Comments (3)
As far as I know, you are the first person to use this in a non-Node.js environment.
I'm not sure about v8js, but I think it should work if you use an older version like v2.x or v3.0.0.
from serialize-javascript.
If I remain on v3.0.0, then the Snyk audit does not pass.
Issues to fix by upgrading: Upgrade [email protected] to [email protected] to fix ✗ Arbitrary Code Injection (new) [High Severity][https://snyk.io/vuln/SNYK-JS-SERIALIZEJAVASCRIPT-570062] in [email protected] introduced by [email protected] and 1 other path(s)
I tried to update only minimist to v1.2.5 in yarn.lock, but Snyk continues to report the vulnerable path. Do I have any other options?
from serialize-javascript.
As a workaround, I implemented a PHP - JavaScript bridge for the "randomBytes" function:
In JavaScript:
    // Stand-in for Node's crypto module, backed by the function exported from PHP.
    const crypto = {
      randomBytes: function (val) {
        let newBuffer = new Uint8Array(val)
        let bytesNumbers = global.randomBytes(val) // refers to PHP $randomBytes
        // Copy the PHP-provided byte values into the typed array.
        return newBuffer.map((number, index) => bytesNumbers[index])
      },
    }
In PHP:
    // Returns $length bytes from PHP's CSPRNG as a list of integers (0-255).
    $randomBytes = function (int $length) {
        return array_map(function ($i) { return ord($i); }, str_split(random_bytes($length)));
    };
Now I can update to v3.1.0.
from serialize-javascript.
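A stricter variant of the JavaScript side of the bridge above, as an added example that is not part of the original comment or of serialize-javascript: it validates what the host function returns and throws instead of silently storing zeros when the reply is short or malformed. `makeBridgedRandomBytes`, `hostRandomBytes` and the sample hosts are hypothetical names, and the host function is assumed to return an indexable list of byte values, as in the comment.

```javascript
// Added example: names below are assumptions, not serialize-javascript or v8js APIs.

// Same copy pattern as the workaround: missing entries are undefined, and a
// Uint8Array stores undefined as 0, so a short or broken reply goes unnoticed.
function unvalidatedCopy(size, fromHost) {
  return new Uint8Array(size).map((_, i) => fromHost[i]);
}

// Wraps the host-provided function and fails closed on anything that is not
// exactly `size` integers in the range 0..255.
function makeBridgedRandomBytes(hostRandomBytes) {
  if (typeof hostRandomBytes !== 'function') {
    throw new TypeError('host randomBytes bridge is not installed');
  }
  return function randomBytes(size) {
    if (!Number.isInteger(size) || size < 1) {
      throw new RangeError('size must be a positive integer');
    }
    const fromHost = hostRandomBytes(size);
    if (fromHost === null || fromHost === undefined) {
      throw new Error('host randomBytes bridge returned nothing');
    }
    const out = new Uint8Array(size);
    for (let i = 0; i < size; i++) {
      const b = fromHost[i];
      if (!Number.isInteger(b) || b < 0 || b > 255) {
        throw new Error('host randomBytes bridge returned a bad value at index ' + i);
      }
      out[i] = b;
    }
    return out;
  };
}

// Constructed stand-ins for the PHP side (fixed values, NOT random), used only
// to exercise both paths offline.
const completeHost = (n) => Array.from({ length: n }, (_, i) => (i * 37) & 0xff);
const truncatedHost = () => [1, 2];

function demo() {
  const silent = Array.from(unvalidatedCopy(4, truncatedHost(4)));
  let rejected = false;
  try { makeBridgedRandomBytes(truncatedHost)(4); } catch (e) { rejected = true; }
  const ok = Array.from(makeBridgedRandomBytes(completeHost)(4));
  return { silent, rejected, ok };
}
```

In the embedding, the wrapper would be created once with the function exported from PHP and assigned as `crypto.randomBytes` in place of the unvalidated copy.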