Tsup version 2.0.1 is a minimal patch release that arrives shortly after version 2.0.0, refining the developer experience for those using this zero-config TypeScript bundler. Both versions retain the core promise of simplifying the bundling of TypeScript libraries, with Rollup doing the work under the hood. They share the same dependencies, including tslib for runtime helpers, joycon for configuration file handling, and crucial Rollup plugins like rollup-plugin-dts for generating declaration files and rollup-plugin-typescript2 for TypeScript compilation.
The development dependencies also remain consistent, featuring tools like jest for testing, prettier for code formatting, and various @rollup/plugin-* packages for handling JSON, CommonJS, and Node resolution within the Rollup build process. On the surface the difference appears negligible, reflected in a small increase in unpacked size from 342733 to 344737 bytes; the 2.0.1 release likely addresses minor bug fixes or internal improvements rather than introducing new features. The upgrade from tsup@1.5.1 to tsup@2.0.0 as a dev dependency in the newer release signifies a progressive internal adoption of the tooling itself. For developers, migrating to 2.0.1 ensures they benefit from the latest bug fixes, stability improvements and refinements, building on the solid foundation of zero-config TypeScript bundling that Tsup offers.
All vulnerabilities related to version 2.0.1 of the package
tsup DOM Clobbering vulnerability
A DOM Clobbering vulnerability in tsup v8.3.4 allows attackers to execute arbitrary code via a crafted script in the import.meta.url to document.currentScript in cjs_shims.js components.