
Rollup warns that HTMX calls eval() which is unsafe

Open mattes3 opened this issue 1 year ago • 3 comments

Hey, thanks for making this fantastic library.

Just one thing: When I use Rollup to bundle HTMX, it gives me the following error message:

Use of eval in "../../../node_modules/htmx.org/dist/htmx.min.js" is 
strongly discouraged as it poses security risks and may cause
issues with minification.

Can eval() somehow be removed?

mattes3 avatar Jan 29 '24 16:01 mattes3

Hey, it depends on the context when X becomes dangerous.

A recent issue addressed it.

andryyy avatar Jan 29 '24 17:01 andryyy

What if the script compiles a safe version of htmx where all eval instructions are simply commented out?

Then, if you are using allowEval false, you could import the safe version without warnings, knowing that no code could be executed by mistake with this library.

But maybe it is a very naive suggestion from not understanding the internals of htmx.

davidjr82 avatar Feb 20 '24 05:02 davidjr82

I think this could be a nice way to offer a solution for comments like this one: https://github.com/bigskysoftware/htmx/discussions/2112#discussioncomment-8193764

With which I somehow agree.

davidjr82 avatar Feb 20 '24 05:02 davidjr82
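
An added example, not part of the thread and not code from htmx or Rollup: one way to handle the warning quoted in the issue is to scope it in Rollup's `onwarn` hook so that only the htmx bundle is exempt and `eval` in any other dependency fails the build, paired with the `allowEval` setting mentioned above. It assumes Rollup's warning objects carry `code: 'EVAL'` and the module path in `id`; the allowlist and the helper names are hypothetical.

```javascript
// Added example (not htmx or Rollup project code).
// Assumption: Rollup passes warnings shaped like { code: 'EVAL', id: '<module path>' }.
// Pair this with the runtime setting discussed in the thread, e.g.
//   htmx.config.allowEval = false;
// so the eval call sites that remain in the bundle are never used.

// Path fragments of modules whose eval() use has been reviewed (project's choice).
const EVAL_ALLOWLIST = ['/node_modules/htmx.org/'];

// Normalise Windows separators so one allowlist works on every platform.
function normalise(id) {
  return String(id || '').replace(/\\/g, '/');
}

// Decide what to do with one warning: 'suppress', 'fail' or 'pass'.
function classifyWarning(warning, allowlist = EVAL_ALLOWLIST) {
  if (!warning || warning.code !== 'EVAL') return 'pass';
  const id = normalise(warning.id);
  // An EVAL warning without a matching, reviewed module is treated as a failure.
  return allowlist.some((frag) => id.includes(frag)) ? 'suppress' : 'fail';
}

// Build a handler for rollup.config.js:  onwarn: makeOnwarn()
function makeOnwarn(allowlist = EVAL_ALLOWLIST) {
  return function onwarn(warning, defaultHandler) {
    const verdict = classifyWarning(warning, allowlist);
    if (verdict === 'suppress') return; // reviewed module: stay quiet
    if (verdict === 'fail') {
      // New eval() somewhere else in the dependency tree: stop the build.
      throw new Error(`eval() in non-allowlisted module: ${normalise(warning.id)}`);
    }
    defaultHandler(warning); // every other warning keeps Rollup's default output
  };
}
```

The trailing slash in the allowlist entry matters: it keeps a look-alike package directory such as `htmx.org.something` from inheriting the exemption.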