CSP violation if 'unsafe-eval' not allowed

[dndrsn]

Expected Behavior

JavaScript eval not to be required.

Actual Behavior

CSP violation error if CSP is not set to allow unsafe-eval. This issue was introduced in version 10.9.0. Version 10.8.10 works as expected without any issue.

Possible Solution

Remove/refactor change introduced in version 10.9.0 which uses eval.

Steps to Reproduce

Create webpage with any CSP that does not allow unsafe-eval. Load page in browser.

This same issue occurred previously -- #1881

[bmerigan]

Yep, we are rolling back the version we use due to this.

[josephm0017]

We're also facing the same issue and it's severely impacting us.

• Are there any updates?
• Will it be resolved soon?

Can you please advise.

[bmerigan]

Tagging @veu to ensure developers are aware of this, not to be pushy but because there's no indication that this is known.
We're locked at 10.8.10 until this is resolved.

[axe312ger]

Our restructuring of the project and bundling will fix this. It will remove the eval which triggers the warning. An alpha version to test is coming soon!

Follow progress of the (massive) PR here: #2169

[mgoudy91]

If interested, we have an alpha release available as we prep for a full release.

https://www.npmjs.com/package/contentful/v/11.0.0-next.1 if you're interested in checking it out

[attalbialami]

@mgoudy91 Do you have any idea about the full release date ?

[tplante]

@mgoudy91 any news on v11 full release date? We're between a rock and a hard place because v10.8 uses an insecure version of axios, and 10.9+ carries this CSP issue.

[mgoudy91]

Hey @attalbialami and @tplante appreciate your patience and sorry for the delay. We're working on getting the full release out this week, I'll keep you updated in this channel when that's available

[mgoudy91]

Quick update, we're investigating an issue and will likely not have the update out this week, and think early next might be more accurate. This remains a high priority for us and will continue to update here.

[tplante]

@mgoudy91 what is the latest with the release?

[mgoudy91]

Hey @tplante, sorry the issue I mentioned ended up taking even more investigation than expected.

That being said, you should be able to grab https://www.npmjs.com/package/contentful/v/11.0.2 now!

I know this was a priority for you all so wanted to get it in your hands now as we get the docs and other artifacts up. Please let me/us know what issues you run into!

[tplante]

@mgoudy91 thank you so much! Saved the day.

[tplante]

@mgoudy91 actually I seem to have an issue with the new version, my jest runner says the package is using invalid js.

/node_modules/contentful/dist/esm/index.js:1
    ({"Object.<anonymous>":function(module,exports,require,__dirname,__filename,jest){export { createClient } from './contentful.js';
                                                                                      ^^^^^^

    SyntaxError: Unexpected token 'export'

Looks like the old package pointed to /dist/contentful.node.min.js, and the new one points to /dist/esm/index.js, which includes ecmascript. Any quick fix I can apply here?

[mgoudy91]

Shoot, sorry @tplante I'll take a look now

[mgoudy91]

@tplante in terms of 'quick' fixes, I think adding babel to your jest workflow is probably going to be the fastest, not sure how viable that is for your toolchain though.

In the interest of getting you a more holistic fix, are you able to provide more information about what your jest runner is doing, in terms of configuration or jest command you're running?

[tplante]

@mgoudy91 this issue has been down-prioritized by our team, thankfully I am no longer in a big hurry to fix this, but do need to eventually. We're using esbuild-jest as our transformer (same error occurs with the default babel-jest), like so:

// jest.config.ts
transform: {
  '^.+\\.(js|jsx|ts|tsx)$': 'esbuild-jest'
}

We have a contentful provider that isn't actually used in our test suite, but it is imported in a file that is parsed by the jest runner, so the error gets caught. Simply:

import { createClient } from 'contentful'

I can try to ignore this file in the runner, but seems odd I would have to do that as it's not necessary for any of our other dependencies (there are many). Seems there should be a common js export available in the package distribution.