Remove eval from frontend bundle #9731
Conversation
sfc-gh-vdonato
added
security-assessment-completed
kantuni
force-pushed
the
kantuni/remove-eval-from-frontend-bundle-v2
branch
2 times, most recently
from
ff5b2d8 to
aada623
Compare
…ck which in CI mode is considered an error
kantuni
force-pushed
the
kantuni/remove-eval-from-frontend-bundle-v2
branch
from
aada623 to
1f366f8
Compare
Do you have an idea of how we maintain this in the future, e.g. when we update the protobufjs version? When we update it and the patch does not work anymore / break things, will we see it in our e2e tests because it is completely broken? |
|
@kmcgrady Does this interfere with the frontend split effort / needs to be updated our are the changes compatible with each other? |
Hopefully, the next upgrade won't contain that piece (considering the rant around it). But if it does - it's trivial to apply the same update to the future versions. You open the file containing the eval (in this case |
This change should be compatible even with new package managers, as most of them support this functionality out-of-the-box. For example, for pnpm neither the |
kmcgrady
left a comment
kmcgrady
left a comment
There was a problem hiding this comment.
Yea. I don't think this should cause any issues with the frontend split work @raethlein. I approved it because the tests pass fine, and I assume this works fine in CSP-deployed environments.
@kantuni Will the install fail if someone upgrades the package? Would love to make sure we break hard if any changes occur.
@kmcgrady The patch simply won't be applied to the next version. It will print out a message saying that no patches were applied. That should gives a cue. I haven't found a way to break hard from install as it's a "postinstall" script. |
Thanks to @kmcgrady who found the |
## Describe your changes This PR blocks the use of `eval` in a browser environment. Please see [this](https://docs.google.com/document/d/1g-fczG7eV5CIIUDd5pnwvGkUn-SLf2vMZeBk9qj1Yk4/) spec for more info on why we need to remove it. This PR adds 2 packages: [patch-package](https://www.npmjs.com/package/patch-package) and [postinstall-postinstall](https://www.npmjs.com/package/postinstall-postinstall). The first one is used to patch `@protobufjs/inquire` which includes the `eval` (see protobufjs/protobuf.js#997 and protobufjs/protobuf.js#1548), and the second one is used to call `postinstall` on `yarn remove` as Yarn v1 only calls it on `yarn install` and `yarn add`. ## GitHub Issue Link (if applicable) [SNOW-1554237](https://snowflakecomputing.atlassian.net/browse/SNOW-1554237) ## Testing Plan - No tests required as there are no implementation changes. --- **Contribution License Agreement** By submitting this pull request you agree that all contributions to this project are made under the Apache 2.0 license.
Describe your changes
This PR blocks the use of
evalin a browser environment. Please see this spec for more info on why we need to remove it.This PR adds 2 packages: patch-package and postinstall-postinstall. The first one is used to patch
@protobufjs/inquirewhich includes theeval(see protobufjs/protobuf.js#997 and protobufjs/protobuf.js#1548), and the second one is used to callpostinstallonyarn removeas Yarn v1 only calls it onyarn installandyarn add.GitHub Issue Link (if applicable)
SNOW-1554237
Testing Plan
Contribution License Agreement
By submitting this pull request you agree that all contributions to this project are made under the Apache 2.0 license.