Fix 'unsafe-eval' CSP issue #2672

cherniavskii · 2024-01-26T13:24:05Z

Summary

Fixes #713
See #713 (comment) for explanation.
I've used patch-package to patch the jszip dependency that is using new Function() that violates CSP rules.
The new build of exceljs doesn't include the new Function() anymore.

Test plan

I'll prepare before/after demos later as it's tricky to do with Codesandbox/Stackblitz

Related to source code (for typings update)

cherniavskii · 2024-01-26T13:24:44Z

.gitignore

@@ -53,8 +53,6 @@ spec/integration/data/gold
 /spec/manual/public/exceljs.js
 /spec/manual/public/exceljs.min.js

-package-lock.json


patch-package requires package-lock to work. I can extract this to a separate PR if necessary

cherniavskii · 2024-01-26T13:26:50Z

patches/jszip+3.10.1.patch

+-      // Callback can either be a function or a string
+-      if (typeof callback !== "function") {
+-        callback = new Function("" + callback);
+-      }


We never pass a string to setImmediate, so it's safe to remove.

The changes below in jszip.min.js are the same, but the diff looks weird because it's a single-line file 🙃

cherniavskii added 3 commits January 26, 2024 13:03

add package-lock

6418ab4

install patch-package

34577b5

patch jszip to not use new Function()

779c404

cherniavskii commented Jan 26, 2024

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix 'unsafe-eval' CSP issue #2672

Fix 'unsafe-eval' CSP issue #2672

cherniavskii commented Jan 26, 2024

cherniavskii Jan 26, 2024

cherniavskii Jan 26, 2024

Fix 'unsafe-eval' CSP issue #2672

Are you sure you want to change the base?

Fix 'unsafe-eval' CSP issue #2672

Conversation

cherniavskii commented Jan 26, 2024

Summary

Test plan

Related to source code (for typings update)

cherniavskii Jan 26, 2024

Choose a reason for hiding this comment

cherniavskii Jan 26, 2024

Choose a reason for hiding this comment