kbss-cvut / s-forms

SForms - Semantic form generator and processor. For ontology-based smart forms.
GNU Lesser General Public License v3.0
4 stars, 7 forks

Dependent package "store" uses eval, which is discouraged #284

Open blcham opened 5 months ago

blcham commented 5 months ago

Reported by https://github.com/shellyear.

When using the SForms library in record-manager-ui, we encountered the following problem when running npm run build:

node_modules/store/plugins/lib/json2.js (493:20) Use of eval in "node_modules/store/plugins/lib/json2.js"
is strongly discouraged as it poses security risk and may cause issues with minification.

The root cause is the "eval" function being used inside node_modules/store/plugins/lib/json2.js. The "store" package is used inside @kbss-cvut/s-forms, in one of its dependencies. Eval by itself is not recommended in JS, due to security issues.

Related version of SForms: @kbss-cvut/s-forms@0.7.1-beta-48c6cc4.0

The solution should be to not rely on packages that use eval. Maybe update the dependent package?

blcham commented 5 months ago

Note that a solution to this issue might also be putting questions that depend on yasgui functionality into a separate SForms components project (which is natural anyway), which would also solve https://github.com/kbss-cvut/s-forms/issues/283