Cannot be used in a browser with a CSP set that does not include the unsafe-eval permission #48

Closed
snoozbuster opened this issue Jun 6, 2023 · 8 comments

@snoozbuster

The usage of eval in Parser.ts prevents the library from being used in any browser-based application that disallows eval for security reasons. The error thrown is a generic "Cannot parse (valid grammar)" error, which may be the origin of the issue in #43.

@menduz
Member

menduz commented Jun 6, 2023

Can you pinpoint the file including eval? From what I recall, this lib should not include it anywhere.

@snoozbuster
Author

I included a link to the offending line in my OP. Parser.ts, line 276. There is a tslint-ignore comment directly above it to allow the use of it. It seems to be used exclusively to turn a JSON string into a JS string - for which JSON.parse would also work.

@menduz
Member

menduz commented Jun 7, 2023

If that's the case, it should certainly work. Will try from the GitHub UI hoping the CI is still working.

I didn't see the link from mobile, my bad.

@menduz
Member

menduz commented Jun 8, 2023

Update: It seems like eval is used to handle both "'" and '"' which are valid W3C-like eBNF. Thankfully the CI is responding.

Do you have a fn that does that at hand? I'm juggling with various open fronts at the moment.
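
One eval-free way to decode a literal in either quote style, as an added example that is not code from this thread or from the ebnf project. The name `unquoteLiteral`, its escape table, and the assumption that literals use JavaScript-style backslash escapes (what `eval` would have accepted) are all hypothetical.

```javascript
// Added example: decode a quoted grammar literal without eval() or new Function(),
// so it runs under a CSP that omits 'unsafe-eval'.
// Assumption: literals use JavaScript-style backslash escapes.
const SIMPLE_ESCAPES = { n: "\n", r: "\r", t: "\t", b: "\b", f: "\f", v: "\v", 0: "\0" };

function unquoteLiteral(src) {
  const quote = src[0];
  const end = src.length - 1; // index of the closing quote
  if (src.length < 2 || (quote !== '"' && quote !== "'") || src[end] !== quote) {
    throw new SyntaxError("not a quoted literal: " + src);
  }
  let out = "";
  for (let i = 1; i < end; i++) {
    const ch = src[i];
    // JSON.parse alone cannot handle '...' literals, so both styles are walked by hand.
    if (ch === quote) throw new SyntaxError("unescaped quote at offset " + i);
    if (ch !== "\\") { out += ch; continue; }
    const esc = src[++i];
    // A backslash directly before the closing quote leaves the literal unterminated.
    if (i >= end) throw new SyntaxError("dangling backslash");
    if (esc === "x" || esc === "u") {
      const width = esc === "x" ? 2 : 4;
      const hex = src.slice(i + 1, i + 1 + width);
      if (i + width >= end || hex.length !== width || !/^[0-9a-fA-F]+$/.test(hex)) {
        throw new SyntaxError("bad \\" + esc + " escape at offset " + i);
      }
      out += String.fromCharCode(parseInt(hex, 16));
      i += width;
    } else if (Object.prototype.hasOwnProperty.call(SIMPLE_ESCAPES, esc)) {
      out += SIMPLE_ESCAPES[esc];
    } else {
      out += esc; // \\, \', \" and any other escaped character stand for themselves
    }
  }
  return out;
}
```

Unlike `eval`, the input is only ever treated as data, so a malformed literal raises a `SyntaxError` instead of being executed.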

@menduz
Member

menduz commented Jun 8, 2023

Would you test if ebnf@1.9.1-20230608193331.commit-82e9a84 solves the issue?

@snoozbuster
Author

I can't really... I was consuming this package as a part of json-schema-library, which itself uses this package as part of json-query. But if the eval is gone that will definitely solve the underlying problem.

@menduz
Member

menduz commented Jun 8, 2023

Ok, will publish a patch. Tests are passing and are extensive.

@snoozbuster
Author

Thanks! I'll see if I can get the downstream library I was trying to use to pick up the update.
