fix: Fix CSP eval violation and add a test to protect against future violations#32291
Merged
Conversation
Contributor
Size Change: +4.99 kB (+0.14%) Total Size: 3.66 MB
Contributor
PR Summary
This PR addresses a Content Security Policy (CSP) violation caused by eval() usage in a third-party dependency, upgrading @microlink/react-json-view and implementing preventive measures.
- Added frontend/bin/check-toolbar-csp-eval.mjs to detect potential CSP violations by scanning for eval(), Function constructors, and unsafe timer patterns
- Updated @microlink/react-json-view from v1.21.3 to v1.26.2 to resolve CSP violation
- Added new CI step in .github/workflows/ci-frontend.yml to run CSP violation checks
- Added @babel/parser and @babel/traverse as dev dependencies for AST parsing
3 file(s) reviewed, 2 comment(s)
Greptile
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
Contributor
📸 UI snapshots have been updated: 1 snapshot change in total. 0 added, 1 modified, 0 deleted. Triggered by this commit.
Contributor
📸 UI snapshots have been updated1 snapshot changes in total. 0 added, 1 modified, 0 deleted:
Triggered by this commit. |
lricoy approved these changes, May 17, 2025
| # we only care if the toolbar will increase a lot | ||
| minimum-change-threshold: 1000 | ||
|
|
||
| - name: Check toolbar for CSP eval violations |
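Review bot: the new step `- name: Check toolbar for CSP eval violations` is visible here only by its name; confirm its `run:` invokes frontend/bin/check-toolbar-csp-eval.mjs against the built toolbar output and that the script exits non-zero on a match, because the PR relies on this step failing (it fails with the old dependency and passes with the new) to block a regression. It sits right after the bundle-size check whose comment says `# we only care if the toolbar will increase a lot` with `minimum-change-threshold: 1000`; make sure the eval check is not conditioned on that size delta, since an eval() can enter a bundle without a notable size change.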
Problem
We accidentally broke people's CSP rules with a 3rd party library where webpack was including an eval(). It'd be good to fix this! I made a PR in the library, and the maintainer was super-responsive: microlinkhq/react-json-view#77
Changes
Let's bump the dependency and add a script to protect against this kind of thing in the future
Does this work well for both Cloud and self-hosted?
Yes
How did you test this code?
The script fails with the old dep, passes with the new
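An added example, not the project's frontend/bin/check-toolbar-csp-eval.mjs and not Greptile's or the author's code: the PR summary above says the script walks a Babel AST (@babel/parser, @babel/traverse) looking for eval(), Function constructors and unsafe timer patterns, and the description says it fails on the old dependency and passes on the new one. The version below performs the same three checks over a built bundle but swaps the AST for a small hand-written token scan so it runs with no packages installed; it skips comments and string/template literals so that an eval() mentioned in a string does not count, and it also flags the indirect (0, eval)(...) form that bundlers emit. The SAMPLE_BUNDLE text, the function names, and the cspAllowsEval helper (which reports whether a CSP header's script-src, or default-src as its fallback, grants 'unsafe-eval') are assumptions of this example, not anything from the PR.

```javascript
// Added example, not PostHog's check-toolbar-csp-eval.mjs. Scans JavaScript
// source for constructs that a CSP without 'unsafe-eval' blocks at runtime:
//   - any bare reference to eval  (covers eval("..") and (0, eval)(".."))
//   - Function("..") / new Function("..")
//   - setTimeout / setInterval whose first argument is a string literal
// The project's script uses a Babel AST; this one walks a minimal token
// stream instead so it runs with no dependencies (assumption: good enough
// for a CI guard; regex literals and window.Function(..) are not handled).

const TIMER_FNS = new Set(["setTimeout", "setInterval"]);
const IDENT_RE = /[A-Za-z_$][\w$]*/y;

// Split source into ident / string / punct tokens, dropping comments.
// A string or template literal is one token, so its contents can never
// produce a finding (template ${...} expressions are not recursed into).
function tokenize(src) {
  const tokens = [];
  let i = 0;
  let line = 1;
  while (i < src.length) {
    const c = src[i];
    if (c === "\n") { line++; i++; continue; }
    if (c === " " || c === "\t" || c === "\r") { i++; continue; }
    if (c === "/" && src[i + 1] === "/") {            // line comment
      while (i < src.length && src[i] !== "\n") i++;
      continue;
    }
    if (c === "/" && src[i + 1] === "*") {            // block comment
      const end = src.indexOf("*/", i + 2);
      const stop = end === -1 ? src.length : end + 2;
      for (let k = i; k < stop; k++) if (src[k] === "\n") line++;
      i = stop;
      continue;
    }
    if (c === '"' || c === "'" || c === "`") {        // string / template literal
      const startLine = line;
      let j = i + 1;
      while (j < src.length && src[j] !== c) {
        if (src[j] === "\\") j++;                     // skip the escaped char
        if (src[j] === "\n") line++;
        j++;
      }
      tokens.push({ type: "string", value: src.slice(i + 1, j), line: startLine });
      i = j + 1;
      continue;
    }
    IDENT_RE.lastIndex = i;
    const m = IDENT_RE.exec(src);
    if (m) {
      tokens.push({ type: "ident", value: m[0], line });
      i += m[0].length;
      continue;
    }
    tokens.push({ type: "punct", value: c, line });   // anything else, one char
    i++;
  }
  return tokens;
}

// Returns [{ pattern, line }] for every construct that needs 'unsafe-eval'.
function findCspEvalViolations(src) {
  const toks = tokenize(src);
  const findings = [];
  for (let k = 0; k < toks.length; k++) {
    const t = toks[k];
    if (t.type !== "ident") continue;
    const prev = toks[k - 1];
    const next = toks[k + 1];
    const afterDot = !!prev && prev.type === "punct" && prev.value === ".";
    const isObjKey = !!next && next.type === "punct" && next.value === ":";
    const isCall = !!next && next.type === "punct" && next.value === "(";
    if (t.value === "eval" && !afterDot && !isObjKey) {
      findings.push({ pattern: "eval", line: t.line });
    } else if (t.value === "Function" && isCall && !afterDot) {
      findings.push({ pattern: "Function", line: t.line });
    } else if (TIMER_FNS.has(t.value) && isCall && toks[k + 2]?.type === "string") {
      findings.push({ pattern: `${t.value}(string)`, line: t.line });
    }
  }
  return findings;
}

// True when a Content-Security-Policy header value permits eval: script-src
// governs it, default-src is the fallback, and no directive at all means no
// restriction. (Assumption: a single header value, not several combined.)
function cspAllowsEval(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name) directives.set(name.toLowerCase(), values);
  }
  const sources = directives.get("script-src") ?? directives.get("default-src");
  if (!sources) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Constructed sample "bundle" (not real react-json-view output) exercising
// each rule plus the cases that must not fire.
const SAMPLE_BUNDLE = `
// a comment mentioning eval() must not count
var label = "eval() is blocked by CSP"; // nor a string
function decode(s) { return (0, eval)("(" + s + ")"); }
var add = new Function("a", "b", "return a + b");
setTimeout("tick()", 1000);
setTimeout(function () {}, 1000);
var bind = Function.prototype.bind;
`;

// CI entry point: a non-empty result is what should fail the build.
function scanAndReport(src) {
  const findings = findCspEvalViolations(src);
  for (const f of findings) console.log(`line ${f.line}: ${f.pattern}`);
  return findings;
}

scanAndReport(SAMPLE_BUNDLE);
```

To use it as a build gate, read the built bundle from disk, call scanAndReport on it and exit 1 when the returned list is non-empty; that exit status is what turns the scan into the kind of check the PR describes, one that fails on the old dependency and passes on the new. The scan is deliberately loose where the comments say so: a bare `eval` on a user-defined object is reported even though it is harmless, and `window.Function(...)` is missed; for a bundle you own, a false positive that gets a quick look is the cheaper error.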