- Use
hasown
instead ofhas
. (4b1a5dc) - Use
String.prototype.slice
instead ofString.prototype.substr
. (#2036) - Support relative paths in the
noParse
option. (#2080)
- Upgrade events to v3.x. EventEmitter instances now have an
off()
method.require('events').once
can be used to react to an event being emitted withasync
/await
syntax. (#1839) - Upgrade path-browserify to v1.x. (#1838)
- Upgrade stream-browserify to v3.x.
require('stream')
now matches the Node.js 10+ API. (#1970) - Upgrade util to v0.12. Most notably,
util.promisify
andutil.callbackify
are finally available by default in browserify. (#1844) - Add JSON syntax checking. Syntax errors in
.json
files will now fail to bundle. (#1700)
Upgrade browser-resolve to v2.
Remove deprecated mkdirp
version in favour of mkdirp-classic
.
https://github.com/browserify/browserify/commit/00c913fa345dbb7f612bdad6b4acc91c706e98b2
Pin dependencies for Node.js 0.8 support.
Support custom name for "browser"
field resolution in package.json
using the browserField
option.
Upgrade stream-http to v3. This version drops support for IE10 and below.
add empty stub for the http2
builtin module.
update license text to remove references to code that is no longer included.
add more tests for folder resolution.
add empty stub for the inspector
builtin module.
change the "browser" field link to the browser-field-spec repo instead of the old gist.
Remove some extraneous files from the published package.
Fix relative --external
paths on Windows.
Fix tests to work on Windows, and add Appveyor CI for Windows testing.
update the browser versions of vm-browserify
and string_decoder
.
string_decoder
updates to the Node 8+ API.
vm-browserify
replaces an unlicensed dependency by an MIT one.
add empty stub for the perf_hooks
builtin module.
add bare
and node
options to the API, same as the --bare
and --node
CLI arguments.
add --preserve-symlinks
option from Node 6.3
update the browser version of events
to 2.0.0—this version adds methods like prependListener
that were introduced in recent node versions, but it is also twice the size of events v1.x (2KB instead of 1KB).
Dynamically calculate __dirname
and __filename
when --node
is passed
upgrade module-deps, see https://github.com/browserify/module-deps/releases/tag/v6.0.0
https://github.com/browserify/browserify/commit/e5e1ec8799f1007a56118ae46646e0048385ed84
create parent directories if they do not exist when --outfile /x/y/z/bundle.js
is used
add regression test for object rest spread syntax
restore support for node < 4.0
until we can decide on a support schedule
fixed repository url in package.json.
https://github.com/browserify/browserify/commit/5ec19eed48a5f46cb48d44be8ffc2f6bfb73fbfb
update module-deps
to 5.0.0, which enables requiring modules in backtick-enclosed strings.
dropped testing in node 0.10 and 0.12, set supported node versions to >=4
add support for passing arrays to the exclude
and ignore
methods.
update os-browserify
to 0.3.0, which adds a shim for node.js's os.homedir
method.
update browserify-zlib
to 0.2.0, which adds support for dictionaries.
update string_decoder
to 1.0.0, which matches the latest node.js behavior more closely.
update https-browserify
to 1.0.0, which matches node.js behavior more closely.
- throw exception if non-https URL is passed to
https.request
orhttps.get
- support passing string URL as first argument to
https.request
andhttps.get
adds a --transform-key flag to the command-line tool
writes to a temp outfile until success
Previously, browserify would overwrite output files when an error occurs.
Updates the version of the buffer package, which drops support for IE8-10.
buffer v5 removes the Object
implementation and relies on a single,
fast Typed Array (Uint8Array
) implementation, greatly simplifying the
maintanence of the buffer package.
If IE8-10 support is critical to your web app, you can continue to rely on browserify v13, or see the PR for other workarounds.
updates the version for the assert package
allow configuring transformKey from module-deps #1670
boost performance by memoizing calls to path.relative()
exposes opts.dedupe
and --no-deupe
to optionally turn off deduping behavior:
#1581
#1552, #1555: Use native Array.isArray
and drop isarray
dep. (@kt3k)
This release bumps the buffer
dependency
to v4, which has one possible breaking change:
- The
buffer.toArrayBuffer()
method onBuffer
instances has been removed.
(This is probably not a problem for 99.9% of users.)
