tools(deps): bump esbuild and vercel in /tools

[dependabot]

Bumps esbuild to 0.27.0 and updates ancestor dependency vercel. These dependencies need to be updated together.

Updates esbuild from 0.14.47 to 0.27.0

Release notes

Sourced from esbuild's releases.

v0.27.0

This release deliberately contains backwards-incompatible changes. To avoid automatically picking up releases like this, you should either be pinning the exact version of esbuild in your package.json file (recommended) or be using a version range syntax that only accepts patch upgrades such as ^0.26.0 or ~0.26.0. See npm's documentation about semver for more information.

• Use Uint8Array.fromBase64 if available (#4286)

  With this release, esbuild's binary loader will now use the new Uint8Array.fromBase64 function unless it's unavailable in the configured target environment. If it's unavailable, esbuild's previous code for this will be used as a fallback. Note that this means you may now need to specify target when using this feature with Node (for example --target=node22) unless you're using Node v25+.

• Update the Go compiler from v1.23.12 to v1.25.4 (#4208, #4311)

  This raises the operating system requirements for running esbuild:

  • Linux: now requires a kernel version of 3.2 or later
  • macOS: now requires macOS 12 (Monterey) or later

v0.26.0

• Enable trusted publishing (#4281)

  GitHub and npm are recommending that maintainers for packages such as esbuild switch to trusted publishing. With this release, a VM on GitHub will now build and publish all of esbuild's packages to npm instead of me. In theory.

  Unfortunately there isn't really a way to test that this works other than to do it live. So this release is that live test. Hopefully this release is uneventful and is exactly the same as the previous one (well, except for the green provenance attestation checkmark on npm that happens with trusted publishing).

v0.25.12

• Fix a minification regression with CSS media queries (#4315)

  The previous release introduced support for parsing media queries which unintentionally introduced a regression with the removal of duplicate media rules during minification. Specifically the grammar for @media <media-type> and <media-condition-without-or> { ... } was missing an equality check for the <media-condition-without-or> part, so rules with different suffix clauses in this position would incorrectly compare equal and be deduplicated. This release fixes the regression.

• Update the list of known JavaScript globals (#4310)

  This release updates esbuild's internal list of known JavaScript globals. These are globals that are known to not have side-effects when the property is accessed. For example, accessing the global Array property is considered to be side-effect free but accessing the global scrollY property can trigger a layout, which is a side-effect. This is used by esbuild's tree-shaking to safely remove unused code that is known to be side-effect free. This update adds the following global properties:

  From ES2017:

  • Atomics
  • SharedArrayBuffer

  From ES2020:

  • BigInt64Array
  • BigUint64Array

  From ES2021:

  • FinalizationRegistry
  • WeakRef

  From ES2025:

  • Float16Array
  • Iterator

  Note that this does not indicate that constructing any of these objects is side-effect free, just that accessing the identifier is side-effect free. For example, this now allows esbuild to tree-shake classes that extend from Iterator:

  // This can now be tree-shaken by esbuild:

... (truncated)

Changelog

Sourced from esbuild's changelog.

Changelog: 2022

This changelog documents all esbuild versions published in the year 2022 (versions 0.14.11 through 0.16.12).

0.16.12

• Loader defaults to js for extensionless files (#2776)

  Certain packages contain files without an extension. For example, the yargs package contains the file yargs/yargs which has no extension. Node, Webpack, and Parcel can all understand code that imports yargs/yargs because they assume that the file is JavaScript. However, esbuild was previously unable to understand this code because it relies on the file extension to tell it how to interpret the file. With this release, esbuild will now assume files without an extension are JavaScript files. This can be customized by setting the loader for "" (the empty string, representing files without an extension) to another loader. For example, if you want files without an extension to be treated as CSS instead, you can do that like this:

  • CLI:

    esbuild --bundle --loader:=css
    

  • JS:

    esbuild.build({
      bundle: true,
      loader: { '': 'css' },
    })

  • Go:

    api.Build(api.BuildOptions{
      Bundle: true,
      Loader: map[string]api.Loader{"": api.LoaderCSS},
    })

  In addition, the "type" field in package.json files now only applies to files with an explicit .js, .jsx, .ts, or .tsx extension. Previously it was incorrectly applied by esbuild to all files that had an extension other than .mjs, .mts, .cjs, or .cts including extensionless files. So for example an extensionless file in a "type": "module" package is now treated as CommonJS instead of ESM.

0.16.11

• Avoid a syntax error in the presence of direct eval (#2761)

  The behavior of nested function declarations in JavaScript depends on whether the code is run in strict mode or not. It would be problematic if esbuild preserved nested function declarations in its output because then the behavior would depend on whether the output was run in strict mode or not instead of respecting the strict mode behavior of the original source code. To avoid this, esbuild transforms nested function declarations to preserve the intended behavior of the original source code regardless of whether the output is run in strict mode or not:

  // Original code
  if (true) {
    function foo() {}
    console.log(!!foo)
    foo = null
    console.log(!!foo)
  }

... (truncated)

Commits

• 2b91699 publish 0.27.0 to npm
• 22b425c fix #4286: use Uint8Array.fromBase64 if present (#4295)
• 6d187ef update go 1.25.3 => 1.25.4
• 9d0d4e7 update go 1.23.12 => 1.25.3 (#4318)
• b6979d8 use a patched go compiler for release builds
• 893d2b9 delete temporary release.yml workflow
• cee3918 add a temporary release.yml workflow
• f5bb1d6 fix publish.yml
• 17ff82b publish 0.26.0 to npm
• f87181f enable trusted publishing (#4319)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for esbuild since your current version.

