I have an app using react three fiber, which depends on three.js and consequently on three-stdlib.
I'm auditing security and finding this issue in lottie-web, which is not maintained for a while, and this issue is not fixes even if there is a bunch of PR's from community. airbnb/lottie-web#2927
I've created an issue in three.js
mrdoob/three.js#29572
but was redirected to this repo.
Please get rid of lottie-web for next version release. using eval is very bad security issue.