Flagsmith / flagsmith-js-client

Javascript Client for Flagsmith. Ship features with confidence using feature flags and remote config. Host yourself or use our hosted version at https://www.flagsmith.com/

Home Page:https://www.flagsmith.com/


non-standard import of EventJS

dgreene1 opened this issue · comments

Hello. My company is considering using Flagsmith. When I was reviewing the source code I found a few issues. (1) there are lots of ts-ignore comments which is worrisome. (2) There is a copy and paste of EventJS in there.

function Eventjs(){"use strict";var e={};var r=this;for(var t=0;t<arguments.length;t++){var n=arguments[t];switch(typeof n){case"string":e[n]=[];break;case"object":r=n;break;default:throw new TypeError("Eventjs() only accepts string and object parameters");break}}if(r===this&&!(this instanceof Eventjs)){throw new ReferenceError('Eventjs is not called with "new" keyword and no parameter of type object is passed to it')}function s(r){"use strict";if(typeof r!=="string"||!e[r]){throw new ReferenceError("The event name does not exist in this event manager: "+r)}return true}r.on=function(r){"use strict";s(r);for(var t=1;t<arguments.length;t++){var n=arguments[t];if(e[r].indexOf(n)===-1){e[r].push(n)}}return this};r.off=function(t){"use strict";switch(arguments.length){case 0:for(var n in e){if(e.hasOwnProperty(n)){r.off(n)}}break;case 1:s(t);e[t].length=0;break;default:s(t);for(var a=1;a<arguments.length;a++){var i=arguments[a];var o=e[t].indexOf(i);if(o!==-1){e[t].splice(o,1)}}break}return this};r.trigger=function(t){"use strict";s(t);var n=[];for(var a=1;a<arguments.length;a++){n.push(arguments[a])}var i=e[t];var o=[];for(var f=0;f<i.length;f++){var u=i[f];try{u.apply(r,n)}catch(c){o.push({listener:u,error:c})}}if(o.length>0){throw o}return this};return r}

The negatives of the current approach include:

  1. this library no longer gets the free updates from the EventJS library so we don't get their performance improvements.
  2. this library no longer gets the free updates from the EventJS library so we don't get their security enhancements.
  3. the type information is broken due to that line I linked above.

Hey @dgreene1 thanks for this. Happy to take a PR or we can look at this ourselves over the next few days.

@dabeeeenster if I was confident that our company was considering this product over the competition I would make a PR. But we’re not there yet. And the findings actually were rather disturbing to see. Like it’s clearly a copy and paste of the minified version of a public library and I can’t understand how that’s acceptable for a paid offering. Since I can’t reverse engineer that minified code to determine which library was used, the Flagsmith staff will have to make this PR.

Hi, thanks for raising your concern.

The event library in question is a very small, simple bit of code responsible for triggering an event and the reason for bundling into our application was because the library did not have ES module support but did exactly what we needed. In regards to particular points:

  1. this library no longer gets the free updates from the EventJS library so we don't get their performance improvements.
  2. this library no longer gets the free updates from the EventJS library so we don't get their security enhancements.

This is quite unlikely; the library hasn't been published in 4 years and was only ever published 4 times, probably due to its simplicity.

  1. The type information is broken due to that line I linked above.
    No, since the event library does not support TypeScript.

Since this has been brought to my attention, however, I've gone to the effort of bringing this library up to speed as well as improving the community's TypeScript support. #133

The type information is broken due to that line I linked above.

No, since the event library does not support TypeScript.

That’s a bummer since there are many event libraries that are tiny and have types internally or in DefinitelyTyped. I can’t recall which of these I used in my last library, but the top 4 likely do have types due to their popularity: https://npmtrends.com/event-emitter-vs-event-trigger-vs-eventemitter2-vs-eventemitter3-vs-events-vs-pubsub-js-vs-tiny-emitter

the reason for bundling into our application was because the library did not have ES module support

There shouldn’t be a problem with CommonJS imports if you use this flag: https://www.typescriptlang.org/tsconfig#esModuleInterop

this library no longer gets the free updates from the EventJS library so we don't get their security enhancements.

What I mean by that is that you won’t get Dependabot security alerts for https://www.npmjs.com/package/event-trigger because GitHub has no way of knowing that you use that library due to it not being in your package-lock.json. So if there is a security exploit in https://github.com/zoli-fischer/event-trigger then you won’t get informed.

That being said, I think #133 is a great contribution and makes me feel more comfortable giving Flagsmith the go-ahead to be one of the libraries that our company considers. Thank you. :)

That’s a bummer since there are many event libraries that are tiny and have types internally or in DefinitelyTyped. I can’t recall which of these I used in my last library, but the top 4 likely do have types due to their popularity: https://npmtrends.com/event-emitter-vs-event-trigger-vs-eventemitter2-vs-eventemitter3-vs-events-vs-pubsub-js-vs-tiny-emitter

I'll take a look at the event emitters you linked; my main goal for it would be keeping the bundle size low, as a few I looked at previously were doing more than we needed.

There shouldn’t be a problem with CommonJS imports if you use this flag:

Thanks for that, I'll try it out for my own curiosity. Similarly to the comment on Dependabot, I still think the most positive way forward will be to continue with the PR or get an equally small typed replacement.

Thanks for the kind words RE #133, I'll likely be tidying this up / publishing today.
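For readers who, like the reporter, do not want to reverse-engineer the minified blob: the following is an added example (not Flagsmith's code and not the Eventjs library) that re-implements the blob's on/off/trigger API as a small typed class, including its less obvious behaviour that every listener still runs when an earlier one throws. The class name `Events` and the event names used are my own.

```typescript
// Added example (not Flagsmith's or Eventjs' code): the vendored blob's API,
// rewritten as a small typed class with the same on/off/trigger semantics.
type Listener<A extends unknown[]> = (...args: A) => void;
type Failure = { listener: Listener<any>; error: unknown };

export class Events<E extends Record<string, unknown[]>> {
  private readonly lists = new Map<keyof E, Listener<any>[]>();

  // Like Eventjs(), event names must be declared up front.
  constructor(...names: (keyof E)[]) {
    for (const n of names) this.lists.set(n, []);
  }

  private list(name: keyof E): Listener<any>[] {
    const l = this.lists.get(name);
    if (!l) throw new ReferenceError(`The event name does not exist in this event manager: ${String(name)}`);
    return l;
  }

  // Registers listeners; a listener that is already present is not added twice.
  on<K extends keyof E>(name: K, ...fns: Listener<E[K]>[]): this {
    const l = this.list(name);
    for (const fn of fns) if (l.indexOf(fn) === -1) l.push(fn);
    return this;
  }

  // off(): clear every event; off(name): clear one event; off(name, fn...): remove those listeners.
  off<K extends keyof E>(name?: K, ...fns: Listener<E[K]>[]): this {
    if (name === undefined) { this.lists.forEach((l) => { l.length = 0; }); return this; }
    const l = this.list(name);
    if (fns.length === 0) l.length = 0;
    for (const fn of fns) { const i = l.indexOf(fn); if (i !== -1) l.splice(i, 1); }
    return this;
  }

  // Every listener runs even if an earlier one throws; the failures are collected
  // and thrown together as an array afterwards, which is what the minified blob does.
  trigger<K extends keyof E>(name: K, ...args: E[K]): this {
    const failures: Failure[] = [];
    for (const fn of [...this.list(name)]) { // snapshot, since a listener may call off()
      try { fn(...args); } catch (error) { failures.push({ listener: fn, error }); }
    }
    if (failures.length > 0) throw failures;
    return this;
  }
}
```

Note that `trigger` throws a plain array of `{ listener, error }` objects rather than an `Error`, so callers of the vendored blob that expect an `Error` instance will not match it.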

This is now released as of flagsmith, flagsmith-es and react-native-flagsmith 3.6.0