In GRPC-node 1.11.3:
var log_template = _.template(
'{severity} {timestamp}\t{file}:{line}]\t{message}',
{interpolate: /{([\s\S]+?)}/g});
The use of lodash's _.template function requires eval in a production environment. It seems kind of needless that this function is used here for something as mundane as logging, given the security implications. Is it avoidable?
It is most certainty avoidable, yes. Thanks for bringing this to our attention.
Thanks very much for your reply @nicolasnoble. I'm glad to hear this won't require any serious rewrites to remedy.
Is there any chance this fix, when implemented, will be backported to [email protected]? Google's Firebase relys on 1.11.3 and I'm not sure if/when they plan to change their dependency, but I know they're pushing this version on all users of their Firebase-js-sdk
Backporting to such an old release seems unlikely, but we'll discuss it on Monday.
I figured, but given the circumstances of Google depending on it for something as widely used as Firebase, I thought it might be worth backporting. Thanks again!
[email protected] has been published containing this fix. Firebase will work on updating to this version now.