Feature: Add @10up/build - esbuild-powered WordPress build tool

[fabiankaegy]

Note

This is just an exploration I did to see how well this would actually work because I got fed up with the speed of CI builds. WordPress Core / Gutenberg recently switched over to an esbuild powered build system so this draws inspiration from that. Realistically RSPack is probably a safer easier option but I wanted to try this.

Introduces a new build package that provides fast WordPress block and asset compilation using esbuild, designed as a drop-in replacement for 10up-toolkit's webpack-based build system.

Features:

• 10-100x faster builds than webpack with esbuild core
• Full WordPress dependency extraction (.asset.php generation)
• Support for ES Modules (viewScriptModule) and IIFE output formats
• PostCSS + lightningcss CSS pipeline with SCSS/SASS support
• Automatic block.json asset detection and transformation
• Custom external namespace support (@woocommerce/, @my-plugin/, etc.)
• React Fast Refresh for development with HMR
• Compatible with existing 10up-toolkit configuration schema

CLI commands:

• 10up-build build - Production build
• 10up-build start - Watch mode with Fast Refresh server

Configuration:

• Reads from package.json["10up-toolkit"] field
• Supports paths.blocksDir, paths.distDir, paths.globalStylesDir, paths.globalMixinsDir
• Supports entry, moduleEntry, externalNamespaces options
• Respects postcss.config.js for custom PostCSS configuration

Test coverage:

• 76 tests covering config loading, entry detection, externals handling, block.json transformation, dependency extraction, and full build integration
• Test fixtures for basic projects, block projects, and PostCSS configuration

[changeset-bot]

⚠️ No Changeset found

Latest commit: 481ab35

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

In general, the fix is to remove or adjust any String.prototype.replace (or similar) calls where the pattern and replacement yield the same string, unless there is a very explicit and documented reason to keep them. Here, the second .replace(/\.js$/, '.js') is redundant: after the first replace(/\.tsx?$/, '.js'), all .ts/.tsx suffixes are already .js, and existing .js files require no further modification. The best fix that preserves behavior is to delete the no-op replace call and keep only the TypeScript-to-JavaScript conversion.

Concretely, in packages/build/src/plugins/block-json.ts, within transformTSAsset, change the transform function so that the return statement on line 44 becomes a single replace(/\.tsx?$/, '.js') call. No additional imports or helper methods are needed; we are only simplifying the existing expression.

[fabiankaegy]

this is for .jsx imports

In general, to fix this class of issue, avoid constructing a single shell command string from untrusted data and passing it to exec/execSync. Instead, call the program directly with execFile/execFileSync or spawn/spawnSync, passing arguments as an array so they are not interpreted by a shell. If you must use a shell (e.g., to use pipes or redirection), then escape any untrusted values (e.g., with shell-quote) before embedding them.

Here, we can safely replace the string-based execSync(installCmd, ...) with an argument-array invocation of npm. The command being run is simple (npm install --save-optional ...packages...), with no pipes or redirections, so we do not need a shell at all. We will:

• Build an array of arguments for npm: ['install', '--save-optional', ...toInstall.map(p => ${p}@${tag})].
• Replace the installCmd string with this args array.
• Replace execSync(installCmd, { ... }) with execSync('npm', { cwd: installDir, stdio: 'inherit', args: installArgs }) or, more idiomatically, switch from execSync to spawnSync from child_process, which is designed for this pattern.

Because we are constrained to only add imports of well-known libraries and not alter unrelated code, the minimal and clear fix is to import spawnSync from child_process in wp-deps.ts, leave execSync for any other existing uses, and then switch this particular call to use spawnSync('npm', installArgs, { cwd: installDir, stdio: 'inherit' }). spawnSync takes the command and argument array directly, avoiding any shell interpretation of tag or package names, while preserving all existing functionality and behavior (same cwd, same stdio, same success/failure semantics).

Concretely in packages/build/src/wp-deps.ts:

• Update the import from child_process to also import spawnSync.
• Replace the installCmd string with an installArgs array, preserving the same package/tag concatenation.
• Replace the try block to use spawnSync('npm', installArgs, { cwd: installDir, stdio: 'inherit' }) and explicitly check result.status !== 0 to throw the same error message if npm fails.

No changes are required in cli.ts.

In general, to fix this issue we should avoid passing a single concatenated string to execSync and instead use an API that accepts the executable and its arguments as an array (for example child_process.execFileSync or child_process.spawnSync). This prevents the shell from interpreting special characters in user-controlled input, because the command is invoked directly without an intervening shell.

The best targeted fix here is to keep the behavior of running npm install --save-optional ... in the same working directory with inherited stdio, but refactor the command to use execFileSync('npm', args, options) instead of execSync(installCmd, options). We already have the list of package specifiers as an array (packages), so we can build the argument array as ['install', '--save-optional', ...packages]. Then invoke execFileSync with those arguments. This preserves all existing behavior (same tool, same flags, same packages, same cwd and stdio) while removing the shell injection vector.

Concretely, in packages/build/src/wp-deps.ts within updateWpDeps:

• Add execFileSync to the existing import from child_process.
• Replace the string installCmd and the execSync(installCmd, ...) call with an installArgs array and execFileSync('npm', installArgs, { cwd, stdio: 'inherit' }).

No changes are needed in cli.ts for this issue, and no validation of tag is strictly required once we are no longer going through a shell.

To fix the problem, avoid running a shell with a single concatenated command line and instead invoke npm directly with execFileSync (or spawnSync) and an array of arguments. This removes shell parsing from the equation, so even if tag or a package name contains spaces or shell metacharacters, they are treated as plain arguments rather than part of a shell command.

Concretely, in packages/build/src/wp-deps.ts, we should:

1. Import execFileSync from child_process alongside the existing execSync import (keeping execSync if it is used elsewhere in unseen code).
2. Replace the construction of installCmd as a single string with a construction of an args array: ['install', '--save-optional', ...toInstall.map(p => ${p}@${tag})].
3. Replace execSync(installCmd, { ... }) with execFileSync('npm', args, { cwd: installDir, stdio: 'inherit' }).

This preserves existing behavior (same npm install --save-optional <pkgs> invocation in the same directory, same output handling) while eliminating the uncontrolled command line.

All required functionality is provided by Node’s standard library; no external packages are needed.