This API was added in node v0.11.8 and
removed before v0.12 was released.
It was added to browserify's buffer
implementation but was never removed when v0.12
was released. buffer
v4 removes it so we have full parity with node.js.
Going forward, to get an ArrayBuffer
from a node.js-style Buffer
, users should
just use buffer.buffer
. This works because Buffer
is a subclass of Uint8Array
in both the browser and node.js (since v3).
On the plus side, this release also includes:
- Performance improvements to
buffer
that increase the speed of some buffer methods by as much as 30%!
normalizes module paths on windows to consistently use /
adds the previously failing tests and a small change necessary for transforms to be applied properly for symlinked packages
Node support changes: now testing against the latest node (currently 4.2.1). node 0.8 is no longer supported, and iojs isn't actively tested.
Stream3 everywhere! Everything has been updated to use streams3.
Sourcemaps charset now uses an =
instead of a :
. This fixes certain issues
with Chinese characters in sourcemaps. See #753.
module-deps has been updated to fix root transforms on symlinked modules. See browserify/module-deps#99.
stream-http, the module that provides http
support, dropped IE8 support. If
you depend on this, see https://github.com/jhiesey/stream-http#ie8-note.
Removed builtins
and commondir
– both unused dependencies.
When bundleExternal
is set to false
, process
and buffer
are now correctly excluded. Also, using --igv
via the CLI now works. That also means that --bare
and --node
actually insert __filename
and __dirname
.
adds a '.'
to extensions if it wasn't added
The callback form of bundle() uses the returned output stream instead of the
pipeline so that the 'end'
event will fire on the bundle instance.
browserify/watchify#249 (comment)
The readable-stream
dependency was updated to ^2.0.0
. This package is inserted into bundles as require('stream')
. Bundles will now get the latest streams implementation from io.js/node.js core, instead of an old version from node.js 0.11.x. Go forth and stream ALL THE DATA without fear!
John Hiesey rewrote the http-browserify package
to create stream-http, an implemention of http
that supports streaming in modern browsers. Before v11.0.0, in most situations when you used http.get
or http.request
, the entire request would buffer in memory until the download was complete, and a single 'data'
event was emitted with the entire response as a string.
stream-http
uses the Fetch API and various browser-specific XHR extensions to make binary streaming http requests work in as many browsers as possible.
The following browsers support true streaming, where only a small amount of the request has to be held in memory at once:
- Chrome >= 43 (using the
fetch
api) - Firefox >= 9 (using
moz-chunked-arraybuffer
responseType with XHR)
The following browsers support pseudo-streaming, where the data is available before the request finishes, but the entire response must be held in memory:
- Safari >= 5
- IE >= 10
- Most other Webkit-based browsers, including the default Android browser
Older browsers will work, without streaming support. There is no support for IE6 or IE7.
Compared to http-browserify
, it is not necessary to set options.responseType
. The responseType
property of the XHR object will be set automatically depending on what features are detected in the browser (although see options.mode
in the readme to see how you can optimize this choice manually).
The response
is a streams3 stream, so all data is passed as Buffer
s, unlike the variable types provided by the 'data'
event in http-browserify
. This behavior tries to mimic the node core http
module as closely as possible.
If you're brave, go ahead and give v11.0.0 a try today!
uses the non-sync version of fs.realpath
fixes an issue with symlinked files executing multiple times
fixes requiring an entry from another entry
remove unused dep "deep-equal" and unused file "lib/_exclude.js"
fixes an errant space in the --no-browser-field
flag alias
that kept it from working
fix tests for tap@^1.1.0 (and update tap)
housekeeping - removed unused code
remove unnecessary "isDedupe" json check. this was a hack-fix for watchify <=2.4.
fixes for the "noParse" path matcher.
add syntax check cache. this speeds up rebuilds (like when using watchify).
update to browser-pack@^5.0.0 - includes several fixes related to source maps.
Replace jsonstream with JSONStream
Replace JSONStream with jsonstream Update deps to avoid jsonstream npm case problems
#1247 https://github.com/substack/node-browserify/commit/1ca71e23
ensures that entry paths are always full paths
adds --no-browser-field
and opts.browserField = false
behavior to turn off
the package.json browser field. This is useful if you want to make a bundle with
a target of node or some environment with shimmed node primitives.
