Request: Provide option to drop in alternate validator

[sportnak]

Prerequisites

• I have read the documentation;
• In the case of a bug report, I understand that providing a SSCCE example is tremendously useful to the maintainers.

Description

We currently have a content security policy set up that doesn't allow for unsafe-eval or the use of the function constructor. In one of the most recent updates, jsonschema was replaced with ajv.

Ajv uses the function constructor while json schema does not. I currently have prevented upgrading past v0.51.0. Ajv's response to this is to precompile schemas which isn't quite useful since I would like to provide a form editor.

I'd like to be able to drop ajv in favor of json-schema or some other validation module, without necessarily being stuck in time.

Steps to Reproduce

https://github.com/epoberezkin/ajv/blob/master/lib/compile/index.js#L118 is where the function constructor is run.

Version

0.51.0 uses json-schema
^0.52.0 uses ajv

[manahga]

I must say that I wish a little more time had been invested on the decision to swap out the validation library. Our group is spending time updating our code due to subtle changes/issues in validation due to the switch to the ajv library. Major changes to subsystems like this really need more scrutiny/testing in the future as each dependent library (jsonschema, ajv, etc...) comes with it's own inherent quirks/issues.

[doncesarts]

There is a pending pull request that might interest you regarding to the AJV .

#794

[epicfaace]

@sportnak hmm, that might be hard to do, given that a lot of our error code and other functionality we support (custom meta schemas, custom formates, etc.) is now ajv-specific. Do you have an idea of how supporting alternate validators would work?

[sleiyer]

@epicfaace I know this is an older issue but our team has also recently ran into this when adopting react-jsonschema-form into our production environment.

It seems like ajv is here to stay given the progress that's been made since this issue was originally created.

Are there alternatives to precompile schemas that we can use w/o introducing unsafe-eval in our CSP? I curious to know what other production adoptions have been doing I imagine adding unsafe-eval would be an uncommon setup for most companies.

[megantaylor]

my team ended up forking react-jsonschema-form and swapping out ajv for jsonschema for validation. solved our CSP problem, but was a real pain to do and will continue to be a pain to maintain. would be awesome if that was just an option in this library.

[epicfaace]

@megantaylor I think the main sticking point is that jsonschema and ajv have different formats of errors. If we could come up with a common structure for errors that both AJV and jsonschema errors could be converted to, then we should be able to use either ajv / jsonschema for validation. Do you think you might be able to help with that?

[megantaylor]

i would be interested in working on that, but right now i'm juggling too much already. 😞

[epicfaace]

closing in favor of #2693 instead