Security News
tea.xyz Spam Plagues npm and RubyGems Package Registries
Tea.xyz, a crypto project aimed at rewarding open source contributions, is once again facing backlash due to an influx of spam packages flooding public package registries.
better-eval
Readme
An alternative to eval() in JavaScript that is customizable and safer!
The built-in eval function sucks: it has no form of security or customizability. Other implementations are inadequate, ranging from abandoned to overcomplicated. better-eval offers a solution, providing a modern alternative to the eval function with all the bells and whistles out of the box.
npm install better-eval
First, import the package:
const betterEval = require("better-eval");
Then call the function with something you want to be evaluated:
betterEval("1+1"); // returns 2
And it's as simple as that! Code you evaluate cannot access variables from your own scope unless you explicitly pass them in.
Include any variables as part of an object which you pass in as the second parameter:
const name = "Sam";
betterEval("`Hey ${name}`", { name }); // returns 'Hey Sam'
You can also pass functions as a part of the second parameter, and evaluate them in your code:
const returnName = () => "Bob";
betterEval("`Hey ${returnName()}`", { returnName }); // returns 'Hey Bob'
For your safety, the following global names are on a blacklist and will not be added to your variables even if you pass them:
global
process
module
require
document
window
Window
eval
Function
Here is how they will be handled:
betterEval("`Sum is ${eval('1+1')}`", { eval }); // eval is null!
Remember: never use better-eval blindly with user code. These checks are precautions for your own usage, but any user with malicious intent could find a way to get through them. Thus, use this package with caution.
If you want to have more control over the VM that runs your code, you can pass in a vmOptions parameter:
betterEval(
  "1+1",
  {},
  {
    fileName: "counting",
    lineOffset: 1,
  }
);
A complete list of options can be found here.
better-eval is MIT-licensed open-source software created by Bharadwaj Duggaraju.
FAQs
🔧 An alternative to the 'eval' function in JavaScript that is faster, easier/better to use, and has fewer security issues.
The npm package better-eval receives a total of 18,940 weekly downloads. As such, better-eval popularity was classified as popular.
We found that better-eval demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.