globalizejs / globalize

A JavaScript library for internationalization and localization that leverages the official Unicode CLDR JSON data
https://globalizejs.com
MIT License

new Func() in globalize dist folder #943

Open bomao-paypal opened 1 year ago

bomao-paypal commented 1 year ago

After installing the globalize package, in node_modules/globalize/dist/globalize/message.js, we saw a new Func() expression. This causes an unsafe-eval issue.

Our app has a dependency on the relative-time package, and the relative-time package internally calls globalize, which exports all modules such as date, currency, message, etc. Then, we saw that the globalize/dist/globalize/message.js file contains the code snippet below with new Func():

```javascript
if (typeof messages == 'string') {
  var f = new Function(
    'number, plural, select, pluralFuncs, fmt',
    'return ' + compileMsg(this, messages));
  return f(this.runtime.number, this.runtime.plural, this.runtime.select,
    this.runtime.pluralFuncs, this.runtime.fmt);
}
```

We are not using the message feature at all, so we are wondering if you can fix this; otherwise, please let us know if there is any workaround for it. Thanks.

rxaviers commented 8 months ago

Hi @bomao-paypal, I am open to considering including this enhancement. Thanks
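The unsafe-eval behaviour reported in this issue can be reproduced in Node for testing. The following is an added example, not globalize code and not part of the thread: it flags string-to-code sinks statically and then runs a code path in a `vm` context where string compilation is refused, as it is under a CSP without `'unsafe-eval'`. `SAMPLE_SOURCE`, `findEvalSinks` and `runWithoutStringCodegen` are hypothetical names, and the sample source is constructed to resemble the quoted snippet.

```javascript
const vm = require('node:vm');

// Constructed stand-in for the pattern quoted in the issue: a formatter that
// compiles a message string with `new Function` only when given a string.
const SAMPLE_SOURCE = `
function formatter(messages) {
  if (typeof messages == 'string') {
    var f = new Function('name', 'return ' + messages);
    return f;
  }
  return messages; // already a function: nothing is compiled from a string
}
`;

// Static check: flag constructs that CSP treats as string-to-code evaluation.
const EVAL_SINKS = [
  /\bnew\s+Function\s*\(/,
  /\beval\s*\(/,
  /\bset(?:Timeout|Interval)\s*\(\s*['"`]/,
];

function findEvalSinks(source) {
  const hits = [];
  source.split('\n').forEach((text, i) => {
    if (EVAL_SINKS.some((re) => re.test(text))) {
      hits.push({ line: i + 1, text: text.trim() });
    }
  });
  return hits;
}

// Dynamic check: evaluate `call` in a context where V8 refuses to compile
// strings, the restriction a CSP without 'unsafe-eval' applies in a browser.
function runWithoutStringCodegen(source, call) {
  const context = vm.createContext({}, {
    codeGeneration: { strings: false, wasm: false },
  });
  try {
    return { blocked: false, value: vm.runInContext(source + '\n' + call, context) };
  } catch (err) {
    // The error comes from the context's realm, so compare by name.
    if (err.name === 'EvalError') return { blocked: true, value: undefined };
    throw err;
  }
}
```

The static check reports that a sink exists in a dependency; the dynamic check shows whether a given call actually reaches it, which is the difference between the string and pre-built function paths above.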