sindresorhus/conf

Content Security Policy infringing code

kyranjamie opened this issue · 1 comments

This package depends on ajv which internally uses new Function(..., sourcecode), equivalent to eval(). This is documented in their readme.

The result of this is that any package bundling conf (or electron-store) infringes secure CSPs. That is, a CSP without an 'unsafe-eval' directive.

Ideally, a package shouldn't prohibit use of a strict CSP.

  • Are there any workarounds I'm not aware of that can be documented?
  • Does this package need to be modularised so that those with no CSP & wanting schema validation can have this functionality?

A workaround can be found in this PR leather-io/desktop#299

If you don't need to use the schema validation functionality, omit ajv, and create an alias to a stub.

// webpack 4 signature: IgnorePlugin(requestRegExp, contextRegExp)
plugins: [
  // Skip bundling ajv wherever it is required from inside conf
  new webpack.IgnorePlugin(/ajv/, /^conf$/),
]
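As an added example (not code from this issue, from conf or from ajv), a small Node check that scans a built bundle for the eval-equivalent constructs a CSP without 'unsafe-eval' blocks at runtime, so the problem described above surfaces in CI rather than in the app. The sample bundle text is constructed inline, and the pattern list is my own heuristic assumption.

```javascript
// Text-level heuristic: a match means "inspect this line", not proof of a
// runtime violation (e.g. the string may live inside a comment or literal).
const EVAL_PATTERNS = [
  { name: 'Function constructor', re: /\bnew\s+Function\s*\(/ },
  { name: 'direct eval', re: /(?<![\w.$])eval\s*\(/ },
  { name: 'string-argument setTimeout/setInterval', re: /\bset(?:Timeout|Interval)\s*\(\s*["'`]/ },
];

// Returns one finding per (line, pattern) hit: { line, kind, text }.
function findEvalLikeCode(source) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    for (const { name, re } of EVAL_PATTERNS) {
      if (re.test(line)) {
        findings.push({ line: idx + 1, kind: name, text: line.trim().slice(0, 80) });
      }
    }
  });
  return findings;
}

// Constructed sample resembling what a bundle that pulls in ajv-style code
// generation contains; it is not real ajv or conf output.
const SAMPLE_BUNDLE = [
  'function compile(schema) {',
  '  const src = "return data.name !== undefined";',
  '  return new Function("data", src); // code generation blocked by strict CSP',
  '}',
  'const ok = JSON.parse(\'{"a":1}\'); // fine under a strict CSP',
  'const timer = setTimeout("tick()", 10);',
].join('\n');

// Prints each finding and returns true only when the bundle is clean.
function bundleIsCspSafe(source) {
  const findings = findEvalLikeCode(source);
  for (const f of findings) {
    console.log(`line ${f.line}: ${f.kind}: ${f.text}`);
  }
  return findings.length === 0;
}

bundleIsCspSafe(SAMPLE_BUNDLE);
```

In a real pipeline, read the emitted bundle file(s) into `bundleIsCspSafe` and fail the build when it returns false.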