Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Rollup.js complains about the use of eval in one of keycloak.js's dependencies

See original GitHub issue

Describe the bug

When performing a build with Rollup of a project containing keycloak-js, you get the following message: Use of eval is strongly discouraged, as it poses security risks and may cause issues with minification.

eval is used in the library js-sha256 which is a dependency of keycloak.js. There are numerous issues that have been opened about this, some open (like this), some closed without resolution. There have been no updates to the package since 2017.

Is there an alternative that keycloak-js can use instead?

Version

17.0.0

Expected behavior

Rollup can do a build without an eval warning.

Actual behavior

No response

How to Reproduce?

I actually use Vite, which uses Rollup.js under the hood for production builds. So either you can install Rollup, import keycloak-js and build, or in a Vite project import keycloak-js and run npm run build.

Anything else?

No response

Issue Analytics

State:
Created 2 years ago
Reactions:5
Comments:6 (3 by maintainers)

Top GitHub Comments

1reaction

jonkoopscommented, Oct 27, 2022

You can use another client compatible with OpenID Connect, I’ve head people having success with oidc-client-ts. Keycloak JS is overdue for a good re-write, but we currently have more important things to work on so it’s been on the back-burner.

0reactions

schmidtkcommented, Oct 27, 2022

@juhoha Have you had success with your workaround in a production build? In a production build I’m getting an actual error:

ReferenceError: require is not defined in ES module scope, you can use import instead
This file is being treated as an ES module because it has a '.js' file extension and '/usr/src/app/package.json' contains "type": "module". To treat it as a CommonJS script, rename it to use the '.cjs' file extension.
    at eval (eval at nodeWrap (file:///usr/src/app/server/chunks/index4-520a3e48.js:243:19), <anonymous>:1:1)
    at nodeWrap (file:///usr/src/app/server/chunks/index4-520a3e48.js:243:19)
    ...

I can work around this by either ensuring the package isn’t included in server code, or by replacing js-sha256 entirely and using npm workspaces to make sure my local version of it is linked during npm install.

Both of these are ugly, and I think an ideal solution would be replacing this package in keycloak-js given it’s no longer supported and native replacements are present. I understand this is a breaking API change, but long term would be for the best.

Top Results From Across the Web

Rollupjs build complains about the use of eval in this library. #18

Rollup.js complains about the use of eval in one of keycloak.js's ... Using js-sha256 as a dependency causes eval warnings when using rollup ......

webpack imported module is not a constructor - Stack Overflow

The first example without curly braces is called the "default export" where the entire exported library is available through the Foo variable ( ......

rollup使用过程中遇到的各种问题 - BALABALA

That's more efficient, but it means that the shared scope is 'polluted' whenever you use eval , whereas with a different bundler, modules...

Untitled

README 389-ds-base-git.sh 389-ds-base.spec jemalloc-5.2.1.tar.bz2 0001-Issue-4884-server-crashes-when-dnaInterval-attribute.patch ...

vocab.txt - Hugging Face

＋，－／ 1 2 3 4 ：；＜＝＞？＾＿｀ a b c d e g...