A new alias --node
sets --no-browser-field
and --bare
.
The ‘process’ dependency was updated to ~0.11.0, this module is inserted into bundles as the ‘process’ global/dependency. Previously, an unhandled error thrown in a ‘process.nextTick’ task would prevent any subsequent tasks from running, forever. The task queue now recovers from this condition, but may do so on a future browser tick. As part of this update, ‘process.nextTick’ now accepts variadic arguments, passed to the task, added to io.js in 1.8.1.
- Escapes JavaScript-unsafe characters from JSON. #1211
- Removes ‘-v’ shortcut for ‘--version’ (conflicted with watchify) #1222
- Updated ‘defined’, ‘punycode’, ‘module-deps’, and ‘xtend’ dependencies to reduce install size #1230
makes .require({ expose: 'name' })
and require('name')
work at the same time
fixes an issue with catching error events on the b.bundle() stream
republishing 9.0.5 in an attempt to satisfy npm.
sets the stream returned by bundle() to be readable-only
handles the colon better for drive paths and improves the test suite for windows users
fixes a problem with deduping for json files.
This caused problems for running bundle() multiple times on the same instance with caching turned on, which people reported encountering using watchify.
fixes a bug where transforms in opts.transform
were getting run twice
fixes exposed files persisting across bundles
updates browser-pack which uses umd 3.0.0.
This sligtly changes how --standalone $name
works.
browserify/browser-pack#49 #1105
Also some tidying up around handling expose that module-deps can do now:
and some fixes to regressions involving the 'package'
event:
Upstream changes in resolve/browser-resolve mean that require('foo/bar')
works
better with the package.json browser field. You can do something like:
{
"browser": { "./bar": "whatever.js" }
}
uses / instead of \ for source map url separators on windows #1096
resolves mappings from the browser field for externals
fixes an issue with resolving exposed packages relative to the basedir
#1059 #1039 https://github.com/daiweilu/browserify-broken-require
use [email protected], which fixes a bug in assert.deepEqual related to argument ordering, and ensures assert.deepEqual continues working in Chrome 40 and Firefox 35.
use [email protected], which adds process.umask() and a faster process.nextTick() implementation.
passes opts.debug through to insert-module-globals so that is can insert inline source maps for its modifications
ensures that transforms always execute in the order they were added
fixes some file path leaks in deduped deps
In previous releases, the deduping logic was over-zealous about how it handled
module references for duplicates. The prior behavior would detect when the
dependency tree of a module matched an existing module in addition to having the
exact same source code to share an instance. This was originally designed to
support libraries like threejs that internally use instanceof
checks that
don't usually work very well across multiple packages. This feature didn't pan
out and didn't work very well in practice.
Later, a better way of deduping emerged after some unrelated tweaks to browser-pack to support source introspection for webworkers. The reflection form of deduping using implicit arguments is now the only kind.
The deduping instance feature resulted in this bug: #1027 which created very surprising results when duplicate files were in use.
uses the new [email protected], which passes node's own buffer test suite
allows modules to be bundled with local paths and exposed at the same time
fixes the global transform getting added each re-bundle
fixes rebundling (used by watchify) when transforming
also fixes #1015
Global transforms are now resolved to an absolute path before walking files. This fixes some bugs with local module versions taking precedence over global transforms and unresolvable global transforms spanning system directories.
This is a small breaking change since now transform objects live in the pipeline between the record and deps phases. This should only affect programs that expect records in the pipeline to only contain file objects.
fixes a bug setting placeholder filenames on stream inputs to be properly unique
fixes an issue with the expose property when opts.fullPaths is enabled
This issue commonly crops up in watchify.
updates regexps that test for absolute and relative paths to work better on windows
fixes ignoreTransform for the case where transforms were given in package.json as an array
uses noParse for better parity with module-deps
fixes #!shebang syntax when --bare is in effect by adding an unshebang phase to the pipeline
fixes the behavior for multiple external bundles
fixes a circular dependency issue with readable-stream
allows transforms to be ignored throughout the entire bundle
fixes a bug where module insert-module-globals would trigger too soon and conflict with other transforms
upgrades process to 0.8.0 #906
respects opts.expose in require() #907
resolves source map maths relative to the base url. This should help with more reproducible builds.
