Bump terser and parcel

[dependabot[bot]]

Bumps terser to 5.16.8 and updates ancestor dependency parcel. These dependencies need to be updated together.

Updates terser from 3.17.0 to 5.16.8

Changelog

Sourced from terser's changelog.

v5.16.8

• Become even less conservative around function definitions for reduce_vars
• Fix parsing context of import.meta expressions such that method calls are allowed

v5.16.7

• Become less conservative with analyzing function definitions for reduce_vars
• Parse import.meta as a real AST node and not an object.property

v5.16.5

• Correctly handle AST transform functions that mutate children arrays
• Don't mutate the options object passed to Terser (#1342)
• Do not treat BigInt like a number

v5.16.4

• Keep (defaultArg = undefined) => ..., because default args don't count for function length
• Prevent inlining variables into ?. optional chains
• Avoid removing unused arguments while transforming
• Optimize iterating AST node lists
• Make sure catch and finally aren't children of try in the AST
• Use modern unicode property escapes (\p{...}) to parse identifiers when available

v5.16.3

• Ensure function definitions, don't assume the values of variables defined after them.

v5.16.2

• Fix sourcemaps with non-ascii characters (#1318)
• Support string module name and export * as (#1336)
• Do not move let out of for initializers, as it can change scoping
• Fix a corner case that would generate the invalid syntax if (something) let x ("let" in braceless if body)
• Knowledge of more native object properties (#1330)
• Got rid of Travis (#1323)
• Added semi-secret asObject sourcemap option to typescript defs (#1321)

v5.16.1

• Properly handle references in destructurings (const { [reference]: val } = ...)
• Allow parsing of .#privatefield in nested classes
• Do not evaluate operations that return large strings if that would make the output code larger
• Make collapse_vars handle block scope correctly
• Internal improvements: Typos (#1311), more tests, small-scale refactoring

v5.16.0

• Disallow private fields in object bodies (#1011)

... (truncated)

Commits

• b79e49a 5.16.8
• 350d534 lint
• 7c5b980 update changelog
• e1d7b80 allow chaining methods into import.meta. Closes #1358
• 21600d9 close #1338 where possible (#1360)
• 9117695 5.16.6
• 96abde5 update changelog
• 4d6c4f6 Fix output increase by walking function definitions first. Closes #1338 while...
• 8a1b240 Parse import.meta as a special expression. Closes #1349
• c7d844b 5.16.5
• Additional commits viewable in compare view

Updates parcel from 1.12.4 to 2.8.3

Release notes

Sourced from parcel's releases.

v2.8.3

• Core
  • filter out title execArgv to workers – Details
• Bundler
  • Fix CSS order when merging type change bundles – Details
  • Fix assertion error when mixing CSS modules and non-modules – Details
  • Fix set diff – Details
  • Recursively check reachability when removing asset graphs from bundles in deduplication – Details
• JavaScript
  • Don't retarget dependencies if a symbol is imported multiple times with different local names – Details
  • Fix assigning to this in CommonJS – Details
  • Bump SWC to fix dead branch removal bug – Details
  • Bump swc to fix sourcemaps with Windows line endings – Details
  • Add test cases for ESM initialization problems – Details
• TypeScript
  • Fix TSC sourcemaps metadata – Details
• HTML
  • Fix srcset parsing – Details
• Dev server
  • Apply HMR updates in topological order – Details
  • Fixed the hmr connection with host 0.0.0.0 – Details

v2.8.2

Fixed

• Core
  • Ensure maxListeners for process.stdout accounts for workers – Details
• JavaScript
  • Bump SWC to fix scoping issue with block-less loops – Details
  • Fix requires of external CommonJS SWC helpers – Details

v2.8.1

Fixed

• Core
  • fix: remove @​parcel/utils dep in @​parcel/graph – Details
• JavaScript
  • Don't retarget dependencies with * – Details
  • Fix overriding single export of a export * – Details
  • Add mjs and cjs to resolver extensions – Details
• TypeScript
  • Make ts-types transformer work with TS >= 4.8 – Details
• Web manifest
  • Parse shortcut icons in web app manifests – Details
• SVG
  • Fix transformer-svg-react not finding .svgrrc – Details

v2.8.0

Blog post: https://parceljs.org/blog/v2-8-0/

... (truncated)

Changelog

Sourced from parcel's changelog.

