
noUse of eval is strongly discouraged

Open wilberforce opened this issue 3 years ago • 3 comments

Thanks for a great package!

On build I get noUse of eval is strongly discouraged, as it poses security risks and may cause issues with minification

https://github.com/ghalex/vue3-charts/blob/dc07846bbcc4b1d293dbd1bec42af240f2187e89/src/models/Scale.ts#L96-L103

Can't this be re-written without eval?

wilberforce avatar Apr 23 '22 22:04 wilberforce

Hi @wilberforce,

The idea of eval here is to allow the ability to write dynamic domain like:

['dataMin * 2', 'dataMax * 4 + 100']

I don't see how this can be done without eval but if you have any ideas they are welcome.

Thanks, Alexandru

ghalex avatar Apr 26 '22 07:04 ghalex

Hi, untested - however this will do it I think!

const [dataMin, dataMax] = extent(Array.from(new Set(values.concat([valueMin || 0, valueMax || 0]))))
  function yMin() { return `${domain[0]}` }
  function yMax () { return `${domain[1]}` }
  return [yMin(), yMax()]

wilberforce avatar Apr 26 '22 21:04 wilberforce

Hi Alexandru (@ghalex),

how about allowing functions (DataExtent) => AxisRange directly instead of string for evaluation?

i.e. replacing this ['dataMin * 2', 'dataMax * 4 + 100'] with this ([dataMin, dataMax]) => [dataMin*2, dataMax*4 + 100]

If the user supplies [constant, constant] instead of functions, it will work as before.

The complete working proposal is here: https://github.com/psykora/vue3-charts/commit/880cbcf3e9bdadabf5c087fc40e317aa35e05fc9

It is a breaking change though.

Thanks, Peter.

psykora avatar Jan 02 '23 17:01 psykora
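
Added example, not code from vue3-charts or from any commenter in this thread: one way to keep string domains such as ['dataMin * 2', 'dataMax * 4 + 100'] working without eval is a small arithmetic parser that accepts only numbers, + - * /, parentheses and the names dataMin and dataMax. The function names evalDomainExpr and resolveDomain are hypothetical.

```typescript
// Added example, not vue3-charts code. evalDomainExpr/resolveDomain are hypothetical names.
type Vars = Record<string, number>;
type Bound = number | string;

// Evaluates numbers, + - * /, parentheses and names found in `vars`; nothing else.
function evalDomainExpr(src: string, vars: Vars): number {
  // Any character that is not part of a number or name becomes its own token.
  const tokens: string[] = src.match(/\d+(?:\.\d+)?|[A-Za-z_]\w*|\S/g) || [];
  let i = 0;

  function primary(): number {
    const t = tokens[i++];
    if (t === undefined) throw new SyntaxError("unexpected end of expression");
    if (t === "(") {
      const v = binary(0);
      if (tokens[i++] !== ")") throw new SyntaxError("expected ')'");
      return v;
    }
    if (t === "-") return -primary();
    if (/^\d/.test(t)) return parseFloat(t);
    // Own-property check so names like "constructor" never resolve via the prototype.
    if (Object.prototype.hasOwnProperty.call(vars, t)) return vars[t] as number;
    throw new SyntaxError(`unexpected token '${t}'`);
  }

  // Precedence climbing: level 0 handles + and -, level 1 handles * and /.
  function binary(level: number): number {
    if (level === 2) return primary();
    const ops = level === 0 ? "+-" : "*/";
    let v = binary(level + 1);
    for (let op = tokens[i]; op !== undefined && ops.indexOf(op) >= 0; op = tokens[i]) {
      i++;
      const r = binary(level + 1);
      v = op === "+" ? v + r : op === "-" ? v - r : op === "*" ? v * r : v / r;
    }
    return v;
  }

  const result = binary(0);
  if (i < tokens.length) throw new SyntaxError(`unexpected token '${tokens[i]}'`);
  return result;
}

// Numeric bounds pass through; string bounds are parsed, never executed.
function resolveDomain(domain: [Bound, Bound], dataMin: number, dataMax: number): [number, number] {
  const vars: Vars = { dataMin, dataMax };
  const one = (b: Bound): number => (typeof b === "number" ? b : evalDomainExpr(b, vars));
  return [one(domain[0]), one(domain[1])];
}
```

Unlike the function-based proposal, this keeps existing string domains working, and any input outside the grammar raises a SyntaxError instead of running.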