Open imoye opened 2 years ago
+1
`eval()` is also not available on certain environments such as Cloudflare Workers, which prevents this module, or anything that depends on it, from being used.
Getting these errors during a Vite build:
00:22:03 common/temp/node_modules/.pnpm/@protobufjs+inquire@1.1.0/node_modules/@protobufjs/inquire/index.js (12:18) Use of eval in "common/temp/node_modules/.pnpm/@protobufjs+inquire@1.1.0/node_modules/@protobufjs/inquire/index.js" is strongly discouraged as it poses security risks and may cause issues with minification.
00:23:24 common/temp/node_modules/.pnpm/@protobufjs+inquire@1.1.0/node_modules/@protobufjs/inquire/index.js (12:18) Use of eval in "common/temp/node_modules/.pnpm/@protobufjs+inquire@1.1.0/node_modules/@protobufjs/inquire/index.js" is strongly discouraged as it poses security risks and may cause issues with minification.
00:24:32 common/temp/node_modules/.pnpm/@protobufjs+inquire@1.1.0/node_modules/@protobufjs/inquire/index.js (12:18) Use of eval in "common/temp/node_modules/.pnpm/@protobufjs+inquire@1.1.0/node_modules/@protobufjs/inquire/index.js" is strongly discouraged as it poses security risks and may cause issues with minification.
00:24:42 common/temp/node_modules/.pnpm/@protobufjs+inquire@1.1.0/node_modules/@protobufjs/inquire/index.js (12:18) Use of eval in "common/temp/node_modules/.pnpm/@protobufjs+inquire@1.1.0/node_modules/@protobufjs/inquire/index.js" is strongly discouraged as it poses security risks and may cause issues with minification.
It's not entirely clear why this is needed at all?
Why not `var mod = require(moduleName);`?
Hi Protobufjs team! Are you planning on removing the usage of eval in the near future?
Same goes for Chrome Extensions using Manifest V3 - where it's also forbidden to use eval
☝🏽 absolutely, had to patch to run on MV3.
This is a huge issue for us as the page we are integrating into forbids `eval` via CSP
same here
https://github.com/protobufjs/protobuf.js/pull/1941
I gave it a try, more tests are needed.
In addition to the Vite errors, this issue causes runtime CSP errors in Firefox:
Content-Security-Policy: The page’s settings blocked the loading of a resource at eval (“script-src”).
Clicking the link in the browser console error takes you here:
I use this patch-package file:
The `if (!util.hasOwnProperty("decorateRoot"))` part is to prevent an error of re-defining the same property when using HMR.
To try to move forward with this and close the Content Security Policy threads like #997, could some maintainer explain what problem the usage of `eval` inside `inquire` resolves precisely?
❓ Maybe the problem is no longer relevant?
By doing some archeology, it seems that `eval` was shipped many years ago due to webpack 4 automagically bundling `Buffer` for the web when it noticed `require`.
Note that webpack 5 (released Nov 2020) has broken compat on this, and no longer automagically ships nodejs polyfills.
So if that's the only reason, I'd suggest to cut a major version of protobufjs (8.0), and remove the usage of `eval`.
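Added example, not part of the thread and not protobuf.js code: a Node.js comparison of an eval-based optional `require` with an eval-free one, run in a `vm` context where code generation from strings is disabled (standing in for a CSP without `'unsafe-eval'`, MV3 or Workers). `EVAL_INQUIRE` is a reconstruction of the pattern under discussion and is an assumption; `PLAIN_INQUIRE` and `probe` are hypothetical names.

```javascript
const vm = require("node:vm");

// Reconstruction (assumption) of the pattern the build warning flags:
// require is reached through eval so that bundlers cannot see it.
const EVAL_INQUIRE = `(function inquire(moduleName) {
  try {
    var mod = eval("quire".replace(/^/, "re"))(moduleName);
    if (mod && (mod.length || Object.keys(mod).length)) return mod;
  } catch (e) { errors.push(e.name); } // recorded only for this demo
  return null;
})`;

// Hypothetical eval-free variant with the same contract (module or null).
const PLAIN_INQUIRE = `(function inquire(moduleName) {
  try {
    if (typeof require !== "function") return null; // ESM, Workers, browsers
    var mod = require(moduleName);
    if (mod && (mod.length || Object.keys(mod).length)) return mod;
  } catch (e) { errors.push(e.name); }
  return null;
})`;

// Run one variant in a fresh context. codeGeneration.strings=false makes
// eval() throw EvalError, as a CSP without 'unsafe-eval' does in a browser.
function probe(source, { allowEval, withRequire }) {
  const sandbox = { errors: [] };
  if (withRequire) sandbox.require = require; // absent in ESM-like scopes
  vm.createContext(sandbox, {
    codeGeneration: { strings: allowEval, wasm: false },
  });
  const inquire = vm.runInContext(source, sandbox);
  return { loaded: inquire("node:path") !== null, errors: sandbox.errors };
}

const cases = [
  ["eval variant, eval blocked", EVAL_INQUIRE, { allowEval: false, withRequire: true }],
  ["plain variant, eval blocked", PLAIN_INQUIRE, { allowEval: false, withRequire: true }],
  ["eval variant, no require", EVAL_INQUIRE, { allowEval: true, withRequire: false }],
  ["plain variant, no require", PLAIN_INQUIRE, { allowEval: false, withRequire: false }],
];
for (const [label, source, opts] of cases) {
  console.log(label, JSON.stringify(probe(source, opts)));
}
```

The plain variant keeps working when string evaluation is forbidden, but a bundler can see its `require` call, which is the trade-off raised in the comment above.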
Any updates? This completely breaks packaging an ESM package because `require` is not defined and this `eval` is always running it.
I also got the problem while using @opentelemetry/exporter-trace-otlp-proto so I switched to @opentelemetry/exporter-trace-otlp-http. Less performant, but more secure at least...
I am also seeing this warning when building with vite, any updates?
Just got this error (July 2024)...
2 years have passed and the problem persists...
I try to use this package in Cloudflare Workers, and have the same trouble with the usage of `eval()`.
Any ideas to solve this problem? Thanks for helping.
protobuf.js version: 6.10.2
https://rollupjs.org/guide/en/#avoiding-eval node_modules/@protobufjs/inquire/index.js