plouc / nivo

nivo provides a rich set of dataviz components, built on top of the awesome d3 and React libraries
https://nivo.rocks
MIT License

Nivo doesn't work with CSP policy unsafe-eval #1522

Closed simonauner closed 3 years ago

simonauner commented 3 years ago

First of all: thanks for a great package!

See this as a bug/feature request/friendly reminder for future versions.

Nivo's dependency react-spring/core has an unsafe eval (https://github.com/pmndrs/react-spring/issues/1423) that causes pages with nivo to not render.

Describe/explain the bug

When rendering nivo charts, an exception is thrown if the CSP policy does not allow unsafe-eval.

To Reproduce

Steps to reproduce the behavior:

  1. Create a simple React project with nivo newer than 65
  2. Create a server that sets sensible CSP defaults:
```javascript
const express = require('express');
const compression = require('compression'); // was used below but not required
const helmet = require('helmet');

const port = process.env.PORT || 3000; // was referenced below but never defined

const server = express();

server.use(compression());
// helmet's default CSP directives: script-src 'self' with no 'unsafe-eval'
server.use(
    helmet({
        contentSecurityPolicy: {
            directives: {
                ...helmet.contentSecurityPolicy.getDefaultDirectives(),
            },
        },
    })
);

server.use('/public', express.static('public'));

server.listen(port, function () {
    console.log('Listening on port ' + port);
});
```

Expected behavior

Server should be able to render the page.

Actual behavior

Server won't send the bundled files.


Additional context

Perhaps downgrade to a version of @react-spring/core before this issue was introduced - or keep this as a reminder to update once https://github.com/pmndrs/react-spring/issues/1423 is resolved. Nivo v. 65 works fine, so I'll keep to that for now.
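To confirm whether a given policy is the one triggering this failure, the following added example (not code from the nivo project or from the issue's authors) parses a Content-Security-Policy header and reports whether script evaluation is permitted, applying the CSP fallback from script-src to default-src. The sample header is constructed here to mirror helmet's default directives as used in the reproduction above.

```javascript
// Constructed sample: helmet's default directives serialized as one header value.
// script-src is 'self' only, so eval()/new Function() are blocked.
const HELMET_DEFAULT_CSP =
  "default-src 'self';base-uri 'self';font-src 'self' https: data:;" +
  "form-action 'self';frame-ancestors 'self';img-src 'self' data:;" +
  "object-src 'none';script-src 'self';script-src-attr 'none';" +
  "style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests";

// Parse "name src src; name src" into a Map of directive name -> source list.
// Directives without values (e.g. upgrade-insecure-requests) map to [].
function parseCsp(header) {
  const directives = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP ignores duplicate directives: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// eval() is governed by script-src; if it is absent, default-src applies.
// If neither is present, CSP imposes no restriction on eval at all.
function allowsUnsafeEval(header) {
  const directives = parseCsp(header);
  const sources = directives.get('script-src') ?? directives.get('default-src');
  if (sources === undefined) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Explain the decision for a header: which directive governed it and why.
function explainEvalPolicy(header) {
  const directives = parseCsp(header);
  const governing = directives.has('script-src')
    ? 'script-src'
    : directives.has('default-src') ? 'default-src' : null;
  return {
    governingDirective: governing,
    allowsEval: allowsUnsafeEval(header),
  };
}

console.log(explainEvalPolicy(HELMET_DEFAULT_CSP));
```

A library that calls eval() or new Function() at runtime will throw under any policy for which allowsEval is false, which is the situation reported here.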

joealden commented 3 years ago

This has supposedly been resolved in react-spring@9.2.0.

simonauner commented 3 years ago

If no one gets to it before me I can run a local version of Nivo with react-spring 9.2.0 next week and see if it solves the problem!

On Thu, 27 May 2021, 18:57 Joe Alden wrote:

This has supposedly been resolved in react-spring@9.2.0 (https://github.com/pmndrs/react-spring/releases/tag/v9.2.0).

tony-scio commented 3 years ago

FWIW, I forced "resolutions": { "@react-spring/web": "^9.2.0" }, in my app that's using 0.70.0 and everything appears to work still (I'm using bar, line and pie). This was by no means comprehensive testing.

eranelbaz commented 3 years ago

Hey! We are using nivo to render graphs in our application, and we encounter this problem daily and it affects our users...

Can you guys release a version of nivo that includes this pull request? Thanks!

@wyze

wyze commented 3 years ago

I'll shoot for next week after I return from vacation.

fkocovski commented 3 years ago

I will also pitch in here, we are facing the same issue. Our CSP does not allow for unsafe-eval. Any news when a new version will be released supporting this?

wyze commented 3 years ago

@fkocovski Should be fixed as of v0.71.0.