Updates vercel from 32.0.0 to 50.12.3

Release notes

Sourced from vercel's releases.

vercel@50.12.3

Patch Changes

• Updated dependencies [9561dbff50f66222cbc99d2a00042338ec692b4f, 299527554c6dc1b94b08e89c677231409005cc75]:
  • @​vercel/next@​4.15.24
  • @​vercel/python@​6.7.0

vercel@50.12.2

Patch Changes

• Add source and defaultResourceName query params to legacy integration add web UI path (#14868)

• [services] build time service url env vars (#14893)

• Updated dependencies [fc357e11cb4b00ab8ec413a0ea3586a87e733f0e, 84f121190813b2840a6a16279dcaa75dcb2872cd, ff320caa5c8a0857aad0b989699207a6a703256f]:

  • @​vercel/build-utils@​13.3.2
  • @​vercel/go@​3.4.0
  • @​vercel/backends@​0.0.29
  • @​vercel/elysia@​0.1.31
  • @​vercel/express@​0.1.40
  • @​vercel/fastify@​0.1.34
  • @​vercel/h3@​0.1.40
  • @​vercel/hono@​0.2.34
  • @​vercel/hydrogen@​1.3.5
  • @​vercel/koa@​0.1.14
  • @​vercel/nestjs@​0.2.35
  • @​vercel/next@​4.15.23
  • @​vercel/node@​5.5.32
  • @​vercel/python@​6.6.0
  • @​vercel/redwood@​2.4.9
  • @​vercel/remix-builder@​5.5.10
  • @​vercel/ruby@​2.2.5
  • @​vercel/rust@​1.0.5
  • @​vercel/static-build@​2.8.33

vercel@50.12.1

Patch Changes

• Add support for VERCEL_TOKEN environment variable (#14831)

  The CLI now reads the VERCEL_TOKEN environment variable as an alternative to the --token flag. This allows for easier scripting and CI/CD integration without needing to pass the token as a command-line argument.

  The --token flag takes precedence over the environment variable when both are provided.

• Fix vc link --repo in git worktree (#14867)

• Simplify CLI update prompt to yes/no confirmation with changelog link in body (#14885)

• Updated dependencies [df1d02d5257e33dc10640b20eea1c1e59c5842cf, e558a1657f5aa43048cde0f3b97bead7c9bf1070]:

  • @​vercel/next@​4.15.23

... (truncated)

Changelog

Sourced from vercel's changelog.

50.12.3

Patch Changes

• Updated dependencies [9561dbff50f66222cbc99d2a00042338ec692b4f, 299527554c6dc1b94b08e89c677231409005cc75]:
  • @​vercel/next@​4.15.24
  • @​vercel/python@​6.7.0

50.12.2

Patch Changes

• Add source and defaultResourceName query params to legacy integration add web UI path (#14868)

• [services] build time service url env vars (#14893)

• Updated dependencies [fc357e11cb4b00ab8ec413a0ea3586a87e733f0e, 84f121190813b2840a6a16279dcaa75dcb2872cd, ff320caa5c8a0857aad0b989699207a6a703256f]:

  • @​vercel/build-utils@​13.3.2
  • @​vercel/go@​3.4.0
  • @​vercel/backends@​0.0.29
  • @​vercel/elysia@​0.1.31
  • @​vercel/express@​0.1.40
  • @​vercel/fastify@​0.1.34
  • @​vercel/h3@​0.1.40
  • @​vercel/hono@​0.2.34
  • @​vercel/hydrogen@​1.3.5
  • @​vercel/koa@​0.1.14
  • @​vercel/nestjs@​0.2.35
  • @​vercel/next@​4.15.23
  • @​vercel/node@​5.5.32
  • @​vercel/python@​6.6.0
  • @​vercel/redwood@​2.4.9
  • @​vercel/remix-builder@​5.5.10
  • @​vercel/ruby@​2.2.5
  • @​vercel/rust@​1.0.5
  • @​vercel/static-build@​2.8.33

50.12.1

Patch Changes

• Add support for VERCEL_TOKEN environment variable (#14831)

  The CLI now reads the VERCEL_TOKEN environment variable as an alternative to the --token flag. This allows for easier scripting and CI/CD integration without needing to pass the token as a command-line argument.

  The --token flag takes precedence over the environment variable when both are provided.

• Fix vc link --repo in git worktree (#14867)

• Simplify CLI update prompt to yes/no confirmation with changelog link in body (#14885)

... (truncated)

Commits

• 4f4db9a Version Packages (#14899)
• df04c98 Version Packages (#14890)
• ff320ca [services] build time service url env vars (#14893)
• 888c4cb feat(cli): Add source and defaultResourceName to legacy integration add pat...
• 7a74734 [python-analysis] Fix ESM compatibility (#14869)
• 9732c93 Version Packages (#14887)
• 1ea69c0 Add support for VERCEL_TOKEN environment variable (#14831)
• 927c822 Fix vc link --repo in git worktree (#14867)
• f457ce1 fix(cli): Simplify update prompt to yes/no confirmation (#14885)
• 14e7cf1 Version Packages (#14862)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
tact	Error		Feb 6, 2026 8:23am