@untra/dontinquire v0.1.0 (published 9 months ago)

License: MIT. Repository: github. Last release: 9 months ago.

dontinquire

an override replacement for @protobufjs/inquire

This is a project inspired by dry-uninstall. It helps you avoid an unnecessary use of eval in @protobufjs/inquire, a utility library bundled with the popular protobuf.js JavaScript library.

Why?

protobuf.js is a handy library for generating JavaScript and TypeScript serialization classes from protobuf files. Yay! It promises a minimal implementation that doesn't use eval for its reflection capabilities. Yay! But it bundles an additional library, inquire, to optionally probe for advanced JavaScript capabilities such as long support. Boo! And that probing is done by a library that uses eval, wrapped in a scheme to evade bundlers. Boo!

There have been many filed issues about this, none answered.

So here's the workaround: don't inquire.

Usage

add this overrides section to your package.json:

{
  "overrides": {
    "@protobufjs/inquire": "npm:@untra/dontinquire@0.1.0"
  }
}

This replaces the eval-using optional library with a stub that simply returns null. Make sure the override has actually taken effect and that package-lock.json has been updated to match.

How it works

The overrides section of package.json tells npm to resolve @protobufjs/inquire to this package everywhere it appears in the dependency tree, including as a transitive dependency, so the eval-based module is never installed.

Versions

0.1.0 (9 months ago)
0.0.1 (9 months ago)