airbnb / lottie-web

Render After Effects animations natively on Web, Android and iOS, and React Native. http://airbnb.io/lottie/
MIT License
29.86k stars, 2.85k forks

Use of eval in "node_modules/lottie-web/build/player/lottie.js" is strongly discouraged as it poses security risks and may cause issues with minification. #2927

Open Abdel-Monaam-Aouini opened 1 year ago

Abdel-Monaam-Aouini commented 1 year ago

Tell us about your environment

What did you do? Please explain the steps you took before you encountered the problem.

What did you expect to happen?

What actually happened? Please include as much relevant detail as possible.

Please provide a download link to the After Effects file that demonstrates the problem.

wardourdigital commented 1 year ago

This was flagged up in my Svelte build V3.

If this is not going to change, would be good to have an explanation as to why this is not considered a security risk.

benjaminprojas commented 1 year ago

I am also getting this same in my Vite/Vue 3 build. Would love an explanation or a fix.

br-schneider commented 1 year ago

I am also having this issue in a Vite/React build that is deploying to Netlify. Any help would be appreciated!

nik-1236789 commented 1 year ago

Getting the same issue on vite build, when trying to run on Amplify -> Use of eval in "node_modules/lottie-web/build/player/lottie.js" is strongly discouraged as it poses security risks and may cause issues with minification.

ivkoandrv commented 1 year ago

Hello everyone, same issue.

kvengerov commented 1 year ago

Hello everyone, same issue with highlight.js/lib/languages/wren.js

hassanmehdi98 commented 1 year ago

Same issue with React/Vite4 build on local machine.

Abdel-Monaam-Aouini commented 1 year ago


georgesa commented 1 year ago

I'm using the solution found here: https://github.com/airbnb/lottie-web/issues/289

Replacing import lottie from "lottie-web"; with import lottie from "lottie-web/build/player/lottie_light"; and using renderer: "svg", worked for me.

Edit: no I am not, the SVG renderer is acting weird.

yoni12ab commented 1 year ago

Hi, I don't know if it is relevant, but I managed to change 'ExpressionManager.js' so you can pass a function instead of passing the function as a string, and run the function instead of eval. Demo: https://stackblitz.com/edit/typescript-xm1gpw?file=lottie.ts

npm package with the change: @sentinel-one/lottie-web-no-eval

pr: https://github.com/airbnb/lottie-web/pull/2998/files#diff-5b04d0c8bca59b39ce8c6631676a283b79119d8e04872b1332d9f0127db51f57

mat-jaworski commented 9 months ago

Any updates on this?

zachrattner commented 9 months ago

I'm also interested in a solution to this.

aenzenith commented 8 months ago

Fix this please.

kuzeofficial commented 8 months ago

any updates??

zachrattner commented 8 months ago

I am curious if @bodymovin or anyone else in the Airbnb/Lottie community could help shed some light on what's going on here.

Lottie is a great tool that enables some delightful animations that are difficult for any other tool to match, but it looks like it's suffering from some serious neglect as of late. I'm frankly a bit discouraged by the 40+ open pull requests that have been sitting for months, some of them as simple as fixing a typo.

Are the maintainers interested in fixing this issue and it's just a matter of prioritization? Or have the maintainers moved on and even if a fix were to be available, no one would have the bandwidth to review and merge it?

I'm bringing this up as a B2B app with an obligation to review flagged security issues in my software bill of materials. To have an issue like this open for 10 months with no official word on what's going on is concerning.

I'm happy to help and do my part - I or someone on my team can look into reorganizing the code to not depend on eval, but I don't want to spend the time if it'll just result in one more on the stack of open PRs in this project.

ericklarsen commented 7 months ago

same issue here, any updates?

fscaringi commented 7 months ago

up

Simo-CE commented 7 months ago

Same issue in my sveltekit app "svelte": "^3.54.0", "lottie-svelte": "^1.3.5"

dextel2 commented 7 months ago

Looks like an active issue. bumping in for the updates

cthier-eb commented 7 months ago

Same same

roger-hermasch commented 7 months ago

Same for us - seems like a major security risk regarding 1.7m weekly downloads?!

danlevison commented 7 months ago

Same issue on Vite/React build that I am deploying to Netlify.

54mu3l commented 6 months ago

Same:

node_modules/lottie-web/build/player/lottie.js (17010:32) Use of eval in "node_modules/lottie-web/build/player/lottie.js" is strongly discouraged as it poses security risks and may cause issues with minification.

using Quasar/Vue.js/Vite with vue3-lottie which depends on lottie-web version 5.12.2

amantiwari1 commented 6 months ago

same issue on vite/vue-ts

PainterPuppets commented 5 months ago

Same issue

tawanaj commented 5 months ago

Seeing the same issue here with a vite/react build


mchughbri commented 5 months ago

Replacing the line in /build/player/lottie.js fixes it:

var expression_function = eval('[function _expression_function(){' + val + ';scoped_bm_rt=$bm_rt}]')[0]; with

var expression_function = (new Function('scoped_bm_rt', val + ';return $bm_rt;'))();

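The two no-eval routes proposed in this thread (yoni12ab's change to accept a real function instead of a string, and mchughbri's swap of eval for new Function) behave differently in ways that matter for both correctness and Content-Security-Policy. The following is an added example, not lottie-web's code and not any commenter's: it models only the shape of the quoted eval call, an expression string that assigns its result to $bm_rt and reads names from the surrounding scope, and contrasts the three ways of running it. The function names and the sample expression are this example's own.

```javascript
// Added example, not code from lottie-web or from this thread's commenters.
// It models the shape of the quoted eval call: an After Effects style
// expression string that assigns its result to $bm_rt and reads names from
// the surrounding scope. All function names here are this example's own.

// Constructed sample expression, as it might sit in an animation JSON file.
const SAMPLE_EXPRESSION = '$bm_rt = value * 2 + time;';

// The same expression as a real function, the form a no-eval build can accept.
const SAMPLE_PRECOMPILED = ({ value, time }) => value * 2 + time;

// 1. Direct eval (what the bundler warns about). Direct eval runs in the
//    caller's lexical scope, so the string can read `value` and `time` and
//    assign the local `$bm_rt` without anything being passed explicitly.
function runWithEval(src, value, time) {
  let $bm_rt;
  eval(src); // the string executes with the page's full privileges
  return $bm_rt;
}

// 2. new Function. The body is compiled in the global scope, not the
//    caller's, so every name the expression relies on has to become a
//    parameter. This avoids an eval-specific bundler warning but is still
//    dynamic code: a CSP script-src without 'unsafe-eval' blocks it too.
function runWithFunction(src, value, time) {
  const fn = new Function('value', 'time', 'let $bm_rt; ' + src + ' return $bm_rt;');
  return fn(value, time);
}

// 3. No dynamic code: the expression arrives as a function, so nothing is
//    parsed at runtime and the code works under a strict CSP.
function runPrecompiled(fn, value, time) {
  return fn({ value, time });
}

// Shows the scope difference behind approach 2: a body that expects the
// caller's local `value` to be visible works under direct eval but throws
// ReferenceError under new Function.
function evalSeesLocal(value) {
  return eval('value') === value;
}

function newFunctionSeesLocal(value) {
  try {
    return new Function('return value')() === value;
  } catch (e) {
    if (e instanceof ReferenceError) return false;
    throw e;
  }
}

// Shows the security point: an eval'd expression is not confined to
// computing $bm_rt. Here the string also writes a global, standing in for
// any side effect an attacker-controlled animation file could carry.
function expressionCanEscape() {
  const marker = '__expression_escape_marker__';
  const hostile = '$bm_rt = 1; globalThis[' + JSON.stringify(marker) + '] = true;';
  runWithEval(hostile, 0, 0);
  const escaped = globalThis[marker] === true;
  delete globalThis[marker];
  return escaped;
}
```

Direct eval sees the calling function's locals, which is why the original one-liner needs nothing passed in; new Function compiles in the global scope, so a drop-in swap only works when every name the expression uses is handed over as a parameter, and it remains dynamic code evaluation that a CSP without 'unsafe-eval' rejects just like eval. Only the precompiled-function route removes runtime evaluation, and with it the reason the bundler warns. In all three variants the expression text comes from the animation data, so whoever controls the JSON controls what runs; expressionCanEscape makes that concrete for the eval case.
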
jorisw commented 4 months ago

Apparently the supported way to work around this is by importing directly from a Lottie-light file:

Replacing import lottie from "lottie-web"; with import lottie from "lottie-web/build/player/lottie_light"; and using renderer: "svg", worked for me.

SabiQG commented 3 months ago

Same issue on vite build

Sunny264 commented 3 months ago

Hasn't it been resolved yet?

nireld commented 3 months ago

+1

keriat commented 3 months ago

+1

okadots commented 2 months ago

Yep same problem with vite 4.1.1

Switching to lottie-light causes issues with color transitioning/rendering for us.

iZhangHao1997 commented 2 months ago

+1

eynomr commented 2 months ago

same here

gitVasile commented 2 months ago

Same here

ejirocodes commented 2 months ago

I got a workaround by adding these configs to my compiler options in tsconfig.json

 "compilerOptions": {
    "moduleResolution": "node", 
    "resolveJsonModule": true,
  },
jorisw commented 2 months ago

I got a workaround by adding these configs to my compiler options in tsconfig.json

 "compilerOptions": {
    "moduleResolution": "node", 
    "resolveJsonModule": true,
  },

Could you elaborate how this helps? Does this suppress the error or solve/work around the issue?

Tokkkyo commented 1 month ago

Same issue here. Vite as bundler. "name": "three-stdlib", "version": "2.29.11",

muba00 commented 1 month ago

I have the exact same issue 🥇

rightup commented 1 month ago

The same issue, using (vue3-lottie)

node_modules/lottie-web/build/player/lottie.js (17010:32) Use of eval in "node_modules/lottie-web/build/player/lottie.js" is strongly discouraged as it poses security risks and may cause issues with minification.

georgiosApo commented 1 month ago

Same issue using react built with vite.

node_modules/lottie-web/build/player/lottie.js (17010:32) Use of eval in "node_modules/lottie-web/build/player/lottie.js" is strongly discouraged as it poses security risks and may cause issues with minification.

VsevolodKurochka commented 1 month ago

+1

k3vin-batista commented 1 month ago

+1

KearseTrevor commented 1 month ago

Same here, lit environment