Version 6 is a tiny but breaking change to how source map paths work.
Now all source map paths are relative by default. This makes it easier to have deterministic debug builds across different systems and directories. If browserify is installed in a project-local directory, all the source map paths will be self-contained and relative against that location in node_modules.
bails early if opts.basedir is not the correct type #927
exposes global browserify options to transforms under opts._flags #910
fixes the array form of b.external() #930
dedupe deps when fullPaths is on #917 and fixes the crypto tests
adds back the array form for add() and require(), with extra places to add options
fixes ignore for relative paths in #896
fixes exports across resets, which caused issues for watchify with exports #892
adds an implicit dependency on the original module during dedupe #880
fixes the command-line client to properly ignore paths that don't match a glob #866
adds back support for .external(b)
on a browserify instance b
that was dropped on the v5 refactor
buffers the record pipeline phase to start outputting after the first tick so that user plugins can capture and modify recorder output
fixes a bug with using --ignore to exclude node_modules packages on the command-line
improves the detection for --ignore
fixes bug with builtins that load json files (the 'constants' module), new 'json' pipeline label
allow optional extensions in bin/args
re-instates transforms after a reset and fixes exposing the transform events properly
makes stream entry files deterministic
adds 'package' events from module-deps when a package.json file is read
adds back the 'bundle'
event and copies over options correctly to reset()
adds a note about derequire in standalone mode to the readme
fixes an error with basedir resolving plugins from names
also allows opts.plugin from the constructor like transform
passes .file
on stream inputs through to transforms
#744
sets require() for streams to not just be entry files
upgrades crypto-browserify to v3
updates --list to always print file paths
adds back .plugin()
which was mistakenly omitted
fixes using debug and standalone at the same time #750
fixes command-line versions of -u and -x #821
test for --bare
fix for detectGlobals, --bare #803
fixes --no-bundle-external with globals
upgrades insert-module-globals to fix #834
fixes the changelog link #835
adds an untracked test
At a glance:
- extensible internal labeled-stream-splicer pipeline
- bundle() - no longer accepts
opts
, callback gets a buffer - b.deps(), b.pack(), opts.pack, opts.deps are gone
- can call bundle() multiple times on the same instance
- a better --noparse matcher
- id labeling integer index based instead of hash based
- derequire removed for performance reasons
- .external(bundle) has been removed (for now)
- semicolon at end of output
- hashing is gone so
expose: true
or explicit expose id is required for doing multi-export bundles
Version 5 is a big rearranging of browserify internals with more places for external code to hook into the build pipeline.
These changes are mostly aligned around the theme of making it easier for external code to interface with browserify internals in a less hacky way.
Now the core of browserify is organized into a labeled-stream-splicer pipeline. This means that user code and plugins can hook into browserify by pushing themselves onto the pipeline at a label:
var browserify = require('browserify');
var through = require('through2');
var bundle = browserify();
bundle.pipeline.get('deps').push(through.obj(function (row, enc, next) {
console.log('DEP:', row.id);
this.push(row);
next();
}));
User code can remove existing transforms or add its own hooks. These are the
labeled sections you can get a handle on with bundle.pipeline.get()
'record'
- save inputs to play back later on subsequentbundle()
calls'deps'
- module-deps'unbom'
- remove byte-order markers'syntax'
- check for syntax errors'sort'
- sort the dependencies for deterministic bundles'dedupe'
- remove duplicate source contents'label'
- apply integer labels to files'emit-deps'
- emit'dep'
event'debug'
- apply source maps'pack'
- browser-pack'wrap'
- apply final wrapping,require=
and a newline and semicolon
Because there is now a proper pipeline, opts.pack
, opts.deps
, b.deps()
,
and b.pack()
are removed.
Big changes have been made to the bundle()
function. All options have been
moved out of the bundle(opts)
form and into the browserify constructor. Before
there was an unclear split between which arguments went into which function.
You can now call bundle()
multiple times on the same instance, even in
parallel. This will greatly simplify the caching system under watchify and will
fix many long-standing bugs.
The callback to bundle(cb)
is now called with cb(err, buf)
instead of
cb(err, string)
as before.
The former hashing system is removed, in favor of file paths rooted at the
opts.basedir
, or the cwd.
This removal means that browserify can be much more consistent about applying integer ids, which avoids exposing system paths in bundle output.
Hashes are used internally for deduping purposes, but they operate on the source content only.
The matching logic in the --noparse
feature is greatly improved.
derequire has been taken out of core, which should speed up --standalone
.
reverts 4.2.2 due to breaking some existing use-cases
fixes a bug applying transforms to symlinked files by resolving the realpath first #831
SECURITY NOTICE
Make sure your installation of browserify is using [email protected] or later. there was a security vulnerability where a malicious file could execute code when browserified.
The vulnerability involves breaking out of Function()
, which was used to
check syntax for more informative errors. In node 0.10, Function()
seems
to be implemented in terms of eval()
, so malicious code can execute even
if the function returned by Function()
was never called. node 0.11 does
not appear to be vulnerable.
Thanks to Cal Leeming [[email protected]] for discovering and disclosing this bug!
upgrades http-browserify, crypto-browserify, and sets more versions to float with ^ semvers
fixes a bug with transform argument handling #795
upgrades browser-resolve to get opts.path fixes browserify/browser-resolve#43
upgrades resolve to fix relative NODE_PATH paths browserify/resolve#46
bumps the module-deps version to get an ordering bugfix browserify/module-deps#39 #774
fixes ignoreMissing when set in the constructor #785
emits the 'id' event on the correct instance #780
added this document
fixes a bug in ie<=8
support for querystring #764
upgrades umd to fix some issues with --standalone #714
makes deps() behave more like bundle() #757 and fixes global transform precedence #759
upgrades the version of buffer to ^2.3.0
Here are the new breaking changes in browserify v4. Most users should be unaffected.
require('stream')
is now using readable-stream (but the classic-mode shim persists in stream-browserify just like in node core). This should result in much smaller files for all modules using a similar-enough version of readable-stream as browserify itself. Other modules should be relatively unaffected.
Removal of the previously-deprecated and obscure bundle.expose()
.
Previously if you invoked the browserify command without any entry files as arguments and stdin was a tty, stdin would be implicitly added as an entry file. This feature was causing problems so it has been removed. #724 (comment)
In the run-up to the 4.0, module-deps got an extensive rewrite with minimal test changes. Mostly it was just getting really messy because it was a giant ball-of-mud closure instead of a more straightforward prototype-based implementation with more clearly-defined methods.
The module-deps rewrite was triggered by system paths showing up in build output but was fixed in 3.46.1. The solution actually didn't end up needing changes in module-deps as originally anticipated but module-deps was in dire need of a cleanup.
fixes a bug exposing the host path of the process module in the bundle output browserify/insert-module-globals#32
allows array arguments in b.require(), b.add(), and b.external() #742 from @spacepluk
renders complete stack traces where before they were getting truncated #741 patch from @secoif
slims down the dependency payload by 20M #736
fixes the recursion error many people were getting #713 Thanks to @MattMcKegg for isolating the bug!
upgrades module-deps to 1.10.0 to make all the packageFilter dir argument pathways are consistent
lets b.transform(opts, t) args to be swapped around since opts is more common as a last argument
passes through the dir parameter in opts.packageFilter from module-deps 1.10.0 #731
has an option to disable external files, making it easier to run bundles in node for code coverage #672
makes --list work again #727
merges a patch for piping via stdin and --require at the same time #728
upgrades module-deps to fix --list for $NODE_PATH #726
upgrades module-deps to get this packageTransform bugfix browserify/module-deps#32
modifies the behavior of opts.builtins to be more useful and intuitive #717
adds a zlib that has parity with node #721
upgrades derequire which uses esprima-fb #710
adds 'close' events back to the bundle stream. This should fix some issues with watchify.
fixes a bug with through being required in the bin/cmd.js instead of through2
also reverts that require('process') thing which was mistakenly briefly put in the builtins list
gives streams2 semantics for bundle() #646
fixes a dumb bug with ^ for versions that don't work in old npm clients
adds require('process') and removes the path resolution for process out of insert-module-globals
adds an empty tls stub to the builtins list #703
fixes a bug with transforms not being applied in deps() #708
fixes a bug with options in --global-transform on the command-line #705
fixes parsing errors while maintaining es6 support by switching to esprima-fb #698
should be easier to shinkwrap and install on windows #684
adds --full-path and opts.fullPath to always expand ids to full paths #668 (comment)
fixes a bug in the subarg argument parsing for multiple transforms #678
uses process.cwd() as the default rebase target instead of commondir #669 (comment)
merges #669 which should help with more deterministic builds across systems
fixes parsing the --insert-global-vars argument properly #674
fixes exclude globbing in the arg parser #676
included a fix for --no-builtins for non-wrapped modules #666
upgrades buffer for a utf8 fix #656
adds globs for -u, -i, and -x #654
adds relatively-resolved paths to ignored and excluded files
upgrades http-browserify to 1.3.1
now always includes the full package.json content in the 'package' event
fixes a bug with stream entry order #643
adds plugins for doing super fancy things like factored bundle output https://github.com/substack/node-browserify#plugins
fixes a bug resolving transform modules when browserify is under a symlink
adds transform configuration in the package.json browserify.transform field https://github.com/substack/module-deps#packagejson-transformkey
you can pass arguments to transforms https://github.com/substack/node-browserify/blob/master/bin/advanced.txt#L67-L77
fixes a bug where the transform event didn't fire while IO was pending
fixes the transform docs
adds 'bundle' and 'transform' events https://github.com/substack/node-browserify#bonbundle-function-bundle-
upgrades derequire to 0.6.0. That should be the last piece needed for full es6 syntax support.
expands the documentation for the package.json browser and browserify.transform fields https://github.com/substack/node-browserify#packagejson
fixes generator syntax and other es6-isms in browserify #614
fixes noParse, which had accidentally been disabled in the insert-module-global changes and also closes #504
similar to 3.24.5, 3.24.6 fixes some error reporting propagation from the browserify command
fixes how require('buffer').Buffer wasn't the same as implicit Buffer #612
fixes where the output stream didn't emit "close" in standalone mode #608
fixes an issue where --standalone combined with expose caused a syntax error #489
removes require() calls from --standalone so you can require() a standalone bundle again
merges this tiny fix returning this
in noParse() #592
merges #587 which changes the source map prefix from //@ to //#
standardizes the module missing error formats to have filename, parent, and type === 'not found' fields
has a fix for the case where stdin is implicitly treated as the input stream instead of a file
3.20.0 is out: parity with how $NODE_PATH works in node #593
restores support for node 0.8 by upgrading concat-stream
A new browserify version is upon us, just in time for the FESTIVE SEASON during which we in the northern hemisphere at mid to high latitudes huddle for warmth around oxidizing hydrocarbons!
There are 2 big changes in v3 but most code should be relatively unaffected.
feross forked
the buffer-browserify package
to create
native-buffer-browserify,
a Buffer
implementation that uses Uint8Array
to get buf[i]
notation and
parity with the node core Buffer
api without the performance hit of the
previous implementation and a much smaller file size. The downside is that
Buffer
now only works in browsers with Uint8Array
and DataView
support.
All the other modules should maintain existing browser support.
Update: a shim was added
to in 3.1 for Uint8Array and DataView support. Now you can use Buffer
in every
browser.
In v3, browserify no longer depends on
browser-builtins, in favor of
depending on packages directly. Instead of having some separate packages and
some files in a builtin/
directory like browser-builtins, browserify now uses
only external packages for the shims it uses. By only using external packages
we can keep browserify core focused purely on the static analysis and bundling
machinery while letting the individual packages worry about things like browser
compatibility and parity with the node core API as it evolves.
Individual, tiny packages should also be much easier for newcomers to contribute packages toward because they won't need to get up to speed with all the other pieces going on and the packages can have their own tests and documentation. Additionally, each package may find uses in other projects beside browserify more easily and if people want variations on the versions of shims that ship with browserify core this is easier to do when everything is separate.
Back when we were using browser-builtins there was a large latency between pushing out fixes to the individual packages and getting them into browserify core because we had to wait on browser-builtins to upgrade the semvers in its package.json. With direct dependencies we get much lower latency for package upgrades and much more granular control over upgrading packages.
Here is the list of packages we now directly depend on in v3:
- assert
- buffer
- console
- constants
- crypto
- events
- http
- https
- os
- path
- punycode
- querystring
- stream
- string_decoder
- timers
- tty
- url
- util
- vm
- zlib
That's it! If you're bold enough to give v3 a spin, just do:
npm install -g browserify