We currently have a content security policy set up that doesn't allow for unsafe-eval or the use of the function constructor. In one of the most recent updates, jsonschema was replaced with ajv.
Ajv uses the function constructor while json schema does not. I currently have prevented upgrading past v0.51.0. Ajv's response to this is to precompile schemas which isn't quite useful since I would like to provide a form editor.
I'd like to be able to drop ajv in favor of json-schema or some other validation module, without necessarily being stuck in time.
https://github.com/epoberezkin/ajv/blob/master/lib/compile/index.js#L118 is where the function constructor is run.
0.51.0 uses json-schema
^0.52.0 uses ajv
I must say that I wish a little more time had been invested in the decision to swap out the validation library. Our group is spending time updating our code due to subtle changes/issues in validation due to the switch to the ajv library. Major changes to subsystems like this really need more scrutiny/testing in the future as each dependent library (jsonschema, ajv, etc.) comes with its own inherent quirks/issues.
There is a pending pull request that might interest you regarding AJV.
https://github.com/mozilla-services/react-jsonschema-form/pull/794
@sportnak hmm, that might be hard to do, given that a lot of our error code and other functionality we support (custom meta schemas, custom formats, etc.) is now ajv-specific. Do you have an idea of how supporting alternate validators would work?
@epicfaace I know this is an older issue but our team has also recently run into this when adopting react-jsonschema-form into our production environment.
It seems like ajv is here to stay given the progress that's been made since this issue was originally created.
Are there alternatives to precompiling schemas that we can use w/o introducing unsafe-eval in our CSP? I'm curious to know what other production adoptions have been doing; I imagine adding unsafe-eval would be an uncommon setup for most companies.
my team ended up forking react-jsonschema-form and swapping out ajv for jsonschema for validation. solved our CSP problem, but was a real pain to do and will continue to be a pain to maintain. would be awesome if that was just an option in this library.
@megantaylor I think the main sticking point is that jsonschema and ajv have different formats of errors. If we could come up with a common structure for errors that both AJV and jsonschema errors could be converted to, then we should be able to use either ajv / jsonschema for validation. Do you think you might be able to help with that?
i would be interested in working on that, but right now i'm juggling too much already. 😞
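The common error structure proposed earlier in this thread, sketched as an added example (not code from react-jsonschema-form, ajv or jsonschema). The `{ path, keyword, message }` shape and the helper names are assumptions of this example, and the sample errors are constructed from the error fields the two libraries document.

```javascript
// Added example: convert ajv and jsonschema errors to one hypothetical shape,
// { path: string[], keyword: string, message: string }.

// ".address.lines[0]" -> ["address", "lines", "0"]
function splitAccessor(s) {
  const out = [];
  const re = /\.([^.\[\]]+)|\[(\d+)\]|\['([^']*)'\]/g;
  let m;
  while ((m = re.exec(s)) !== null) out.push(m.slice(1).find((g) => g !== undefined));
  return out;
}

// JSON Pointer "/tags/0" -> ["tags", "0"], undoing the ~1 and ~0 escapes.
function splitPointer(p) {
  return p.split('/').slice(1).map((s) => s.replace(/~1/g, '/').replace(/~0/g, '~'));
}

// ajv reports the location as instancePath (JSON Pointer) in v8 and as
// dataPath (property-access notation by default) in earlier versions.
function fromAjv(err) {
  const path = typeof err.instancePath === 'string'
    ? splitPointer(err.instancePath)
    : splitAccessor(err.dataPath || '');
  // Both libraries locate "required" errors at the parent object; append the
  // missing property so the error can be attached to the form field itself.
  if (err.keyword === 'required' && err.params && err.params.missingProperty) {
    path.push(err.params.missingProperty);
  }
  return { path, keyword: err.keyword, message: err.message };
}

// jsonschema reports the location as a string rooted at "instance".
function fromJsonschema(err) {
  const path = splitAccessor(String(err.property).replace(/^instance/, ''));
  if (err.name === 'required' && typeof err.argument === 'string') path.push(err.argument);
  return { path, keyword: err.name, message: err.message };
}

// Constructed sample errors for the same two failures, one list per library.
const ajvErrors = [
  { keyword: 'required', dataPath: '.address', params: { missingProperty: 'zip' },
    message: "should have required property 'zip'" },
  { keyword: 'type', instancePath: '/tags/0', params: { type: 'string' }, message: 'must be string' },
];
const jsonschemaErrors = [
  { property: 'instance.address', name: 'required', argument: 'zip', message: 'requires property "zip"' },
  { property: 'instance.tags[0]', name: 'type', argument: ['string'], message: 'is not of a type(s) string' },
];

console.log(ajvErrors.map(fromAjv), jsonschemaErrors.map(fromJsonschema));
```

Only `path` and `keyword` line up across the two validators; the `message` text still differs per library, so a form that displays messages would need its own wording keyed on `keyword`.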