
Issue: Use of `eval` in lottie.js

Open adeoyewole028 opened this issue 10 months ago • 6 comments

Hello, I noticed that `eval` is used in the lottie-web library (specifically in `node_modules/lottie-web/build/player/lottie.js`). This is flagged as a security risk and can cause issues with minification. Are there any plans to replace `eval` with a safer alternative?

Thanks!

adeoyewole028, Mar 12 '25 15:03

Hello @adeoyewole028, you could switch to the dotlottie player; it doesn't use eval and can render .lottie / .json / .lot files :)

samuelOsborne, Mar 12 '25 17:03

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs.

github-actions[bot], May 12 '25 02:05

@samuelOsborne that package has a massive payload increase.

cgatian, Jun 12 '25 18:06

> Hello @adeoyewole028, you could switch to the dotlottie player; it doesn't use eval and can render .lottie / .json / .lot files :)

I also used dotlottie-web and am getting: `wasm streaming compile failed: CompileError: WebAssembly.instantiateStreaming(): Refused to compile or instantiate WebAssembly module because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'nonce-NONCE_PLACEHOLDER'`

ashishyash, Jun 19 '25 14:06
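
Added example, not part of any comment in this thread and not code from lottie-web or dotlottie-web: CSP gates JavaScript `eval()` and WebAssembly compilation with separate keywords (`'unsafe-eval'` allows both, `'wasm-unsafe-eval'` allows only WebAssembly), and this sketch reports what a given policy permits. The function names and sample policies are assumptions constructed for illustration; only the first sample reuses the sources visible in the error message above.

```javascript
// Added example: report whether a CSP permits eval() and WebAssembly compilation.
// Parse one serialized policy into a Map of directive name -> source expressions.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A directive that appears twice is ignored; the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// A header value may carry several comma-separated policies; all must allow an action.
function evalPermissions(headerValue) {
  let jsEval = true;
  let wasmCompile = true;
  for (const policy of headerValue.split(',')) {
    const d = parsePolicy(policy);
    // script-src falls back to default-src; a policy with neither restricts nothing.
    const sources = d.get('script-src') ?? d.get('default-src');
    if (sources === undefined) continue;
    const keywords = new Set(sources.map((s) => s.toLowerCase()));
    const allowsEval = keywords.has("'unsafe-eval'");
    jsEval = jsEval && allowsEval;
    // 'wasm-unsafe-eval' permits WebAssembly compilation without permitting eval().
    wasmCompile = wasmCompile && (allowsEval || keywords.has("'wasm-unsafe-eval'"));
  }
  return { jsEval, wasmCompile };
}

// Constructed sample policies; the first uses only the sources visible in the error above.
const samples = {
  strict: "script-src 'self' 'nonce-NONCE_PLACEHOLDER'",
  wasmOnly: "script-src 'self' 'nonce-NONCE_PLACEHOLDER' 'wasm-unsafe-eval'",
  evalAllowed: "default-src 'self' 'unsafe-eval'",
  twoPolicies: "script-src 'self' 'unsafe-eval', script-src 'self' 'wasm-unsafe-eval'",
};

for (const [label, policy] of Object.entries(samples)) {
  console.log(label, evalPermissions(policy));
}
```
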

Having the same issue

GuillaumeMunsch, Aug 12 '25 15:08

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs.

github-actions[bot], Oct 12 '25 02:10