Remove dependency from jQuery for modules random and util #430
Conversation
|
This LGTM, @davidlehn are you ok with removing |
|
I don't think we can assume |
|
I did some digging and found the historical initial I do agree that we probably shouldn't just remove it now since it's slightly possible someone else is using it. I've got no issues marking that as a thing to get rid of or move into an extra lib in the next major breakage version. There's probably much more we can also make optional too since these days things like that are of little use to the primary crypto code that people use forge for. Does using jQuery actually cause trouble with webpack et al and webworkers, or is this just a guess? I thought some of those had special support to handle such globals. It'd be nice if we could hold off until the next major release but maybe we can find a workaround if it's a problem now. Maybe it's possible to use a variation of that wizardry global code to try and get jQuery vs using it direct. Would that fix bundler issues? Something like: var _jQuery;
(function(global) { _jQuery = global.jQuery; })((0, eval)('this'));
util.makeLink = function(...) {if(_jQuery) { ... _jQuery.isArray(...) ... }};I'm unsure of how correct or portable that is, but it might avoid the bundler issues without special configuration? |
js/random.js
Outdated
| // add mouse and keyboard collectors if jquery is available | ||
| if(jQuery) { | ||
| // if we are in the browser, use keyboard and mouse to gather entropy | ||
| if (global.document && global.document.addEventListener) { |
There was a problem hiding this comment.
Style issue, remove space after if.
|
Maybe the workaround can be even simpler. If we declare a var jQuery = (function(g) { return g.jQuery; })((0, eval)('this'));By the way, using jQuery in Forge can actually cause trouble if the crypto is done in a worker, because jQuery cannot be loaded in the context of a worker. It's a common configuration for WebPack to automatically add a dependency on jQuery when there are the unbound identifiers In the case of Forge, jQuery is just an optional, so there's no reason for it to have such a dependency. |
|
@davidlehn, did #456 address this in any way? |
|
What test can we run to see if it fails? The webpack and browserify testing seems to be working with the new code so maybe this problem resolved itself? That being said, the makeLink function and others in util.js should perhaps be considered for deprecation, removal, or being moved to some extras file. |
I ended up here because my website uses a Content Security Policy And I got an error report that one of the libraries in my bundle was trying to make an unauthorized eval. I also got highly suspicious when I saw the global jQuery references in the code. I think you should at least clarify in the README that jQuery is an optional dependency an that eval is being used. |
|
Sorry, this got auto-closed due to branch rename. Reopen if you want. Will address in #937. |
5 participants
Hi,
This pull request removes the "dependency" from jQuery for modules
randomandutil.Although jQuery is not an actual dependency, the presence of the unbound identifier
jQueryin the code may confuse some bundlers like WebPack to think that Forge depends on jQuery, causing some troubles if Forge is used in a context where jQuery can't be loaded, such as a WebWorker.I reworked only the modules
randomandutilsince they are the only ones referencing jQuery included in the default bundle.Also, I completely removed the function
util.makeLinksince it appears to be dead code. All the tests pass, so maybe it's safe to remove.