an override replacement for @protobufjs/inquire
This project, inspired by dry-uninstall, exists to remove an unnecessary use of eval from @protobufjs/inquire, a small utility library that ships with the popular protobuf-javascript library protobuf.js.
protobuf.js is a handy library for generating JavaScript and TypeScript serialization classes from .proto files. Yay!
It promises a minimal implementation that doesn't use eval for its reflection capabilities. Yay!
But it depends on an additional library, inquire, which optionally probes for extra JavaScript capabilities such as long support (long.js, for 64-bit integers). Boo!
And inquire does that probing through eval, assembling the require call from string pieces so that bundlers cannot see it. Boo!
Several issues have been filed about this; none have been answered.
So here's the workaround: don't inquire.
Add this overrides section to your package.json:
{
  "overrides": {
    "@protobufjs/inquire": "npm:@untra/dontinquire@0.1.0"
  }
}
This replaces the eval-based optional library with one whose inquire function always returns null, which protobuf.js treats as "optional module not available". One consequence: protobuf.js will no longer auto-detect long.js, so if you need full 64-bit integer precision, assign protobuf.util.Long yourself and call protobuf.configure(), as the protobuf.js README describes for environments where detection does not work.
After npm install, make sure the override actually took effect: package-lock.json should record the replacement under the original package's path, like this:
"node_modules/@protobufjs/inquire": {
  "name": "@untra/dontinquire",
  "version": "0.1.0",
  "resolved": "https://registry.npmjs.org/@untra/dontinquire/-/dontinquire-0.1.0.tgz",
  "integrity": "sha512-vNXxof1p2H69TB8XrZc6uxSEi8O6gyKN+Xel7Alfs/GsWGeaUsSXMwAETZzEMDYGSIfb2EZC+5wYcr6AA8H8qw=="
},
The overrides field tells npm (8.3 or newer) to substitute the named package for every copy of @protobufjs/inquire in the dependency tree, transitive ones included; the npm: prefix is npm's alias syntax, which is what lets a package with a different name stand in. Yarn has the equivalent resolutions field and pnpm has pnpm.overrides. If the lockfile still shows the upstream package, the override did not apply (too old an npm, or a lockfile generated before the override was added): delete package-lock.json and node_modules and install again.
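As an added example (not code from @untra/dontinquire or protobuf.js), the Node script below contrasts an eval-wrapped require of the kind described above with the null-returning stand-in, and checks a package-lock.json for the override the same way you would after npm install. The function names are mine, and the two lockfile samples are constructed inline (the override entry mirrors the one shown above; the upstream-style entry uses a placeholder integrity value).

```javascript
// Added example, not code from @untra/dontinquire or protobuf.js. Shows
// (1) the shape of the eval-based probe the README objects to, (2) the
// null-returning stand-in, and (3) a lockfile check that the override was
// applied. All function names and sample data here are constructed.

// (1) An eval-wrapped require: the word "require" is assembled at runtime,
// so a bundler's static scan never sees a literal require() call. This is an
// illustration of that scheme, not the upstream source. Any failure
// (module missing, eval blocked by CSP, no require in ESM) is swallowed
// and null comes back, so callers cannot tell "absent" from "blocked".
function evasiveInquire(moduleName) {
  try {
    const load = eval("quire".replace(/^/, "re")); // evaluates to `require`
    const mod = load(moduleName);
    if (mod && (mod.length || Object.keys(mod).length)) return mod;
  } catch (e) {
    // swallowed on purpose, mirroring the optional-probe behaviour
  }
  return null;
}

// (2) The stand-in: never touches eval, never loads anything.
function dontInquire(moduleName) {
  return null;
}

// (3) Lockfile check. npm records an aliased override under the original
// package path with a "name" field naming the package actually installed;
// an un-aliased entry has no "name" field at all.
function checkLockfileOverride(lockJson, expectedName = "@untra/dontinquire") {
  const lock = typeof lockJson === "string" ? JSON.parse(lockJson) : lockJson;
  const entry = (lock.packages || {})["node_modules/@protobufjs/inquire"];
  if (!entry) {
    return { ok: false, reason: "no node_modules/@protobufjs/inquire entry (not installed?)" };
  }
  if (entry.name !== expectedName) {
    const actual = entry.name || "upstream @protobufjs/inquire";
    return { ok: false, reason: `entry resolves to ${actual}, not ${expectedName}` };
  }
  if (typeof entry.integrity !== "string" || !entry.integrity.startsWith("sha512-")) {
    return { ok: false, reason: "entry has no sha512 integrity hash" };
  }
  return { ok: true, version: entry.version, resolved: entry.resolved };
}

// Constructed sample lockfiles (only the relevant entry is included).
const LOCK_WITH_OVERRIDE = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "node_modules/@protobufjs/inquire": {
      name: "@untra/dontinquire",
      version: "0.1.0",
      resolved: "https://registry.npmjs.org/@untra/dontinquire/-/dontinquire-0.1.0.tgz",
      integrity: "sha512-vNXxof1p2H69TB8XrZc6uxSEi8O6gyKN+Xel7Alfs/GsWGeaUsSXMwAETZzEMDYGSIfb2EZC+5wYcr6AA8H8qw=="
    }
  }
});

const LOCK_WITHOUT_OVERRIDE = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    // upstream-style entry: no "name" field because nothing is aliased;
    // the version and integrity values are placeholders for this example
    "node_modules/@protobufjs/inquire": {
      version: "1.1.0",
      resolved: "https://registry.npmjs.org/@protobufjs/inquire/-/inquire-1.1.0.tgz",
      integrity: "sha512-constructed-placeholder"
    }
  }
});

// Summary of all three checks, returned as data so it can be asserted on.
function report() {
  return {
    override: checkLockfileOverride(LOCK_WITH_OVERRIDE),
    upstream: checkLockfileOverride(LOCK_WITHOUT_OVERRIDE),
    evasiveOnMissingModule: evasiveInquire("module-that-does-not-exist-xyz"),
    standin: dontInquire("long")
  };
}

console.log(JSON.stringify(report(), null, 2));
```

To run the lockfile check against a real project, read package-lock.json with fs and pass its contents to checkLockfileOverride; a false result with the "entry resolves to upstream" reason is the case the README warns about, where npm kept the original package despite the overrides section.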