Rollupjs build complains about the use of eval in this library. #18

Closed
siva-I opened this issue Jun 21, 2018 · 7 comments

siva-I commented Jun 21, 2018

```
(!) Use of eval is strongly discouraged
https://github.com/rollup/rollup/wiki/Troubleshooting#avoiding-eval
node_modules/js-sha256/src/sha256.js
84:
85: var nodeWrap = function (method, is224) {
86: var crypto = eval("require('crypto')");
^
87: var Buffer = eval("require('buffer').Buffer");
88: var algorithm = is224 ? 'sha224' : 'sha256';
...and 1 other occurrence
created dist/transactionmgmt.dev.js in 4.7s

[2018-06-21 10:33:00] waiting for changes...
```

Owner

emn178 commented Jun 22, 2018

This is because of emn178/js-md5#8.
And I found it won't polyfill unused code this way.

@gmiklich

Can it be changed to a dynamic import or anything along those lines to avoid the use of eval()?


lmm-git commented Jun 16, 2021

Even more, this prevents us from not using 'unsafe-eval' in our Content Security Policy. Any chance that this one gets fixed?


ivands commented Jun 27, 2022

It also breaks in vitejs. We need a fix.

@hansottowirtz

As a fix, you can replace the eval strings in the library during build.
In rollup.config.js:

```js
import replace from "rollup-plugin-re";

export default {
  // ...rest of your Rollup config
  plugins: [
    replace({
      patterns: [
        {
          // Only rewrite files whose path matches js-sha256
          match: /js-sha256/,
          test: `eval("require('crypto')")`,
          replace: `require('crypto')`
        },
        {
          match: /js-sha256/,
          test: `eval("require('buffer').Buffer")`,
          replace: `require('buffer').Buffer`
        }
      ],
    }),
  ]
};
```


juhoha commented Oct 19, 2022

An alternative to suppress warnings in vite.config.js:

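```js
import { defineConfig } from "vite";

export default defineConfig({
  build: {
    rollupOptions: {
      onwarn: (warning, warn) => {
        // Drop only warnings raised for js-sha256's source file; this hides
        // the message but leaves the eval call in the bundle.
        if (warning.loc?.file?.match(/js-sha256\/src\/sha256\.js$/)) return;
        // Pass every other warning to the default handler so it is still shown.
        warn(warning);
      }
    }
  }
});
```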

emn178 added a commit that referenced this issue Aug 30, 2023
### Fixed
- Chrome bug by workaround. #40
- deprecated `new Buffer`, replace with `Buffer.from`. #34
- dependencies and security issues. #32, #36

### Changed
- TypeScript interface, secretKey can be bytes like message. #23, #25
- remove `eval` and use `require` directly. #18, #26

emn178 commented Aug 30, 2023

remove eval in v0.10.0
