ajv icon indicating copy to clipboard operation
ajv copied to clipboard
verified publisher icon ajv-validator

Allow it to work on edge (e.g. cloudflare workers)

Open ValeryG opened this issue 1 year ago • 6 comments

There is already an issue for this , https://github.com/ajv-validator/ajv/issues/2318, but it is closed. Suggestion there is not working when ajv is XX-layers down like eg: async-parser -> @stoplight/spectral->ajv and dynamic schema is validated, there is not visible to generate and pass validation function all the way down.

The version of Ajv you are using latest

The environment you have the problem with cloudflare worker

Your code (please make it as small as possible to reproduce the issue) standard example from async-parser Example

Works in every browser and node env, except of cloudflare worker.

Results and error messages in your platform

 Code generation from strings disallowed for this context

      at new Function (<anonymous>)
      at m.f

If there is no way to drop new Function usage in general, maybe it could be made conditional? let's say if option.workerSafe is passed as true, do something worker safe instead of new function?

ValeryG avatar Aug 22 '24 17:08 ValeryG

I see, so the use of AJV within other projects preclude those projects from being used in cloudflare. I wonder if it would be possible for those projects to pre-build any schema based validations functions so that their code can be run on cloudflare? It won't always be possible but not out of the question depending on the usage.

I say this because given how AJV works I can't think of a way to avoid using new Function. Also worth noting, just in case it was a concern, that while new Function is considered unsafe and not allowed on cloudflare, the way that AJV uses it is very safe and has been verified by many experts. Anything passed to new Function has had to go through the typesafe codegen package which protects against any injection attacks etc.

Anyway, I am open to ideas but afaik we couldn't stop using new Function.

jasoniangreen avatar Aug 24 '24 21:08 jasoniangreen

I wonder if it would be possible for those projects to pre-build any schema based validations functions so that their code can be run on cloudflare?

No, since the source files are fetched at runtime, there’s bo way to pre-build.

adamdehaven avatar Aug 24 '24 22:08 adamdehaven

I see. Well I will leave this open. If anyone has any ideas on how to work around this or any proposals, we can discuss it.

jasoniangreen avatar Sep 02 '24 20:09 jasoniangreen

As Cloudflare doesn't allow eval or new Function for security reasons, it may someday support ShadowRealm API if it gets approved by TC39 (it's currently in Stage 2.7 and Bun already supported it). At that time ajv should be able to migrate to the new API to make it work on edge runtimes.

Justineo avatar Sep 11 '24 15:09 Justineo

Thanks for the info @Justineo, I will keep an eye out for that.

jasoniangreen avatar Sep 28 '24 10:09 jasoniangreen

is there anyway to workaround this and make Ajv run on edge just for now?

ama-coder avatar Feb 28 '25 20:02 ama-coder

BTW there's a workaround for this: https://developers.cloudflare.com/workers/configuration/compatibility-flags/#enable-eval-during-startup

As long as you only compile during script startup, AJV is functional on Cloudflare Workers.

cmsparks avatar Jan 05 '26 19:01 cmsparks