There are some usages of Function in the lodash package, which requires unsafe-eval to be used. In the built version https://github.com/jshint/jshint/blob/master/dist/jshint.js you can find Function('return this')(); and Function(importsKeys, sourceURL + 'return ' + source). The second one is not used at all.
This makes usage of JSHint impossible in restricted environments, where only script-src: self is set. Any chance to remove them?
More information about Unsafe eval expressions.
Thanks for taking the time to file an issue! Lodash is expected to load "just fine" in a CSP-restricted environment. Judging from that library's source code, it seems as though an error will only be encountered if the binding named self is not defined globally. Is that the case for you?
Hello! The problem is that scan tools report such usages, even if not used. The issue you have referenced is from 2014, and back then this code wasn't part of root.js. I've found that this is already addressed with lodash/lodash#4985 and globalThis is suggested.
For the other occurrence of eval, which is in lodash.template - since you are not using this function, is it possible to prune it from your bundle? It will also decrease the total size.
jugglinmike changed the title from "CSP 'script-src' directive is violated" to "Browser bundle includes an eval pattern, triggering some static analysis" on Aug 29, 2021
Got it. I've updated the title of this issue since there aren't any known Content Security Policy violations.
A sufficiently advanced build process would likely infer that JSHint doesn't use the offending code and omit it from the final product. Unfortunately, this project's build system is not up to the task right now. I'll gladly review patches to modernize it!