Transform which ran with v1 not working with v3 #48
Comments
i'll have a look at this tomorrow. the big change in v3 was that unknown uses of a module are now kept, instead of removed (risking runtime errors). but v3 also added scope tracking which was a fairly large refactor that may have broken some stuff!
the new static-eval doesn't support function expressions like the
cwise({
  body: () => {}
})
I think because of this patch browserify/static-eval#18
static-module has a special case for function arguments as callbacks:
readFile('xyz', function () {})
but not for object expressions. It might be a bit harder to do the same for those :/ A possible solution may be to have a static-module option or a method like
@goto-bus-stop possibly any update on this?
no, i forgot about it 😄 i'll aim to work on this on Friday. a PR would be welcome as well of course. I think the way to go here is to change the current code to pass in ASTs, which can be exposed as
Many thanks @goto-bus-stop.
@goto-bus-stop My apologies for asking one more time.
The refactor is a bit trickier than I anticipated, and I haven't had the time to make it work yet unfortunately :(
Hi @goto-bus-stop, I was wondering if you could refactor it?
Hey @goto-bus-stop, thanks for working on fixing the issues with cwise and static-module. I have a professional interest in seeing cwise get upgraded past its security issues. Currently at my company, cwise's security issues are a blocker for all of the (way upstream) Jupyterlab Plotly extensions, which all depend on cwise through numerous dependency chains. If you're still interested in working on this fix, I'd be more than glad to pitch in some of my time to help. Is your work so far on the refactor publicly viewable anywhere?
@telamonian I think I tried a few approaches but none of them worked out so I discarded them. For now @archmoj's approach where we just add an option to opt back into the unsafe behaviour is likely best—it's only insecure if you use it on untrusted code anyway…
#56 updates to the static-eval with @archmoj's fix but I'm not sure if it's enough. I tried using that branch in my local cwise clone and passing
@goto-bus-stop thanks for the follow ups. It works. And with cwise transform option there is no unused parser in the bundle.
@goto-bus-stop update: you are right. There is still that parser problem.
hm, static-eval might be bailing out somewhere else as well then :/
Please note that the static-module/static-eval bump issue was addressed in plotly.js v1.54.4 by not using
Hooray!
Hi! cwise has had some long-running issues/PRs to upgrade its usage of static-module and get rid of some security warnings, but it seems that the particular usage of static-module is no longer functioning under static-module 3.*.
The cwise transform finds references to
var cwise = require('cwise'); cwise({...})
and replaces them with evaluated code.
I'm guessing a bit, but it seems like maybe the usage as a bare function require as opposed to properties on the require (i.e.
require('cwise')(...)
as opposed to
require('fs').readFileSync(...)
) are not working.
FWIW, the transform has not changed and so does still function and get triggered correctly.
I've detailed a test case here.
Glad to debug a bit further, but I thought I'd check to see if this might just need a small API usage update instead of involved debugging. Thanks!
/cc @archmoj @etpinard