Use of eval is strongly discouraged #1754
Comments
+1 |
|
Getting these errors during a Vite build:
|
It's not entirely clear why this is needed at all? |
Hi Protobufjs team! |
Same goes for Chrome Extensions using Manifest V3 - where it's also forbidden to use eval |
☝🏽 absolutely, had to patch to run on MV3. |
This is a huge issue for us as the page we are integrating into forbids |
same here |
I give it a try, more tests are needed. |
I use this patch-package file: patches/protobufjs+7.2.5.patchdiff --git a/node_modules/protobufjs/dist/light/protobuf.js b/node_modules/protobufjs/dist/light/protobuf.js
index 5727c45..3004e3d 100644
--- a/node_modules/protobufjs/dist/light/protobuf.js
+++ b/node_modules/protobufjs/dist/light/protobuf.js
@@ -876,6 +876,10 @@ module.exports = inquire;
* @returns {?Object} Required module if available and not empty, otherwise `null`
*/
function inquire(moduleName) {
+ // Don't use eval with CSP in a browser: https://github.com/protobufjs/protobuf.js/pull/1548
+ if (typeof document !== "undefined") {
+ return null;
+ }
try {
var mod = eval("quire".replace(/^/,"re"))(moduleName); // eslint-disable-line no-eval
if (mod && (mod.length || Object.keys(mod).length))
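Review bot: The `typeof document !== "undefined"` guard at the top of `inquire` misses browser contexts that have no `document` global, such as web workers and the service workers used by the Manifest V3 extensions mentioned in this thread, so the `eval` line still runs there under the same CSP. It also returns `null` in Node test environments that define a `document` (jsdom, for example), which silently disables the optional modules `inquire` exists to load. Consider detecting Node positively instead, for example via `process.versions.node`, and returning `null` in every other case.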
diff --git a/node_modules/protobufjs/dist/minimal/protobuf.js b/node_modules/protobufjs/dist/minimal/protobuf.js
index 87e6f55..d5e2d9e 100644
--- a/node_modules/protobufjs/dist/minimal/protobuf.js
+++ b/node_modules/protobufjs/dist/minimal/protobuf.js
@@ -658,6 +658,10 @@ module.exports = inquire;
* @returns {?Object} Required module if available and not empty, otherwise `null`
*/
function inquire(moduleName) {
+ // Don't use eval with CSP in a browser: https://github.com/protobufjs/protobuf.js/pull/1548
+ if (typeof document !== "undefined") {
+ return null;
+ }
try {
var mod = eval("quire".replace(/^/,"re"))(moduleName); // eslint-disable-line no-eval
if (mod && (mod.length || Object.keys(mod).length))
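Review bot: The `eval("quire".replace(/^/,"re"))` call on the line after `try {` is still present in the file, so the early return only changes runtime behaviour. Tools that flag `eval` from the source text, like the Vite/Rollup build warning reported in this thread, will keep reporting it. If the patch is also meant to silence the build warning, the call itself has to be removed or replaced, not only guarded.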
diff --git a/node_modules/protobufjs/dist/protobuf.js b/node_modules/protobufjs/dist/protobuf.js
index cda26c5..012e2f5 100644
--- a/node_modules/protobufjs/dist/protobuf.js
+++ b/node_modules/protobufjs/dist/protobuf.js
@@ -876,6 +876,10 @@ module.exports = inquire;
* @returns {?Object} Required module if available and not empty, otherwise `null`
*/
function inquire(moduleName) {
+ // Don't use eval with CSP in a browser: https://github.com/protobufjs/protobuf.js/pull/1548
+ if (typeof document !== "undefined") {
+ return null;
+ }
try {
var mod = eval("quire".replace(/^/,"re"))(moduleName); // eslint-disable-line no-eval
if (mod && (mod.length || Object.keys(mod).length))
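Review bot: This is the third identical copy of the guard, each applied to a generated `dist/` bundle, while the file the issue names as the origin, `node_modules/@protobufjs/inquire/index.js`, is not touched by the patch. Any code path that loads that package directly rather than through one of these three bundles still reaches the unguarded `eval`. Patching the single `inquire` module as well (or instead) would cover those paths and reduce the patch to one hunk to maintain across upgrades.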
diff --git a/node_modules/protobufjs/src/util.js b/node_modules/protobufjs/src/util.js
index 6c50899..bd9a61d 100644
--- a/node_modules/protobufjs/src/util.js
+++ b/node_modules/protobufjs/src/util.js
@@ -199,6 +199,7 @@ util.setProperty = function setProperty(dst, path, value) {
return setProp(dst, path, value);
};
+if (!util.hasOwnProperty("decorateRoot")){
/**
* Decorator root (TypeScript).
* @name util.decorateRoot
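Review bot: The added `if (!util.hasOwnProperty("decorateRoot")){` guard in `src/util.js` is unrelated to the `eval`/CSP change and has no comment saying when `decorateRoot` could already be defined, unlike the `inquire` hunks, which link their rationale. Add a one-line comment naming the case it protects against, or split it into its own patch. Prefer `Object.prototype.hasOwnProperty.call(util, "decorateRoot")` over calling the method on `util` directly, and put a space before `{` to match the surrounding code.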
@@ -210,3 +211,4 @@ Object.defineProperty(util, "decorateRoot", {
return roots["decorated"] || (roots["decorated"] = new (require("./root"))());
}
});
+} The |
To try to move forward with this and close the Content Security Policy threads like #997, could some maintainer explain what problem the usage of ❓ Maybe the problem is no longer relevant? By doing some archeology, it seems that Note that webpack 5 (released Nov 2020) has broken compat on this, and no longer automagically ships nodejs polyfills. So if that's the only reason, I'd suggest to cut a major version of protobufjs (8.0), and remove the usage of |
Any updates? This completely breaks packaging ESM package because |
I also got the problem while using @opentelemetry/exporter-trace-otlp-proto, so I switched to @opentelemetry/exporter-trace-otlp-http. Less performant, but more secure at least... |
I am also seeing this warning when building with vite, any updates? |
protobuf.js version: 6.10.2
https://rollupjs.org/guide/en/#avoiding-eval
node_modules/@protobufjs/inquire/index.js