cbor-x

Add an option to disable the compiled reader

Open huw opened this issue 3 years ago • 3 comments

Hey there, I’ve been using cbor-x in Cloudflare Workers quite successfully for a while now, but ran into a niche error when trying to do some bulk work:

EvalError: Code generation from strings disallowed for this context
    at new Function (<anonymous>)

The Workers runtime spits this out because it disables the use of eval() and new Function(source) to avoid security issues.

I’ve patched the package locally (just removing the whole if (this.slowReads++ >= 3) block here), but it would be nice to have an option in the package that disables that code path (I also noticed another potential user was concerned about the security of it while researching this issue). I’m more than happy to eat the reduced performance.

huw, Mar 01 '23 06:03

@huw That actually already exists, it's available in cbor-x/dist/index-no-eval.cjs (and decode-only variant as well).

I suppose you might run into problems importing, I should probably add those to the exports of the cbor-x package as well.

kriszyp, Mar 04 '23 17:03

Ah--that's embarrassing! I should've read through the docs a bit more thoroughly.

Thanks for adding the variants though, that should make things a bit easier :) (no compilation issues on my side though)

huw, Mar 05 '23 00:03

Hi, sorry to revive this but I had trouble using cbor-x in Cloudflare Workers, as well, and stumbled upon this issue. After importing cbor-x/dist/index-no-eval all that really came from that is that I would get a:

(error) ReferenceError: BlockedFunction is not defined

I'm not really sure what I'm doing wrong here. Additionally, the no-eval variants seem to not work at all with TypeScript.

@huw's workaround worked fine for me. However, I'd rather not be in the habit of modifying node_modules if I can help it.

Aenigma, May 08 '23 01:05
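The following is an added example, not part of the thread and not cbor-x's code: a sketch of the kind of opt-out requested in the issue, where a reader compiles itself with `new Function` after a few slow reads but stays on the interpreted path when the option is off or the runtime refuses code generation from strings. The names `createStructureReader`, `useCompiledReader`, `FunctionCtor` and `canGenerateCode` are hypothetical; only the `slowReads++ >= 3` threshold comes from the issue text.

```javascript
// Added example; not cbor-x source. All identifiers here are hypothetical.
const SLOW_READ_THRESHOLD = 3; // mirrors the `slowReads++ >= 3` check quoted in the issue

// Probe the runtime: Cloudflare Workers, or a page whose CSP lacks
// 'unsafe-eval', throws EvalError from `new Function`.
function canGenerateCode(FunctionCtor = Function) {
  try {
    new FunctionCtor('');
    return true;
  } catch (err) {
    return false;
  }
}

// Build a reader for a fixed key list. `read` returns the next decoded value.
function createStructureReader(keys, options = {}) {
  const FunctionCtor = options.FunctionCtor || Function; // injectable for tests
  const allowCompile =
    options.useCompiledReader !== false && canGenerateCode(FunctionCtor);
  let slowReads = 0;
  let compiled = null;

  function interpretedRead(read) {
    const obj = {};
    for (const key of keys) obj[key] = read();
    return obj;
  }

  function reader(read) {
    if (compiled) return compiled(read);
    if (allowCompile && slowReads++ >= SLOW_READ_THRESHOLD) {
      // JSON.stringify escapes every key, so a key taken from untrusted
      // input cannot break out of the generated source text.
      const body = 'return {' +
        keys.map((k) => JSON.stringify(k) + ': read()').join(', ') + '}';
      compiled = new FunctionCtor('read', body);
      return compiled(read);
    }
    return interpretedRead(read);
  }
  reader.isCompiled = () => compiled !== null;
  return reader;
}
```

Probing once at construction keeps the `EvalError` off the decode path, so a restricted runtime only loses the speed-up.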