Using `eval` triggers security warning in the terminal

[dodanex]

Getting this warning in the terminal:

WARN  node_modules/@protobufjs/inquire/index.js (12:18): Use of eval in "node_modules/@protobufjs/inquire/index.js" is strongly discouraged as it poses security risks and may cause issues with minification.

Can the eval function be avoided?

[efer-ms]

The eval() statement is no longer in the github source tree, but we need a new public of @protobufjs/inquire, which hasn't been published in at least 5 years.

@mkruskal-google , not sure you can do this, or if someone else is more apropos.

Can you or some other owner bump the version for that package and publish a new version? All the references seem to be to ^1.1.0, so just publishing a new build as 1.1.1 should allow people to avoid eval() with resorting to local package "overrides" to replace the functionality.

Thanks!

[dynst]

Yep, it got removed in #1941 in December but there hasn't been a new release cut. https://www.npmjs.com/package/@protobufjs/inquire

[xrendan]

This prevents using firebase in cloudflare workers with opennextjs. A new cut would be lovely.

[efer-ms]

FYI... I have published a version of the package under a different name, so you can override the package in the root package.json of your project.

With something like this:

"overrides": {
    "protobufjs": {
      "@protobufjs/inquire": "npm:efer-ms_protobufjs_inquire_no_eval@1.1.2"
    }
}

The package is identical to the inquire packge here, other than changes to the package.json to have a different name and version, etc.

You could also override by pointing to the github repo: https://github.com/efer-ms/protobufjs_inquire where I made it the root package.

This can work until we get a proper package published here.

[mjones-vsat]

This would be very helpful.