaults to 'client'.

vite-plugin-static-copy@3.1.6

Patch Changes

• #217 e3d457d Thanks @​sapphi-red! - Only skip non-client environments when multiple environments exist.

vite-plugin-static-copy@3.1.5

Patch Changes

• #214 3f252cc Thanks @​sapphi-red! - Only copy for the client environment.

vite-plugin-static-copy@3.1.4

Patch Changes

• #204 d0b5370 Thanks @​stianjensen! - Removed fs-extra dependency in favor of node:fs. This should not affect the behavior.

vite-plugin-static-copy@3.1.3

Patch Changes

• #202 9388186 Thanks @​sapphi-red! - Switched to use trusted publisher to publish the package.

vite-plugin-static-copy@3.1.2

Patch Changes

• #195 0bc6b49 Thanks @​sapphi-red! - Files not included in src was possible to acess with a crafted request. See GHSA-pp7p-q8fx-2968 for more details.

vite-plugin-static-copy@3.1.1

Patch Changes

• #186 fc84156 Thanks @​sapphi-red! - fix a bug that the content was not sent when multiple vite-plugin-static-copy instance was used

vite-plugin-static-copy@3.1.0

Minor Changes

• #171 9c7cf2e Thanks @​MrRefactoring! - add Vite 7 to peer dep range

vite-plugin-static-copy@3.0.2

Patch Changes

• #167 89458b2 Thanks @​sapphi-red! - improved file grouping algorithm for better performance

vite-plugin-static-copy@3.0.1

Patch Changes

• #166 60409c5 Thanks @​sapphi-red! - fix absolute destination paths in copy targets incorrectly returning contents in dev

... (truncated)

Changelog

Sourced from vite-plugin-static-copy's changelog.

3.2.0

Minor Changes

• #219 fbb2a7a Thanks @​sapphi-red! - Add environment option to configure which environment the plugin runs in. Defaults to 'client'.

3.1.6

Patch Changes

• #217 e3d457d Thanks @​sapphi-red! - Only skip non-client environments when multiple environments exist.

3.1.5

Patch Changes

• #214 3f252cc Thanks @​sapphi-red! - Only copy for the client environment.

3.1.4

Patch Changes

• #204 d0b5370 Thanks @​stianjensen! - Removed fs-extra dependency in favor of node:fs. This should not affect the behavior.

3.1.3

Patch Changes

• #202 9388186 Thanks @​sapphi-red! - Switched to use trusted publisher to publish the package.

3.1.2

Patch Changes

• #195 0bc6b49 Thanks @​sapphi-red! - Files not included in src was possible to acess with a crafted request. See GHSA-pp7p-q8fx-2968 for more details.

3.1.1

Patch Changes

• #186 fc84156 Thanks @​sapphi-red! - fix a bug that the content was not sent when multiple vite-plugin-static-copy instance was used

3.1.0

Minor Changes

• #171 9c7cf2e Thanks @​MrRefactoring! - add Vite 7 to peer dep range

3.0.2

... (truncated)

Commits

• 95ae5d5 chore: update versions (#220)
• fbb2a7a feat: add environment option (#219)
• fc9d07b chore: add compatiblePackages field
• 4bb09d2 chore: add funding field
• 305c32e chore: update versions (#218)
• e3d457d fix: skip non-client env only when multiple envs exist (#217)
• 4746d00 chore: update versions (#215)
• 3f252cc fix: skip copy for non-client environments (#214)
• a66d131 fix(deps): update all non-major dependencies (#209)
• 00a396b chore(deps): update actions/checkout action to v6 (#210)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for vite-plugin-static-copy since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.