google-protobuf is old and not good with TypeScript and bundlers for the Web.
An alternative like protobuf-es will help us ship a smaller package (see #1608).
But more annoying, the google-protobuf code relies on the evil eval() function:
The 3 eval() calls in your main chunk all come from google-protobuf's bundled Google Closure Library runtime, which ships inside @gomomento/generated-types-webtext (a dependency of @gomomento/sdk-web). Specifically:
- goog.useSafari10Workaround — uses eval() to detect a Safari 10 let scoping bug
- goog.loadModuleFromSource_ — uses eval(a) to load Closure modules from source strings
- goog.globalEval — uses goog.global.eval(p) as a general-purpose eval wrapper
These are all part of the Closure Library's module loading infrastructure that google-protobuf relies on. None of them are code you wrote or can patch — they're deep inside a minified third-party dependency.
That forces us to relax the Content Security Policy (CSP) with an unsafe-eval in the script-src directive, which makes us miss the 100+ points in the Mozilla analyzer https://developer.mozilla.org/en-US/observatory/analyze. For financial apps, this is a bad signal.
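One way to catch the relaxed policy in CI, as an added example that is not part of the original issue or of any project it names: the check below parses a CSP header value and reports whether JavaScript `eval()` is permitted, following the `script-src` to `default-src` fallback. The function names and the sample policies are constructed for illustration.

```javascript
// Added example: decide whether a Content-Security-Policy value permits eval().
// parseCsp and evalAllowed are hypothetical helper names, not a library API.

function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase(); // directive names are case-insensitive
    // A repeated directive is ignored by browsers; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function evalAllowed(policy) {
  const directives = parseCsp(policy);
  // eval() is governed by script-src, which falls back to default-src.
  const sources = directives.get('script-src') ?? directives.get('default-src');
  // Neither directive present: the policy places no restriction on eval().
  if (sources === undefined) return true;
  // 'wasm-unsafe-eval' only covers WebAssembly compilation, so it is an
  // exact keyword match that counts, not a substring match.
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Constructed sample policies.
const SAMPLES = {
  relaxed: "default-src 'self'; script-src 'self' 'unsafe-eval'",
  strict: "default-src 'self'; script-src 'self'",
  wasmOnly: "script-src 'self' 'wasm-unsafe-eval'",
  fallback: "default-src 'self' 'unsafe-eval'; img-src *",
  duplicate: "script-src 'self'; script-src 'unsafe-eval'",
  unrestricted: "img-src 'self'",
};

for (const [label, policy] of Object.entries(SAMPLES)) {
  console.log(`${label}: eval ${evalAllowed(policy) ? 'ALLOWED' : 'blocked'}`);
}
```

Run against the header the deployed app actually returns, a `true` result fails the build until the `eval()`-dependent dependency is removed.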