Use of eval in "node_modules/lottie-web/build/player/lottie.js" is strongly discouraged as it poses security risks and may cause issues with minification. #2927
Comments
This was flagged up in my Svelte build V3. If this is not going to change, it would be good to have an explanation as to why this is not considered a security risk.

I am also getting the same in my Vite/Vue 3 build. Would love an explanation or a fix.

I am also having this issue in a Vite/React build that is deploying to Netlify. Any help would be appreciated!

Getting the same issue on

I'm using the solution found here: #289 Replacing Edit: no I am not, the SVG renderer is acting weird.

Hi, don't know if it is relevant: npm package with the change:

Any updates on this?

I'm also interested in a solution to this.

Fix this please.

any updates??
I am curious if @bodymovin or anyone else in the Airbnb/Lottie community could help shed some light on what's going on here. Lottie is a great tool that enables some delightful animations that are difficult for any other tool to match, but it looks like it's suffering from some serious neglect as of late. I'm frankly a bit discouraged by the 40+ open pull requests that have been sitting for months, some of them as simple as fixing a typo. Are the maintainers interested in fixing this issue and it's just a matter of prioritization? Or have the maintainers moved on, and even if a fix were to be available, no one would have the bandwidth to review and merge it? I'm bringing this up as a B2B app with an obligation to review flagged security issues in my software bill of materials. To have an issue like this open for 10 months with no official word on what's going on is concerning. I'm happy to help and do my part: I or someone on my team can look into reorganizing the code to not depend on eval, but I don't want to spend the time if it'll just result in one more on the stack of open PRs in this project.
same issue here, any updates?

up

Same issue in my sveltekit app

Looks like an active issue. Bumping for updates.

Same same

Same for us. Seems like a major security risk regarding 1.7m weekly downloads?!

Same issue on Vite/React build that I am deploying to Netlify.

Same: using Quasar/Vue.js/Vite with vue3-lottie, which depends on lottie-web version 5.12.2

same issue on vite/vue-ts

Same issue
Replacing the line in /build/player/lottie.js fixes it:
+1
+1
Yep, same problem with vite 4.1.1. Switching to lottie-light causes issues with color transitioning/rendering for us.

+1

same here

Same here
I got a workaround by adding these configs to my compiler options in
Could you elaborate how this helps? Does this suppress the error or solve/work around the issue?

Same issue here. Vite as bundler.

I have exact same issue 🥇
The same issue, using (vue3-lottie)
Same issue using react built with vite.
+1
+1
Same here, lit environment

Same problem, using Vite
Thanks for the tip 🙏 @mchughbri, this worked for me!
I worked around this as a part of my build process by using vite-plugin-filter-replace. For anyone else who encounters this issue, my vite.config.ts looks like:

```ts
import { defineConfig } from 'vite';
import filterReplace from 'vite-plugin-filter-replace';

export default defineConfig(({ mode }) => {
  return {
    plugins: [
      // Workaround warning with lottie - https://github.com/airbnb/lottie-web/issues/2927
      filterReplace([
        {
          filter: ['node_modules/lottie-web/build/player/lottie.js'],
          replace: {
            from: 'eval(\'[function _expression_function(){\' + val + \';scoped_bm_rt=$bm_rt}]\')[0]',
            to: '(new Function(\'scoped_bm_rt\', val + \';return $bm_rt;\'))()',
          },
        },
      ]),
    ],
  };
});
```

I see @yoni12ab opened PR #2998 to address this but there hasn't been any movement there in a year. 🤷
The workaround above doesn't work for me. But this similar and more complex workaround works for all animations we use:

```ts
import { defineConfig } from 'vite';
import filterReplace from 'vite-plugin-filter-replace';

const lottieScopeVariables = [
  'value',
  'content',
  'loopOut',
  'numKeys',
  '$bm_mul',
  '$bm_sum',
  '$bm_sub',
  '$bm_div',
  '$bm_mod',
  '$bm_isInstanceOfArray',
  '$bm_transform',
  'anchorPoint',
  'time',
  'velocity',
  'inPoint',
  'outPoint',
  'width',
  'height',
  'name',
  'loop_in',
  'loop_out',
  'smooth',
  'toComp',
  'fromCompToSurface',
  'toWorld',
  'fromWorld',
  'mask',
  'position',
  'rotation',
  'scale',
  'thisComp',
  'active',
  'wiggle',
  'loopInDuration',
  'loopOutDuration',
  'comp',
  'lookAt',
  'easeOut',
  'easeIn',
  'ease',
  'nearestKey',
  'key',
  'text',
  'textIndex',
  'textTotal',
  'selectorValue',
  'framesToTime',
  'timeToFrames',
  'sourceRectAtTime',
  'substring',
  'substr',
  'posterizeTime',
  'index',
  'globalData',
  'frames',
  '$bm_neg',
  'add',
  'clamp',
  'radians_to_degrees',
  'degreesToRadians',
  'degrees_to_radians',
  'normalize',
  'rgbToHsl',
  'hslToRgb',
  'linear',
  'random',
  'createPath',
  '_lottieGlobal',
  'transform',
  'effect',
  'thisProperty',
  'loopIn',
  'fromComp',
  'thisLayer',
  'valueAtTime',
  'velocityAtTime',
];

// https://vitejs.dev/config/
export default defineConfig({
  plugins: [
    // workaround for a warning with lottie https://github.com/airbnb/lottie-web/issues/2927
    filterReplace([
      {
        filter: ['node_modules/lottie-web/build/player/lottie.js'],
        replace: {
          from: "eval('[function _expression_function(){' + val + ';scoped_bm_rt=$bm_rt}]')[0]",
          to: `
            function _expression_function() {
              var valToEval = val;
              scoped_bm_rt = (new Function(
                'valToEval', ${lottieScopeVariables.map((v) => `'${v}'`).join(',')},
                'try {'
                + val + \`;
                  return $bm_rt;
                } catch (e) {
                  console.error("Error in lottie-web workaround. Fix the issue in vite.config.ts:", e, "Failed expression:", valToEval);
                  throw e;
                }\`
              ))(valToEval, ${lottieScopeVariables.join(',')});
            }`,
        },
      },
    ]),
  ],
});
```
Same problem using Vite

I'm experiencing essentially the same issue with a slightly different path: `node_modules/@lottiefiles/react-lottie-player/dist/lottie-react.esm.js (15:263172): Use of eval in "node_modules/@lottiefiles/react-lottie-player/dist/lottie-react.esm.js" is strongly discouraged as it poses security risks and may cause issues with minification.` I tried the above workarounds, adding a filterReplace plugin to my vite.config.ts file, and altered the path to match that from my error message; however, neither of the above workarounds worked for me.
In your case the problem is in You can try changing
it will probably work.
+1

same issue in Vite build

Same issues with React

Same issue on building a chrome extension with svelte; although the solution of importing lottie_light works, it would be good to have a proper solution
@mchughbri Sorry, but how is `new Function` less vulnerable than `eval`, if it is the same thing???

It is not stated that this fix removes possible vulnerabilities. It suppresses annoying warnings. On the other hand,

@mrlika A bad warning is better than a silent vulnerability, even if it is annoying. It could be a supply chain attack, and it could be abused to execute user input.
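As the last two comments point out, swapping `eval` for `new Function` only silences the bundler's static warning; the player still executes whatever expression string the animation JSON hands it. The defender-side control is therefore on the input. The following is an added example, not lottie-web code and not any commenter's workaround: a loader-side filter that strips expression strings before the animation reaches the player. It assumes that bodymovin/Lottie JSON stores an animated property's expression as a string under the key `x` (keyframe bezier handles also use `x`, but as numeric arrays).

```javascript
// Added example (not lottie-web code): remove expression strings from a
// Lottie animation JSON before it reaches the player, so an animation file
// from an untrusted source carries no code for the eval()/new Function() sink.
//
// Assumption: an animated property stores its After Effects expression as a
// string under "x". Keyframe bezier handles also use "x" but hold numeric
// arrays, so only string-valued "x" keys are treated as expressions.

// Walk the JSON tree in place; returns how many expression strings were removed.
function stripLottieExpressions(node) {
  if (Array.isArray(node)) {
    return node.reduce((count, child) => count + stripLottieExpressions(child), 0);
  }
  if (node === null || typeof node !== 'object') {
    return 0;
  }
  let removed = 0;
  if (typeof node.x === 'string') {
    delete node.x;
    removed += 1;
  }
  for (const key of Object.keys(node)) {
    removed += stripLottieExpressions(node[key]);
  }
  return removed;
}

// Parse an animation file and return the sanitized object plus a count that
// can be logged, or used to reject files that carried expressions at all.
function sanitizeLottie(jsonText) {
  const animation = JSON.parse(jsonText);
  const removed = stripLottieExpressions(animation);
  return { animation, removed };
}

// Constructed sample: the opacity property carries an expression string,
// while the position keyframe has numeric bezier handles that must survive.
const SAMPLE_ANIMATION = JSON.stringify({
  fr: 30, ip: 0, op: 60, w: 100, h: 100, nm: 'constructed sample', layers: [{
    ty: 4, nm: 'shape', ks: {
      o: { a: 0, k: 100, ix: 11, x: 'var $bm_rt; $bm_rt = value * 0.5;' },
      p: { a: 1, ix: 2, k: [{ i: { x: [0.833], y: [0.833] }, o: { x: [0.167], y: [0.167] }, t: 0, s: [0, 0, 0] }] },
    },
  }],
});

const result = sanitizeLottie(SAMPLE_ANIMATION);
console.log(`removed ${result.removed} expression(s)`); // → removed 1 expression(s)
```

The sanitized `result.animation` is what you would pass to `lottie.loadAnimation`; a non-zero `removed` count on a file that is not supposed to contain expressions is worth logging.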