update core-js version in html_dependency_corejs()
Opened this issue · 3 comments
Hi, thanks for the awesome work.
When reactR is used in a Quarto HTML page and committed to GitHub, this will cause a security problem like the one below.
*Note: the above image says that the issue is closed (since I changed that code to not use reactR).
To reproduce this, use the below as the contents of index.qmd and render it with Quarto. (This is the example from the README.)
```{r}
library(reactR)
library(htmltools)
browsable(tagList(
  tags$div(id = "app"),
  tags$script(
    "
    ReactDOM.render(
      React.createElement(
        'h1',
        null,
        'Powered by React'
      ),
      document.getElementById('app')
    )
    "
  ),
  # add core-js first to work in RStudio Viewer
  html_dependency_corejs(),
  html_dependency_react()
))
```
Actually, using version 2.5.3 of the core-js JavaScript library causes this problem, and the code html_dependency_corejs(), which actually works as below, causes this:

```r
htmltools::htmlDependency(name = "core-js", version = "2.5.3",
  src = c(file = system.file("www/core-js/", package = "reactR")),
  script = "shim.min.js")
```

To solve this, updating the version from 2.5.3 to a later version that does not use grunt-karma, such as <=4.0.1 or the latest (3.37.1), can be considered.
Note: I don't think core-js is required anymore to work in the RStudio Viewer now (2024).
Thanks.
@jhk0530 Thanks so much. You are correct that core-js is no longer required, but I do feel like I should continue to include it for anyone on legacy setups. I plan to push 0.6.0 to CRAN this week, but I am worried this might require testing that would delay this release. Over the next couple of weeks, I'll try to
- update core-js to core-js-bundle@3.37.1, which unfortunately is 229kb versus the previous 85.9kb
- remove core-js from the default dependencies in the templates, but any widgets and inputs built with prior templates will still by default include core-js. Updated core-js in step 1 should mean, though, that everything works.
@glin any thoughts or concerns?
@timelyportfolio No concerns, I doubt core-js is still necessary in >99% of cases. I had also wanted to remove core-js from reactable a few years ago during the IE11 EOL because of its added size, and that it was getting flagged for vulnerabilities (glin/reactable#245 (comment)).
Removing it by default but leaving it in the package to opt into sounds like a good idea.
Hi! I'm encountering the same issue with reactR 0.6.1. It's still using core-js 2.5.3 as pointed out by @jhk0530 in this fragment of code:
```r
#' Shim Dependency for React in RStudio Viewer
#'
#' Add this first for 'React' to work in RStudio Viewer.
#'
#' @return \code{\link[htmltools]{htmlDependency}}
#' @importFrom htmltools htmlDependency
#' @export
html_dependency_corejs <- function() {
  # shim/polyfill for ES5 and ES6 so react will show up in RStudio Viewer
  # https://unpkg.com/core-js@2.5.3/
  htmltools::htmlDependency(
    name = "core-js",
    version = "2.5.3",
    src = c(file = system.file("www/core-js/", package = "reactR")),
    script = "shim.min.js"
  )
}
```
In my case, the vulnerabilities arise when using the reactable package, which depends on reactR.
Would it be possible to update this dependency to core-js 3.x? If it's not strictly necessary anymore, removing it might be an option, though I'm not sure if that's viable.
Thanks for your work on this package!
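An added example, not code from reactR or from anyone in this thread, that audits which core-js version an htmltools tag list will actually render and then applies the two mitigations discussed above (suppress the shim, or override it with a newer core-js), which also covers the case where core-js is pulled in indirectly, e.g. via reactable. The `~/vendor/core-js` directory and `minified.js` file name are assumptions.

```r
# Added example, not reactR's own code: audit the core-js version an htmltools
# tag list will ship and apply the two mitigations discussed in the thread.
library(htmltools)
library(reactR)

# Resolve the dependencies exactly as rendering would (same name -> highest
# version wins) and flag a core-js older than `min_version`.
audit_corejs <- function(tags, min_version = "3.0.0") {
  deps <- resolveDependencies(findDependencies(tags))
  out <- data.frame(
    name    = vapply(deps, function(d) d$name, character(1)),
    version = vapply(deps, function(d) as.character(d$version), character(1)),
    stringsAsFactors = FALSE
  )
  is_corejs <- out$name == "core-js"
  out$legacy_corejs <- FALSE
  out$legacy_corejs[is_corejs] <-
    package_version(out$version[is_corejs]) < package_version(min_version)
  out
}

page <- tagList(
  tags$div(id = "app"),
  html_dependency_corejs(),   # the 2.5.3 shim from the issue
  html_dependency_react()
)
audit_corejs(page)            # report what this page would ship as-is

# Mitigation 1: drop the shim; suppressDependencies() injects an empty
# dependency with a higher version so the real one is never emitted.
page_noshim <- tagList(page, suppressDependencies("core-js"))
audit_corejs(page_noshim)     # the 2.5.3 files are no longer rendered

# Mitigation 2: override with a newer core-js vendored by you. ASSUMPTION:
# "~/vendor/core-js" holds core-js-bundle@3.37.1 as minified.js (hypothetical).
html_dependency_corejs3 <- function() {
  htmlDependency(
    name = "core-js", version = "3.37.1",
    src = c(file = "~/vendor/core-js"),
    script = "minified.js"
  )
}
# Attaching the newer version alongside the legacy one (e.g. pulled in by
# reactable) makes resolution keep 3.37.1 and discard 2.5.3.
page_updated <- tagList(page, html_dependency_corejs3())
audit_corejs(page_updated)    # core-js now resolves to the vendored 3.37.1
```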