From 36244ea28dd5964a7faee96b4d100b939c037857 Mon Sep 17 00:00:00 2001
From: Kris Zyp
Date: Mon, 7 Nov 2022 07:52:13 -0700
Subject: [PATCH] Provide build that with no eval/Function #86
---
 README.md | 3 +++
 package.json | 5 +++--
 rollup.config.js | 35 +++++++++++++++++++++++++++++++----
 unpack.js | 2 ++
 4 files changed, 39 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index 5ff4e5d..35aaf53 100644
--- a/README.md
+++ b/README.md
@@ -69,6 +69,9 @@ For module-based development, it is recommended that you directly import the mod
 import { unpack } from 'msgpackr/unpack' // if you only need to unpack
 ```
 
+The package also includes a minified bundle in index.min.js.
+Additionally, the package includes a version that excludes dynamic code evaluation called index-no-eval.js, for situations where Content Security Policy (CSP) forbids eval/Function in code. The dynamic evaluation provides important performance optimizations (for records), so is not recommended unless required by CSP policy.
+
 ## Structured Cloning
 You can also use msgpackr for [structured cloning](https://html.spec.whatwg.org/multipage/structured-data.html). By enabling the `structuredClone` option, you can include references to other objects or cyclic references, and object identity will be preserved. Structured cloning also enables preserving certain typed objects like `Error`, `Set`, `RegExp` and TypedArray instances. For example:
 ```js
diff --git a/package.json b/package.json
index c0337e9..0738590 100644
--- a/package.json
+++ b/package.json
@@ -75,14 +75,15 @@
 "msgpackr-extract": "^2.1.2"
 },
 "devDependencies": {
- "@rollup/plugin-json": "^4.1.0",
+ "@rollup/plugin-json": "^5.0.1",
+ "@rollup/plugin-replace": "^5.0.1",
 "@types/node": "latest",
 "async": "^3",
 "chai": "^4.3.4",
 "cpy-cli": "^4.1.0",
 "esm": "^3.2.25",
 "mocha": "^8.1.3",
- "rollup": "^1.20.3",
+ "rollup": "^3.2.5",
 "rollup-plugin-babel-minify": "^9.0.0"
 }
 }
diff --git a/rollup.config.js b/rollup.config.js
index bdc1b8f..910bc05 100644
--- a/rollup.config.js
+++ b/rollup.config.js
@@ -1,5 +1,6 @@
 import minify from "rollup-plugin-babel-minify";
-import json from "@rollup/plugin-json";
+import json from "@rollup/plugin-json";
+import replace from "@rollup/plugin-replace";
 
 export default [
 {
@@ -20,11 +21,24 @@ export default [
 name: "msgpackr",
 sourcemap: true
 }
- },
+ },
+ {
+ input: "index.js",
+ plugins: [
+ replace({ Function: 'BlockedFunction '})
+ ],
+ output: {
+ file: "dist/index-no-eval.js",
+ format: "umd",
+ name: "msgpackr",
+ sourcemap: true
+ },
+ },
 {
 input: "index.js",
- plugins: [minify({
- })],
+ plugins: [
+ minify({})
+ ],
 output: {
 file: "dist/index.min.js",
 format: "umd",
@@ -32,6 +46,19 @@ export default [
 sourcemap: true
 }
 },
+ {
+ input: "index.js",
+ plugins: [
+ replace({ Function: 'BlockedFunction '}),
+ minify({})
+ ],
+ output: {
+ file: "dist/index-no-eval.min.js",
+ format: "umd",
+ name: "msgpackr",
+ sourcemap: true
+ }
+ },
 {
 input: "tests/test.js",
 plugins: [json()],
diff --git a/unpack.js b/unpack.js
index e55320d..3b131a4 100644
--- a/unpack.js
+++ b/unpack.js
@@ -28,6 +28,8 @@ C1.name = 'MessagePack 0xC1'
 var sequentialMode = false
 var inlineObjectReadThreshold = 2
 var readStruct, onLoadedStructures, onSaveState
+var BlockedFunction // we use search and replace to change the next call to BlockedFunction to avoid CSP issues for
+// no-eval build
 try {
 new Function('')
 } catch(error) {
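Review bot: The CSP-safe bundle added in the `dist/index-no-eval.js` entry rests entirely on `replace({ Function: 'BlockedFunction '})` textually rewriting every `Function` token, and nothing in this diff verifies that the emitted file is actually free of dynamic code evaluation; the same applies to the `dist/index-no-eval.min.js` entry in the following hunk. The replacement value carries a stray trailing space and the plugin is left on its default assignment handling, so both entries would read better as `replace({ values: { Function: 'BlockedFunction' }, preventAssignment: true })`. The rewrite is not scoped to the feature probe in unpack.js: any other `Function` reference in the bundled modules (not visible here) would also become a reference to the undefined `BlockedFunction`, and `eval` is not touched at all. A post-build test that loads the no-eval bundle under a policy without `unsafe-eval`, or at least scans the output for a remaining `eval(` or un-prefixed `new Function(`, would make the CSP claim in the README checkable.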
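Review bot: The comment on `var BlockedFunction` does not say that the variable is left unassigned on purpose, which is the whole mechanism: in the no-eval build the probe `new Function('')` is rewritten to `new BlockedFunction('')`, throws because the binding is undefined, and falls into the `catch`. I would move the explanation onto its own line above the declaration, e.g. `// no-eval build: rollup rewrites Function -> BlockedFunction, which stays undefined so the probe below throws`, instead of splitting one sentence across a trailing comment and a second comment line. The `try`/`catch` continues outside this hunk, so whether the `catch` branch disables every later code-generation path cannot be confirmed from here; that is worth checking, because each of those calls is rewritten as well and would throw a TypeError if reached.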