
Use of eval in "node_modules/lottie-web/build/player/lottie.js" is strongly discouraged as it poses security risks and may cause issues with minification.

Open Abdel-Monaam-Aouini opened this issue 2 years ago • 75 comments

Abdel-Monaam-Aouini avatar Jan 30 '23 09:01 Abdel-Monaam-Aouini

This was flagged up in my Svelte build V3.

If this is not going to change, would be good to have an explanation as to why this is not considered a security risk.

wardourdigital avatar Feb 23 '23 14:02 wardourdigital

I am also getting this same in my Vite/Vue 3 build. Would love an explanation or a fix.

benjaminprojas avatar Apr 13 '23 18:04 benjaminprojas

I am also having this issue in a Vite/React build that is deploying to Netlify. Any help would be appreciated!

br-schneider avatar Apr 17 '23 18:04 br-schneider

Getting the same issue on vite build, when trying to run on Amplify -> Use of eval in "node_modules/lottie-web/build/player/lottie.js" is strongly discouraged as it poses security risks and may cause issues with minification.

nik-1236789 avatar Apr 27 '23 06:04 nik-1236789

Hello everyone, Same issue.

ivkoandrv avatar Apr 27 '23 07:04 ivkoandrv

Hello everyone, Same issue with highlight.js/lib/languages/wren.js

kvengerov avatar May 05 '23 13:05 kvengerov

Same issue with React/Vite4 build on local machine.

hassanmehdi98 avatar May 16 '23 10:05 hassanmehdi98

Abdel-Monaam-Aouini avatar May 16 '23 12:05 Abdel-Monaam-Aouini

I'm using the solution found here: https://github.com/airbnb/lottie-web/issues/289

Replacing import lottie from "lottie-web"; with import lottie from "lottie-web/build/player/lottie_light"; and using renderer: "svg", worked for me.

Edit: no I am not, the SVG renderer is acting weird.

GeorgeSA avatar Jun 15 '23 16:06 GeorgeSA

Hi, I don't know if it is relevant, but I managed to change 'ExpressionManager.js' so you can pass a function instead of passing a function as a string, and run the function instead of eval. Demo: https://stackblitz.com/edit/typescript-xm1gpw?file=lottie.ts

npm package with the change: @sentinel-one/lottie-web-no-eval

pr: https://github.com/airbnb/lottie-web/pull/2998/files#diff-5b04d0c8bca59b39ce8c6631676a283b79119d8e04872b1332d9f0127db51f57

yoni12ab avatar Jun 21 '23 16:06 yoni12ab

Any updates on this?

mat-jaworski avatar Oct 03 '23 00:10 mat-jaworski

I'm also interested in a solution to this.

zachrattner avatar Oct 13 '23 01:10 zachrattner

Fix this please.

aenzenith avatar Oct 13 '23 18:10 aenzenith

any updates??

kuzeofficial avatar Oct 20 '23 21:10 kuzeofficial

I am curious if @bodymovin or anyone else in the Airbnb/Lottie community could help shed some light on what's going on here.

Lottie is a great tool that enables some delightful animations that are difficult for any other tool to match, but it looks like it's suffering from some serious neglect as of late. I'm frankly a bit discouraged by the 40+ open pull requests that have been sitting for months, some of them as simple as fixing a typo.

Are the maintainers interested in fixing this issue and it's just a matter of prioritization? Or have the maintainers moved on and even if a fix were to be available, no one would have the bandwidth to review and merge it?

I'm bringing this up as a B2B app with an obligation to review flagged security issues in my software bill of materials. To have an issue like this open for 10 months with no official word on what's going on is concerning.

I'm happy to help and do my part - I or someone on my team can look into reorganizing the code to not depend on eval, but I don't want to spend the time if it'll just result in one more on the stack of open PRs in this project.

zachrattner avatar Oct 20 '23 22:10 zachrattner

same issue here, any updates?

ericklarsen avatar Nov 20 '23 04:11 ericklarsen

up

fscaringi avatar Nov 28 '23 14:11 fscaringi

Same issue in my sveltekit app "svelte": "^3.54.0", "lottie-svelte": "^1.3.5"

Simo-CE avatar Nov 29 '23 15:11 Simo-CE

Looks like an active issue. bumping in for the updates

dextel2 avatar Dec 01 '23 05:12 dextel2

Same same

cthier-eb avatar Dec 02 '23 22:12 cthier-eb

Same for us - seems like a major security risk regarding 1.7m weekly downloads?!

roger-hermasch avatar Dec 07 '23 09:12 roger-hermasch

Same issue on Vite/React build that I am deploying to Netlify.

danlevison avatar Dec 07 '23 14:12 danlevison

Same:

node_modules/lottie-web/build/player/lottie.js (17010:32) Use of eval in "node_modules/lottie-web/build/player/lottie.js" is strongly discouraged as it poses security risks and may cause issues with minification.

using Quasar/Vue.js/Vite with vue3-lottie which depends on lottie-web version 5.12.2

54mu3l avatar Dec 15 '23 11:12 54mu3l

same issue on vite/vue-ts

amantiwari1 avatar Dec 26 '23 13:12 amantiwari1

Same issue

PainterPuppets avatar Jan 14 '24 02:01 PainterPuppets

Seeing the same issue here with a vite/react build

tawanaj avatar Jan 16 '24 17:01 tawanaj

Replacing the line in /build/player/lottie.js fixes it:

var expression_function = eval('[function _expression_function(){' + val + ';scoped_bm_rt=$bm_rt}]')[0]; with

var expression_function = (new Function('scoped_bm_rt', val + ';return $bm_rt;'))();

mchughbri avatar Jan 18 '24 12:01 mchughbri

Apparently the supported way to work around this is by importing directly from a Lottie-light file:

Replacing import lottie from "lottie-web"; with import lottie from "lottie-web/build/player/lottie_light"; and using renderer: "svg", worked for me.

jorisw avatar Feb 13 '24 15:02 jorisw
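An added, defender-side example (not code from lottie-web or from anyone in this thread): the eval flagged in this issue is lottie-web's ExpressionManager evaluating the expression strings stored inside the animation JSON, so whether a project can take the lottie_light workaround above, which ships without expression support, depends on whether its own animation files contain expressions at all. The script below walks a Lottie JSON document and reports every expression slot; it assumes that a string-valued "x" key on a property object is the expression field, as in bodymovin's export format, and the sample animation is constructed for the example.

```javascript
// Added example, not lottie-web code. Walk a Lottie/bodymovin JSON tree and
// collect every property that carries an expression string. The full lottie.js
// build feeds such strings to eval() in its ExpressionManager, so an animation
// file with expressions is effectively executable code in that player.
// Assumption: a string-valued "x" key on a property object is the expression slot
// (non-string "x" keys, e.g. mask expansion, are ordinary properties and recursed).
function findExpressions(node, path = "$", found = []) {
  if (Array.isArray(node)) {
    node.forEach((item, i) => findExpressions(item, `${path}[${i}]`, found));
  } else if (node && typeof node === "object") {
    if (typeof node.x === "string" && node.x.length > 0) {
      found.push({ path: `${path}.x`, snippet: node.x.slice(0, 60) });
    }
    for (const [key, value] of Object.entries(node)) {
      findExpressions(value, `${path}.${key}`, found); // strings are leaves
    }
  }
  return found;
}

// Decide which player build an animation can use: lottie_light has no
// ExpressionManager, so expression-free files lose nothing by switching to it,
// while files that do carry expressions need the full build and should be
// reviewed like any other code before they are loaded.
function recommendPlayer(animationJson) {
  const hits = findExpressions(JSON.parse(animationJson));
  return {
    expressions: hits,
    player: hits.length === 0
      ? "lottie-web/build/player/lottie_light"
      : "lottie-web (full build, evaluates expressions)",
  };
}

// Constructed sample: one layer with a plain keyframed position and one whose
// rotation property carries an After Effects style expression string.
const SAMPLE = JSON.stringify({
  v: "5.7.4", fr: 30, ip: 0, op: 60, w: 100, h: 100, nm: "sample", layers: [
    { ty: 4, nm: "plain", ks: { p: { a: 0, k: [50, 50] }, r: { a: 0, k: 0 } }, shapes: [] },
    { ty: 4, nm: "scripted", ks: { p: { a: 0, k: [50, 50] },
      r: { a: 0, k: 0, x: "var $bm_rt; $bm_rt = time * 360;" } }, shapes: [] },
  ],
});

console.log(JSON.stringify(recommendPlayer(SAMPLE), null, 2));
```

Run it over each animation your bundle ships; files that report no expressions can move to lottie_light, which is the workaround described in this thread.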

Same issue on vite build

SabiQG avatar Mar 11 '24 16:03 SabiQG

Hasn't it been resolved yet?

Sunny264 avatar Mar 26 '24 07:03 Sunny264