Request to Remove or Address unsafe-eval Usage in Yoga Layout #1767

Open
buzzo123 opened this issue Dec 10, 2024 · 4 comments

Comments

@buzzo123

Hi Yoga Layout Team,

I am currently using @react-pdf/renderer (version ^4.1.5) in my project, which depends on yoga-layout. During development, I've encountered issues related to the usage of unsafe-eval within yoga-layout.

Problem

The inclusion of unsafe-eval poses significant security risks and violates stricter Content Security Policies (CSPs), which are becoming increasingly common in modern web applications. This makes it challenging to use yoga-layout in secure environments without relaxing CSP rules, which isn't always an acceptable solution.

Steps to Reproduce

  1. Integrate @react-pdf/renderer (which uses yoga-layout) into a project.
  2. Implement a CSP policy that disallows unsafe-eval.
  3. Observe the resulting errors when attempting to use yoga-layout.

Let me know if additional details, examples, or assistance with refactoring would be helpful. Thank you for all the effort you’ve put into maintaining this essential library!

Best regards,
Michele

@NickGerleman
Contributor

I didn’t look closely at this, but it seems to come from Emscripten (possibly embind), so bindings would need to change.

@guillaumeduboc

I have the same issue and it would be amazing to see it resolved!
I found this issue regarding unsafe-eval and embind: emscripten-core/emscripten#20994. It might be interesting.

@NickGerleman
Contributor

NickGerleman commented Dec 24, 2024

“DYNAMIC_EXECUTION=0” may depend on moving from “embind” usage to direct calls (which last I looked should theoretically be pretty doable given we already have a stable C API).

Would also be a big performance win.

See #1545 and #1507

@guillaumeduboc

I looked quickly into it and it seems there are no calls to eval, and DYNAMIC_EXECUTION=0 is used in https://github.com/facebook/yoga/blob/main/javascript/CMakeLists.txt#L39

The unsafe-eval is raised by WebAssembly.instantiate, so there is no getting around it, I guess.
For now the only way of running WebAssembly with CSPs is to use wasm-unsafe-eval, since hashes are not supported.