[2.8.3] - 2023-01-18

• Core
  • filter out title execArgv to workers – Details
• Bundler
  • Fix CSS order when merging type change bundles – Details
  • Fix assertion error when mixing CSS modules and non-modules – Details
  • Fix set diff – Details
  • Recursively check reachability when removing asset graphs from bundles in deduplication – Details
• JavaScript
  • Don't retarget dependencies if a symbol is imported multiple times with different local names – Details
  • Fix assigning to this in CommonJS – Details
  • Bump SWC to fix dead branch removal bug – [Details](parcel-bundler/parcel#8742
  • Bump swc to fix sourcemaps with Windows line endings – Details
  • Add test cases for ESM initialization problems – Details
• TypeScript
  • Fix TSC sourcemaps metadata – Details
• HTML
  • Fix srcset parsing – Details
• Dev server
  • Apply HMR updates in topological order – Details
  • Fixed the hmr connection with host 0.0.0.0 – Details

[2.8.2] - 2022-12-14

• Core
  • Ensure maxListeners for process.stdout accounts for workers – Details
• JavaScript
  • Bump SWC to fix scoping issue with block-less loops – Details
  • Fix requires of external CommonJS SWC helpers – Details

[2.8.1] - 2022-12-07

Fixed

• Core
  • fix: remove @​parcel/utils dep in @​parcel/graph – Details
• JavaScript
  • Don't retarget dependencies with * – Details
  • Fix overriding single export of a export * – Details
  • Add mjs and cjs to resolver extensions – Details
• TypeScript
  • Make ts-types transformer work with TS >= 4.8 – Details
• Web manifest
  • Parse shortcut icons in web app manifests – Details
• SVG
  • Fix transformer-svg-react not finding .svgrrc – Details

[2.8.0] - 2022-11-09

... (truncated)

Commits

• 349a6ca v2.8.3
• a86c53c Changelog for v2.8.3
• 7023c08 Address bug by updating an asset reference and merge conditions (#8762)
• ddae31a Fix CSS order when merging type change bundles (#8766)
• 2172672 fixing failing build for contributors on Linux using Node 18 (#8763)
• 723e844 Extension: Importers View and separate LSP protocol package (#8747)
• e2deeec Bump swc to fix sourcemaps with Windows line endings (#8756)
• fdae6c0 Apply HMR updates in topological order (#8752)
• e21af59 Make extension packaging work (#8730)
• c97cf38 Typed api.storeResult (#8732)
• Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the Security Alerts page.

> **Note** > Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

[socket-security[bot]]

New dependency changes detected. Learn more about Socket for GitHub ↗︎

---

🚨 Potential security issues found in this pull request. To accept the risk, merge this PR and you will not be notified again.

Bot Commands

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore [email protected] bar@* or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore @parcel/[email protected]
• @SocketSecurity ignore [email protected]
• @SocketSecurity ignore [email protected]

🫣 Native code

Contains native code which could be a vector to obscure malicious code, and generally decrease the likelihood of reproducible or reliable installs.

Ensure that native code bindings are expected. Consumers may consider pure JS and functionally similar alternatives to avoid the challenges and risks associated with native code bindings.

Package	Location	Source
@parcel/[email protected] (upgraded)	binding.gyp	package-lock.json via [email protected]
[email protected] (added)	binding.gyp	package-lock.json via [email protected]
[email protected] (added)	binding.gyp	package-lock.json via [email protected]

Pull request alert summary

Issue	Status
Install scripts	✅ 0 issues
Native code	⚠️ 3 issues
Bin script shell injection	✅ 0 issues
Unresolved require	✅ 0 issues
Invalid package.json	✅ 0 issues
HTTP dependency	✅ 0 issues
Git dependency	✅ 0 issues
Potential typo squat	✅ 0 issues
Known Malware	✅ 0 issues
Telemetry	✅ 0 issues
Protestware/Troll package	✅ 0 issues

---

📊 Modified Dependency Overview:

⬆️ Updated Package	Version Diff	Capability Access	+/- Transitive Count	Publisher
[email protected]	1.12.4...2.8.3	eval, network, filesystem, shell, environment	+137/-562	devongovett