eval not allowed in Middleware pages/foo/_middleware
#30674
Comments
|
Also, seems to me that this warning only happens once after the server starts (or restarts due to any code change) and when I first enter a url that the middleware runs... If I refresh the same url, then the warning doesn't seem to appear again |
|
According to the docs, You can check the docs' example here |
|
@gustavo-dev thanks for the explanation... so From my (very shallow) understanding of middlewares, they can be deployed as edge functions (which is an infra structure and concept provided by vercel... I think? 😂 ), but you don't necessarily need to... So all edge functions are middlewares, but are all middlewares edge functions? 🤔 |
|
I think you're mixing the concepts a little bit. Edge Functions are similar to CDN's (but different). A CDN (Content Delivery Network) is used to serve static content in a fast way. Therefore they need to be located close to the client. The downside with this approach is the inability to deliver custom content to different clients based on their location, for example. Another method that could solve this would be processing each request on the server (SSR). However, the drawback now is speed because the server handling these requests is not necessarily close to your end-user. That's where Edge Functions come in! They work just like a CDN but they allow you to run server-side logic on the Edge, close to your client, which enables us to achieve both speed and dynamism. A middleware, on the other hand, is a function that runs before a request is completed. If you've used ExpressJs before, you should be familiar with this concept. They can modify the request/response objects and are useful for authentication, among other things. Hence, Middlewares are not necessarily Edge Functions and Edge Functions are not necessarily Middlewares. However, when deploying to Vercel, Middleware is the only code that runs in Edge Functions. Here are a few links regarding these concepts if you want: |
|
Ok, but my point is, Middlewares are not necessarily Edge functions, and Doesn't that mean that if I use |
|
Sure, if you use |
|
And they do work, but now my terminal gets a ton of warnings because of something that I won't even be using... That makes debugging a bit harder unfortunately :/ Also since I'll wait for someone from the core team to share their opinion here, to know if this is intended or not. |
|
Running Javascript code at the edge is very sensitive and providers are very conservative and ban certain APIs. Among many reasons there is speed or being able to optimize code by statically analyzing it. The explanation from @gustavo-dev was great and indeed, you can use Next.js middleware with In order to help people don't get into this situation, we are showing a warning in Next.js if we detect you are dynamically evaluating code. This warning will show up when the code is parsed. Note that currently in development there is no tree-shaking, so (at the time of writing this comment) it is possible that you get a warning about using eval in code that is required by the middleware but that will not make it to production since it may be removed on build thanks to tree-shaking. |
Co-authored-by: Tobias Koppers <sokra@users.noreply.github.com> With this PR we are updating the way we check the usage of `eval` and other dynamic code evaluation (like `new Function`) for middleware. Now instead of simply showing a warning it will behave differently depending on if we are building or in development. - Development: we replace the dynamic code with a wrapper so that we print a warning only when the code is used. We don't fail in this scenario as it is possible that once the application is built the code that uses `eval` is left out. - Build: we detect with tree shaking if the code that will be bundled into the middleware includes any dynamic code and in such scenario we make the build fail as don't want to allow it for the production environment. Closes #30674 ## Bug - [ ] Related issues linked using `fixes #number` - [ ] Integration tests added - [ ] Errors have helpful link attached, see `contributing.md` ## Feature - [ ] Implements an existing feature request or RFC. Make sure the feature request has been accepted for implementation before opening a PR. - [ ] Related issues linked using `fixes #number` - [ ] Integration tests added - [ ] Documentation added - [ ] Telemetry added. In case of a feature if it's used or not. - [ ] Errors have helpful link attached, see `contributing.md` ## Documentation / Examples - [ ] Make sure the linting passes by running `yarn lint`
|
Not sure about this one, but I'm facing the same error. I have looked deep into the code and I didn't find an eval statement in there. The complain I'm getting come from common supportive libraries like for example lodash.isplainObject. @javivelasco What do you mean by
What does detect mean here? So it isn't just the eval() statement and more things can be consider dynamic? If so, could the team be kind and expand this definition of dynamic so we can trace and eventually fix the error. |
|
No worries. I think I found it. I have almost an exact match from the failure libraries of @javivelasco. This is dyanmic evaluation without using eval from the var $Function = Function;
var getEvalledConstructor = function (expressionSyntax) {
try {
return $Function('"use strict"; return (' + expressionSyntax + ').constructor;')();
} catch (e) {}
};Maybe the docs in Next might expand this definition of no eval(). |
|
Yeah sorry about that. It's not only |
I tried your solution, but console still shown that error. Really not understand why, function still run and show result... |
|
@IRediTOTO Are you importing import jwt from '@tsndr/cloudflare-worker-jwt'
//... |
|
@gustavo-dev yes sure, maybe it come from my nextjs setup, something run when middle where run. Func still run fine, just show the warning. Actually I can use jose package in it. |
|
Hey there, one thing I do not understand is where inside the readable-stream package is there any use of eval? I have been looking through the code and couldn't find any reference to it. See: https://github.com/nodejs/readable-stream/blob/v3.6.0/lib/_stream_writable.js which is the one used when building middleware. Thanks! |
|
This issue has been automatically locked due to no recent activity. If you are running into a similar issue, please create a new issue with the steps to reproduce. Thank you. |
Co-authored-by: Tobias Koppers <sokra@users.noreply.github.com> With this PR we are updating the way we check the usage of `eval` and other dynamic code evaluation (like `new Function`) for middleware. Now instead of simply showing a warning it will behave differently depending on if we are building or in development. - Development: we replace the dynamic code with a wrapper so that we print a warning only when the code is used. We don't fail in this scenario as it is possible that once the application is built the code that uses `eval` is left out. - Build: we detect with tree shaking if the code that will be bundled into the middleware includes any dynamic code and in such scenario we make the build fail as don't want to allow it for the production environment. Closes vercel#30674 ## Bug - [ ] Related issues linked using `fixes #number` - [ ] Integration tests added - [ ] Errors have helpful link attached, see `contributing.md` ## Feature - [ ] Implements an existing feature request or RFC. Make sure the feature request has been accepted for implementation before opening a PR. - [ ] Related issues linked using `fixes #number` - [ ] Integration tests added - [ ] Documentation added - [ ] Telemetry added. In case of a feature if it's used or not. - [ ] Errors have helpful link attached, see `contributing.md` ## Documentation / Examples - [ ] Make sure the linting passes by running `yarn lint`
What version of Next.js are you using?
12.0.1
What version of Node.js are you using?
14.17.6
What browser are you using?
Chrome
What operating system are you using?
macOS
How are you deploying your application?
not deployed, tested on localhost
Describe the Bug
Whenever I try to use the module
jsonwebtokeninside a middleware, I got the following warnings on the console:Expected Behavior
The app still works just fine, but I believe this warning shouldn't happen, considering that this module can be used on both front and back end side of my app.
Btw, I haven't done much with middlewares, so I was only able to reproduce this issue only with this specific npm module. If I notice that importing any other module logs the same warning I'll update the issue here.
To Reproduce
you can try it on this repository: https://github.com/mauriciosoares/middlwares-and-rewrites/tree/eval-not-allowed-in-middleware, using the branch
eval-not-allowed-in-middleware.To reproduce it you just need to access the url
http://localhost:3000/foo/bar, and the warning should appear on the console.The text was updated successfully, but these errors were encountered: