brocaar / chirpstack-api

ChirpStack API (Protobuf & gRPC)
MIT License

Use of eval in google-protobuf.js #69

Closed 128keaton closed 6 months ago

128keaton commented 6 months ago

What happened?

I am using @chirpstack/api inside of a SvelteKit project and Rollup.js complains about the use of eval in the Google Protobuf JS library:

node_modules/google-protobuf/google-protobuf.js (27:206): Use of eval in "node_modules/google-protobuf/google-protobuf.js" is strongly discouraged as it poses security risks and may cause issues with minification.
node_modules/google-protobuf/google-protobuf.js (29:315): Use of eval in "node_modules/google-protobuf/google-protobuf.js" is strongly discouraged as it poses security risks and may cause issues with minification.
node_modules/google-protobuf/google-protobuf.js (48:475): Use of eval in "node_modules/google-protobuf/google-protobuf.js" is strongly discouraged as it poses security risks and may cause issues with minification.

What did you expect?

I would love to not have these warnings and maybe even trim my bundle size down a bit. I looked into using protobuf.js but they do not implement the Timestamp field.

Steps to reproduce this issue

Steps:

  1. Create a SvelteKit project
  2. Import relevant ChirpStack protobuf imports (see below)
  3. Do a production build (vite build)

Could you share your log output?

node_modules/google-protobuf/google-protobuf.js (27:206): Use of eval in "node_modules/google-protobuf/google-protobuf.js" is strongly discouraged as it poses security risks and may cause issues with minification.
node_modules/google-protobuf/google-protobuf.js (29:315): Use of eval in "node_modules/google-protobuf/google-protobuf.js" is strongly discouraged as it poses security risks and may cause issues with minification.
node_modules/google-protobuf/google-protobuf.js (48:475): Use of eval in "node_modules/google-protobuf/google-protobuf.js" is strongly discouraged as it poses security risks and may cause issues with minification.

Your Environment

Component        Version
ChirpStack API   v4.70

Imports

import device_pb from '@chirpstack/chirpstack-api/api/device_pb';
import timestamp_pb from 'google-protobuf/google/protobuf/timestamp_pb';
import device_grpc_pb from '@chirpstack/chirpstack-api/api/device_grpc_pb';
import device_profile_grpc_pb from '@chirpstack/chirpstack-api/api/device_profile_grpc_pb';
import device_profile_pb from '@chirpstack/chirpstack-api/api/device_profile_pb';

const {
    CreateDeviceRequest,
    Device,
    ListDevicesRequest,
    GetDeviceRequest,
    DeleteDeviceRequest,
    DeviceKeys,
    CreateDeviceKeysRequest,
    UpdateDeviceKeysRequest,
    GetDeviceKeysRequest,
    GetDeviceMetricsRequest,
    UpdateDeviceRequest
} = device_pb;
const { DeviceServiceClient } = device_grpc_pb;
const { DeviceProfileServiceClient } = device_profile_grpc_pb;
const { ListDeviceProfilesRequest } = device_profile_pb;

brocaar commented 6 months ago

For ChirpStack v4, please use: https://github.com/chirpstack/chirpstack/. This repo also contains the API definitions. This repo is for v3.

> Rollup.js complains about the use of eval in the Google Protobuf JS library

I'm not sure if there is anything that I can do about this as this is an external dependency. I have checked, but I'm already using the latest version from NPM.
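
Added example, not part of the thread and not code from ChirpStack, Rollup or google-protobuf: when the eval sits in an external dependency that cannot be changed, a Rollup `onwarn` handler can silence the `EVAL` warning for that one reviewed package while failing the build if eval shows up anywhere else. The allowlist, the sample warnings and the `triage` helper are assumptions made for illustration.

```javascript
// Added example, not code from ChirpStack, Rollup or google-protobuf.
// Assumption: google-protobuf is the only dependency reviewed and accepted
// as a source of Rollup's EVAL warning.
const EVAL_ALLOWLIST = [/(^|[\\/])node_modules[\\/]google-protobuf[\\/]/];

// Rollup calls onwarn(warning, defaultHandler) for every build warning.
// Returns a label for logging and tests; Rollup ignores the return value.
function onwarn(warning, defaultHandler) {
  if (warning.code !== 'EVAL') {
    defaultHandler(warning); // keep Rollup's normal reporting
    return 'forwarded';
  }
  // Plugin-generated ids can carry a leading NUL or a ?query suffix.
  const id = String(warning.id || '').replace(/^\0/, '').split('?')[0];
  if (EVAL_ALLOWLIST.some((re) => re.test(id))) {
    return 'allowed'; // known third-party use: silence it
  }
  // eval anywhere else (first-party code, a new dependency) fails the build.
  throw new Error(`Unexpected eval in ${id || 'unknown module'}`);
}

// Constructed sample warnings shaped like Rollup's warning objects.
const SAMPLE_WARNINGS = [
  { code: 'EVAL', id: '/app/node_modules/google-protobuf/google-protobuf.js' },
  { code: 'CIRCULAR_DEPENDENCY', message: 'a.js -> b.js -> a.js' },
  { code: 'EVAL', id: '/app/src/lib/template.js' },
];

// Runs the handler over a list of warnings and records each outcome.
function triage(warnings) {
  return warnings.map((w) => {
    try {
      return onwarn(w, () => {});
    } catch (err) {
      return `blocked: ${err.message}`;
    }
  });
}

console.log(triage(SAMPLE_WARNINGS));

// Wiring (vite.config.js): build: { rollupOptions: { onwarn } }
```

The handler only changes what the build reports; the eval calls remain in the bundle, so a Content-Security-Policy without 'unsafe-eval' can still block them at runtime.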

128keaton commented 6 months ago

@brocaar you are correct, I am so sorry, I should've double-checked my repos... and imports. Thanks!