Skip to content

osmtogeojson 3.0.0-beta.5 fails in restricted sandbox environments (Figma plugins) due to lodash's __core-js_shared__ dependency #148

New issue
New issue
Open
Open
osmtogeojson 3.0.0-beta.5 fails in restricted sandbox environments (Figma plugins) due to lodash's __core-js_shared__ dependency#148
@akre54

Description

@akre54
akre54
opened on Jan 7, 2026

Summary

Version 3.0.0-beta.5 of osmtogeojson cannot run in restrictive JavaScript sandbox environments like Figma plugins due to the bundled lodash attempting to access and assign to window.__core-js_shared__.

Environment

  • osmtogeojson version: 3.0.0-beta.5

  • Runtime environment: Figma Plugin sandbox

  • Bundler: esbuild

Steps to Reproduce

  1. Install osmtogeojson 3.0.0-beta.5 in a Figma plugin project

  2. Import and use osmtogeojson in the plugin backend code

  3. Bundle with esbuild

  4. Load the plugin in Figma

Expected Behavior

The library should work in restricted sandbox environments that don't allow assignment to properties with double underscores or other restricted property names.

Actual Behavior

The plugin fails to load with the following errors:

TypeError: Cannot read properties of undefined (reading '__core-js_shared__')
      at node_modules/osmtogeojson/lodash.custom.js

And when attempting to polyfill:

Syntax error: Invalid left-hand side in assignment
      root.__core-js_shared__ = {};

Root Cause

The bundled lodash.custom.js in the beta version attempts to access/create window.__core-js_shared__, which:

  1. May not exist in all environments

  2. Cannot be assigned in restrictive sandboxes that prohibit certain property names

Workaround

Downgrading to version 2.2.12 resolves the issue, as this version doesn't have the problematic lodash dependency.

"osmtogeojson": "2.2.12"

Request

  • Could the lodash bundling approach be reconsidered for the 3.0 stable release?

  • Consider using a lodash build that doesn't rely on core-js internals, or include only the specific lodash functions needed

  • Alternatively, document which environments are supported/unsupported in 3.0

Additional Context

Figma's plugin sandbox is particularly restrictive, but other sandboxed JavaScript environments (Content Security Policy restricted contexts, WebAssembly System Interface, etc.) may face similar issues.

The beta has been available since 2018 - are there plans to release a stable 3.0 that addresses these compatibility issues? I'm assuming no but leaving this up for others in case they stumble upon this

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions