Skip to content

build: Update swc_core to v73.0.0#645

Merged
kdy1 merged 7 commits into
mainfrom
kdy1/bump
Jul 13, 2026
Merged

build: Update swc_core to v73.0.0#645
kdy1 merged 7 commits into
mainfrom
kdy1/bump

Conversation

@kdy1

@kdy1 kdy1 commented Jul 13, 2026

Copy link
Copy Markdown
Member

No description provided.

kdy1 added 6 commits July 13, 2026 16:08
Releases:
  @swc/plugin-react-remove-properties@12.16.0
  @swc/plugin-styled-components@12.16.0
  @swc/plugin-transform-imports@12.16.0
  @swc/plugin-swc-confidential@11.16.0
  @swc-contrib/mut-cjs-exports@14.16.0
  @swc/plugin-remove-console@12.16.0
  @swc/plugin-experimental-feature-flags@0.15.0
  @swc/plugin-styled-jsx@13.16.0
  @swc/plugin-swc-magic@12.16.0
  @swc/plugin-formatjs@9.16.0
  @swc/plugin-prefresh@12.16.0
  @swc/plugin-emotion@14.16.0
  @swc/plugin-swc-sdk@12.16.0
  @swc/plugin-relay@12.16.0
  @swc-contrib/plugin-graphql-codegen-client-preset@0.28.0
  @swc/plugin-jest@12.16.0
  @swc/plugin-loadable-components@11.16.0
  @swc/plugin-noop@12.16.0

[skip ci]
@kdy1 kdy1 enabled auto-merge (squash) July 13, 2026 07:15
@changeset-bot

changeset-bot Bot commented Jul 13, 2026

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: f090dc5

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@claude

claude Bot commented Jul 13, 2026

Copy link
Copy Markdown

Review — PR #645: build: Update swc_core (v72 → v73)

This is an automated release PR (changeset + version-bump tooling) that upgrades swc_core to v73.0.0, bumps the transitive swc_ecma_* crates, and rolls the corresponding package/crate versions and changelogs. Mostly mechanical, so the review focused on consistency and the one substantive dependency change.

✅ What checks out

  • Version consistency: every changed package.json version matches the top entry of its CHANGELOG.md (verified all 18 packages/contrib crates).
  • Lockfile in sync: Cargo.lock resolves swc_core = 73.0.0 and swc_ecma_transforms = 58.0.0; no leftover 72.0.0 references remain in any Cargo.toml.
  • Path-dependency versions (transform sub-crates → 13.0.0, etc.) are bumped in lockstep with the crates they point to.
  • Changelog/README entries are consistent with the changeset b7be81b.

🔎 Worth a second look

  • swc_ecma_transforms is a major bump (57 → 58), while the changeset message only mentions swc_core v73. Major bumps of the underlying transform crates can carry breaking API changes, yet this PR contains no source adaptations — the plugins compile against the new API unchanged. That's plausible if none of the affected APIs are used, but it makes green CI the real gate here. Please confirm the Test and Integration Test jobs pass before merging (they're pending as of this review).
  • Changeset scope: the description credits only swc_core, though swc_ecma_transforms (major) and swc_ecma_minifier (57.0.0 → 57.0.1) also moved. Purely informational — the changelog would be marginally more accurate if it mentioned the transforms major bump, since that's the change most likely to affect behavior.

Minor / non-blocking

  • swc-confidential bumps its CHANGELOG.md and package.json but (unlike the other packages) has no README changelog append. Looks intentional (its README doesn't embed the changelog), just noting the asymmetry.

Test coverage

No new tests are expected for a version bump; the existing snapshot/integration suites are the safety net. Given the major transform-crate bump, the existing integration tests passing is the key signal — no additional coverage needed beyond confirming CI is green.

Overall: clean, internally consistent release PR. No code-quality, security, or performance concerns. Recommend merging once CI (Test / Integration Test) goes green, given the underlying swc_ecma_transforms major bump ships with no source changes.

@socket-security

socket-security Bot commented Jul 13, 2026

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: cargo libc is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?cargo/swc_core@0.75.33cargo/lightningcss@1.0.0-alpha.71cargo/swc_atoms@9.0.3cargo/swc_common@23.0.2cargo/swc_ecma_codegen@28.0.2cargo/preset_env_base@8.0.1cargo/swc_ecma_parser@41.1.2cargo/swc_ecma_utils@31.0.2cargo/swc_ecma_transforms_react@51.0.0cargo/swc_ecma_transforms_testing@49.0.0cargo/swc_core@73.0.0cargo/sha1@0.10.7cargo/swc_ecma_minifier@57.0.1cargo/sha2@0.10.9cargo/sha2@0.9.9cargo/magic-crypt@3.1.13cargo/similar-asserts@1.7.0cargo/swc_cached@2.0.0cargo/libc@0.2.186

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/libc@0.2.186. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: cargo writeable is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?cargo/swc_sourcemap@10.0.2cargo/swc_common@23.0.2cargo/writeable@0.6.3

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/writeable@0.6.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: cargo zerocopy is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?cargo/lightningcss@1.0.0-alpha.71cargo/swc_atoms@9.0.3cargo/swc_ecma_codegen@28.0.2cargo/preset_env_base@8.0.1cargo/swc_ecma_transforms_react@51.0.0cargo/swc_core@73.0.0cargo/swc_ecma_minifier@57.0.1cargo/swc_cached@2.0.0cargo/zerocopy@0.8.54

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/zerocopy@0.8.54. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@claude

claude Bot commented Jul 13, 2026

Copy link
Copy Markdown

PR Review — build: Update swc_core to v73.0.0

Reviewed the full diff. This is a mechanical dependency bump + automated release, and it looks clean and internally consistent. 👍

Summary of changes

  • Cargo.toml: swc_core 72.0.073.0.0, plus the transitive workspace deps that move with it:
    • swc_ecma_transforms 57.0.058.0.0 (major)
    • swc_ecma_minifier 57.0.057.0.1 (patch)
    • swc_icu_messageformat_parser (internal crate) 31.0.032.0.0
  • Per-package Cargo.toml/package.json version bumps + CHANGELOG.md/README.md entries for the 18 released packages, and the regenerated Cargo.lock.

Behavioral changes worth a second look

The only non-generated, behavior-carrying changes are the three styled-jsx output.lightningcss.js fixtures. They all reflect the new upstream CSS codegen inserting spaces after commas / around tokens in serialized values:

  • linear-gradient(to right,${c1},${c2})linear-gradient(to right, ${c1}, ${c2})
  • translate3d(0,${x}px,-${d}px)scale(1)translate3d(0, ${x}px, -${d}px) scale(1)
  • content:attr(data-text)/""content:attr(data-text) / ""

These are cosmetic serialization changes from the updated swc_css/lightningcss and appear correct (output stays semantically equivalent CSS). Two things to confirm:

  1. Only the .lightningcss.js outputs changed — the non-lightningcss fixture outputs weren't regenerated. Please double-check that's expected (i.e. the whitespace change is specific to the lightningcss serialization path) and not a case of a fixture that should have updated but didn't.
  2. Since the extra whitespace slightly increases emitted CSS size, worth a sanity check that it doesn't affect any minification/size expectations downstream — almost certainly fine, just noting it.

Other notes

  • No source logic changes, so no new test coverage is needed — the fixture updates are the right verification surface for this bump.
  • No security or performance concerns; version bumps only.
  • Version numbers across Cargo.toml/package.json/changelogs are consistent with the release commit.

Assuming CI (build + fixture tests) is green, this looks good to merge.

@kdy1 kdy1 merged commit 3354cd5 into main Jul 13, 2026
11 checks passed
@kdy1 kdy1 deleted the kdy1/bump branch July 13, 2026 07:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

1 participant