Description
It seems that the listed version of hapijs/joi in your package.json has a downstream dependency with a CSP issue.
The Error being thrown is:
EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".
The stack trace points to this function in the nested version of hapijs/isemail:
https://github.com/hapijs/isemail/blob/v1.2.0/lib/isemail.js#L155-L172
This fails CSP because of the string eval return at the end of the function.
This function (and from what I can tell, the CSP error) is removed in the next update of the library, which was v2.0.0 of hapijs/isemail.
This major update was released in v7.0.0 of hapijs/joi (see commit here).
Full Disclosure: Haven't looked at all into how much work the major bump would be, or how many changes would be made on the node-jsonwebtoken side.
All that said, is a version update of hapijs/joi possible?
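Added example, not part of the original issue and not code from hapijs/isemail or hapijs/joi: a Node check that flags dependency code which would hit the `'unsafe-eval'` restriction reported above, by running it in a `vm` context with string code generation disabled. The two function sources and the names `checkEvalFree` and `report` are hypothetical stand-ins; the `vm` option approximates only the eval restriction of a CSP, not the whole policy.

```javascript
const vm = require('node:vm');

// Hypothetical dependency code (constructed for this example, not the isemail
// source). Both build a character lookup table; the first ends by returning
// the result of a string eval, the second is an eval-free rewrite.
const WITH_EVAL = `function (chars) {
  var body = chars.split('').map(function (c) {
    return JSON.stringify(c) + ':true';
  }).join(',');
  return eval('({' + body + '})');
}`;

const WITHOUT_EVAL = `function (chars) {
  var table = {};
  chars.split('').forEach(function (c) { table[c] = true; });
  return table;
}`;

// Compile and call `source` inside a V8 context where generating code from
// strings is disabled, approximating a policy without 'unsafe-eval'.
function checkEvalFree(source, args) {
  const context = vm.createContext({}, {
    codeGeneration: { strings: false, wasm: false },
  });
  // The function must be created inside the restricted context: the check
  // applies to the context whose eval / Function constructor is invoked.
  const fn = vm.runInContext(`(${source})`, context);
  try {
    return { cspSafe: true, result: fn(...args) };
  } catch (err) {
    // Errors come from another realm, so compare by name, not instanceof.
    if (err && err.name === 'EvalError') {
      return { cspSafe: false, error: err.message };
    }
    throw err; // unrelated failure: surface it
  }
}

function report() {
  return {
    withEval: checkEvalFree(WITH_EVAL, ['()<>@,;:']),
    withoutEval: checkEvalFree(WITHOUT_EVAL, ['()<>@,;:']),
  };
}

console.log(report());
```

Running a bundled dependency's entry points through a check like this in CI surfaces string-eval code paths before they reach a page served with `script-src 'self'`.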