constantinople - npm Package Compare versions

Comparing version 2.0.1 to 3.0.0

index.js

 'use strict'
 
-var uglify = require('uglify-js')
+var detect = require('acorn-globals');
 
-var lastSRC = '(null)'
-var lastRes = true
+var lastSRC = '(null)';
+var lastRes = true;
 var lastConstants = undefined;
 
-module.exports = isConstant
+module.exports = isConstant;
 function isConstant(src, constants) {
-  src = '(' + src + ')'
-  if (lastSRC === src && lastConstants === constants) return lastRes
-  lastSRC = src
+  src = '(' + src + ')';
+  if (lastSRC === src && lastConstants === constants) return lastRes;
+  lastSRC = src;
+  lastConstants = constants;
   try {
+    Function('return (' + src + ')');
     return lastRes = (detect(src).filter(function (key) {
-      return !constants || !(key in constants)
-    }).length === 0)
+      return !constants || !(key.name in constants);
+    }).length === 0);
   } catch (ex) {
-    return lastRes = false
+    return lastRes = false;
   }
 }
-isConstant.isConstant = isConstant
+isConstant.isConstant = isConstant;
 
-isConstant.toConstant = toConstant
+isConstant.toConstant = toConstant;
 function toConstant(src, constants) {
-  if (!isConstant(src, constants)) throw new Error(JSON.stringify(src) + ' is not constant.')
+  if (!isConstant(src, constants)) throw new Error(JSON.stringify(src) + ' is not constant.');
   return Function(Object.keys(constants || {}).join(','), 'return (' + src + ')').apply(null, Object.keys(constants || {}).map(function (key) {
@@ -31,25 +33,1 @@ return constants[key];
 }
-
-function detect(src) {
-  var ast = uglify.parse(src.toString())
-  ast.figure_out_scope()
-  var globals = ast.globals
-    .map(function (node, name) {
-      return name
-    })
-  
-  // Walk the AST tree in search for `this`
-  // Add a fake "this" global when found
-  var has_this = false;
-  var walker = new uglify.TreeWalker(function(node) {
-    if (node instanceof uglify.AST_This) {
-      has_this = true;
-    }
-  });
-  ast.walk(walker);
-  if (has_this) {
-    globals.push('this')
-  }
-  
-  return globals
-}

package.json

 {
   "name": "constantinople",
-  "version": "2.0.1",
+  "version": "3.0.0",
   "description": "Determine whether a JavaScript expression evaluates to a constant (using UglifyJS)",
   "keywords": [],
   "dependencies": {
-    "uglify-js": "~2.4.0"
+    "acorn-globals": "^1.0.0"
   },
@@ -9,0 +9,0 @@ "devDependencies": {

README.md

@@ -7,3 +7,3 @@ # constantinople
 [![Dependency Status](https://img.shields.io/gemnasium/ForbesLindesay/constantinople.svg)](https://gemnasium.com/ForbesLindesay/constantinople)
-[![NPM version](https://img.shields.io/npm/v/constantinople.svg)](http://badge.fury.io/js/constantinople)
+[![NPM version](https://img.shields.io/npm/v/constantinople.svg)](https://www.npmjs.org/package/constantinople)
 
@@ -43,2 +43,2 @@ ## Installation
 
-  MIT
+  MIT

New alerts

Uses eval

Supply chain risk

Package uses eval() which is a dangerous function. This prevents the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.

Found 1 instance in 1 package

Improved metrics

Number of lines in readme file

43

increased by2.38%

Worsened metrics

Total package byte prevSize

7212

decreased by-5.63%

Lines of code

84

decreased by-18.45%

Number of medium supply chain risk alerts

2

increased by100%

Dependency changes

• + Addedacorn-globals@^1.0.0

• + Addedacorn@2.7.0(transitive)

• + Addedacorn-globals@1.0.9(transitive)

• - Removeduglify-js@~2.4.0

• - Removedamdefine@1.0.1(transitive)

• - Removedasync@0.2.10(transitive)

• - Removedcamelcase@1.2.1(transitive)

• - Removeddecamelize@1.2.0(transitive)

• - Removedsource-map@0.1.34(transitive)

• - Removeduglify-js@2.4.24(transitive)

• - Removeduglify-to-browserify@1.0.2(transitive)

• - Removedwindow-size@0.1.0(transitive)

• - Removedwordwrap@0.0.2(transitive)

• - Removedyargs@3.5.4(transitive)