Open Abdel-Monaam-Aouini opened 1 year ago
This was flagged up in my Svelte build V3.
If this is not going to change, would be good to have an explanation as to why this is not considered a security risk.
I am also getting this same in my Vite/Vue 3 build. Would love an explanation or a fix.
I am also having this issue in a Vite/React build that is deploying to Netlify. Any help would be appreciated!
Getting the same issue on vite build, when trying to run on Amplify -> Use of eval in "node_modules/lottie-web/build/player/lottie.js" is strongly discouraged as it poses security risks and may cause issues with minification.
Hello everyone, same issue.
Hello everyone, same issue with highlight.js/lib/languages/wren.js
Same issue with React/Vite4 build on local machine
I'm using the solution found here: https://github.com/airbnb/lottie-web/issues/289
Replacing import lottie from "lottie-web"; with import lottie from "lottie-web/build/player/lottie_light"; and using renderer: "svg", worked for me.
Edit: no I am not, the SVG renderer is acting weird.
Hi, don't know if it is relevant, but I managed to change 'ExpressionManager.js' so you can pass a function instead of passing a function in a string, and run the function instead of eval. Demo: https://stackblitz.com/edit/typescript-xm1gpw?file=lottie.ts
npm package with the change: @sentinel-one/lottie-web-no-eval
Any updates on this?
I'm also interested in a solution to this.
Fix this please.
any updates??
I am curious if @bodymovin or anyone else in the Airbnb/Lottie community could help shed some light on what's going on here.
Lottie is a great tool that enables some delightful animations that are difficult for any other tool to match, but it looks like it's suffering from some serious neglect as of late. I'm frankly a bit discouraged by the 40+ open pull requests that have been sitting for months, some of them as simple as fixing a typo.
Are the maintainers interested in fixing this issue and it's just a matter of prioritization? Or have the maintainers moved on and even if a fix were to be available, no one would have the bandwidth to review and merge it?
I'm bringing this up as a B2B app with an obligation to review flagged security issues in my software bill of materials. To have an issue like this open for 10 months with no official word on what's going on is concerning.
I'm happy to help and do my part - I or someone on my team can look into reorganizing the code to not depend on eval, but I don't want to spend the time if it'll just result in one more on the stack of open PRs in this project.
same issue here, any updates?
up
Same issue in my sveltekit app "svelte": "^3.54.0", "lottie-svelte": "^1.3.5"
Looks like an active issue. bumping in for the updates
Same same
Same for us - seems like a major security risk regarding 1.7m weekly downloads?!
Same issue on Vite/React build that I am deploying to Netlify.
Same:
node_modules/lottie-web/build/player/lottie.js (17010:32) Use of eval in "node_modules/lottie-web/build/player/lottie.js" is strongly discouraged as it poses security risks and may cause issues with minification.
using Quasar/Vue.js/Vite with vue3-lottie which depends on lottie-web version 5.12.2
same issue on vite/vue-ts
Same issue
Seeing the same issue here with a vite/react build
Replacing the line in /build/player/lottie.js fixes it:
var expression_function = eval('[function _expression_function(){' + val + ';scoped_bm_rt=$bm_rt}]')[0];
with
var expression_function = (new Function('scoped_bm_rt', val + ';return $bm_rt;'))();
Apparently the supported way to work around this is by importing directly from a Lottie-light file:
Replacing import lottie from "lottie-web"; with import lottie from "lottie-web/build/player/lottie_light"; and using renderer: "svg", worked for me.
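Both workarounds in this thread, swapping eval for new Function in ExpressionManager and switching to the lottie_light build (which ships without the expression engine), come down to one question: does a given animation file contain expressions at all? The following is an added example, not code from lottie-web or from anyone in this thread; it assumes the standard Lottie JSON layout in which an animated property stores its expression as a string under the key "x", and the sample animation is constructed. Note that new Function, unlike eval, cannot see the enclosing function's local variables, so a mechanical swap changes what an expression can reference.

```javascript
// Added example: list every expression string a Lottie animation would
// hand to the full player's eval(), so untrusted files can be reviewed
// or routed to lottie_light (no expression support, hence no eval).
// Constructed sample: one layer, one expression on the position property.
const SAMPLE_ANIMATION = {
  v: "5.7.4", fr: 30, ip: 0, op: 60, w: 100, h: 100, nm: "sample",
  layers: [
    {
      ty: 4, nm: "shape",
      ks: {
        o: { a: 0, k: 100 },
        p: { a: 0, k: [50, 50, 0], x: "var $bm_rt; $bm_rt = wiggle(5, 10);" },
      },
      shapes: [],
    },
  ],
};

// Depth-first walk over the JSON tree; every string under a key named "x"
// is treated as an expression (that is where Bodymovin exports put them).
// Returns [{ path, expression }], path as dotted keys and array indexes.
function findLottieExpressions(node, path = [], found = []) {
  if (Array.isArray(node)) {
    node.forEach((child, i) => findLottieExpressions(child, [...path, i], found));
  } else if (node && typeof node === "object") {
    for (const [key, value] of Object.entries(node)) {
      if (key === "x" && typeof value === "string") {
        found.push({ path: [...path, key].join("."), expression: value });
      } else {
        findLottieExpressions(value, [...path, key], found);
      }
    }
  }
  return found;
}

// Policy helper: an animation with no expressions loses nothing under
// lottie_light; one with expressions needs review before the full player
// (and its eval-based ExpressionManager) is allowed to run it.
function canUseLightPlayer(animation) {
  return findLottieExpressions(animation).length === 0;
}
```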
Same issue on vite build
Hasn't it been resolved yet?
+1
+1
Yep same problem with vite 4.1.1
Switching to lottie-light causes issues with color transitioning/rendering for us.
+1
same here
Same here
I got a workaround by adding these configs to my compiler options in tsconfig.json
"compilerOptions": {
"moduleResolution": "node",
"resolveJsonModule": true,
},
Could you elaborate how this helps? Does this suppress the error or solve/work around the issue?
Same issue here. Vite as bundler.
"name": "three-stdlib", "version": "2.29.11",
I have the exact same issue 🥇
The same issue, using (vue3-lottie)
node_modules/lottie-web/build/player/lottie.js (17010:32) Use of eval in "node_modules/lottie-web/build/player/lottie.js" is strongly discouraged as it poses security risks and may cause issues with minification.
Same issue using react built with vite.
node_modules/lottie-web/build/player/lottie.js (17010:32) Use of eval in "node_modules/lottie-web/build/player/lottie.js" is strongly discouraged as it poses security risks and may cause issues with minification.
+1
+1
Same here, lit environment