Allow it to work on edge (e.g. cloudflare workers)
ValeryG opened this issue · 5 comments
There is already an issue for this , #2318, but it is closed. Suggestion there is not working when ajv is XX-layers down like eg: async-parser -> @stoplight/spectral->ajv and dynamic schema is validated, there is not visible to generate and pass validation function all the way down.
The version of Ajv you are using
latest
The environment you have the problem with
cloudflare worker
Your code (please make it as small as possible to reproduce the issue)
standard example from async-parser Example
Works in every browser and node env, except of cloudflare worker.
Results and error messages in your platform
Code generation from strings disallowed for this context
at new Function (<anonymous>)
at m.f
If there is no way to drop new Function
usage in general, maybe it could be made conditional? let's say if option.workerSafe
is passed as true, do something worker safe instead of new function?
I see, so the use of AJV within other projects preclude those projects from being used in cloudflare. I wonder if it would be possible for those projects to pre-build any schema based validations functions so that their code can be run on cloudflare? It won't always be possible but not out of the question depending on the usage.
I say this because given how AJV works I can't think of a way to avoid using new Function
. Also worth noting, just in case it was a concern, that while new Function
is considered unsafe and not allowed on cloudflare, the way that AJV uses it is very safe and has been verified by many experts. Anything passed to new Function
has had to go through the typesafe codegen package which protects against any injection attacks etc.
Anyway, I am open to ideas but afaik we couldn't stop using new Function
.
I wonder if it would be possible for those projects to pre-build any schema based validations functions so that their code can be run on cloudflare?
No, since the source files are fetched at runtime, there’s bo way to pre-build.
I see. Well I will leave this open. If anyone has any ideas on how to work around this or any proposals, we can discuss it.
As Cloudflare doesn't allow eval
or new Function
for security reasons, it may someday support ShadowRealm API if it gets approved by TC39 (it's currently in Stage 2.7 and Bun already supported it). At that time ajv should be able to migrate to the new API to make it work on edge runtimes.
Thanks for the info @Justineo, I will keep an eye out for that.