Open dndrsn opened 4 months ago
Yep, we are rolling back the version we use due to this.
We're also facing the same issue and it's severely impacting us.
Can you please advise.
Tagging @veu to ensure developers are aware of this, not to be pushy but because there's no indication that this is known.
We're locked at 10.8.10 until this is resolved.
Our restructuring of the project and bundling will fix this. It will remove the eval
which triggers the warning. An alpha version to test is coming soon!
Follow progress of the (massive) PR here: #2169
If interested, we have an alpha release available as we prep for a full release.
https://www.npmjs.com/package/contentful/v/11.0.0-next.1 if you're interested in checking it out
@mgoudy91 Do you have any idea about the full release date ?
@mgoudy91 any news on v11 full release date? We're between a rock and a hard place because v10.8 uses an insecure version of axios, and 10.9+ carries this CSP issue.
Hey @attalbialami and @tplante appreciate your patience and sorry for the delay. We're working on getting the full release out this week, I'll keep you updated in this channel when that's available
Quick update, we're investigating an issue and will likely not have the update out this week, and think early next might be more accurate. This remains a high priority for us and will continue to update here.
@mgoudy91 what is the latest with the release?
Expected Behavior
JavaScript
eval
not to be required.Actual Behavior
CSP violation error if CSP is not set to allow
unsafe-eval
. This issue was introduced in version 10.9.0. Version 10.8.10 works as expected without any issue.Possible Solution
Remove/refactor change introduced in version 10.9.0 which uses eval.
Steps to Reproduce
Create webpage with any CSP that does not allow
unsafe-eval
. Load page in browser.This same issue occurred previously -- https://github.com/contentful/contentful.js/issues/1881