ddoc - npm Package Compare versions

Comparing version 1.0.1 to 1.1.0

index.js

@@ -15,5 +15,12 @@ var fs = require('fs'),
             } else if (type.isFile()) {
-                var data = fs.readFileSync(path);
-                if (p.extname(file) === '.js') {        // eval
-                    obj[p.basename(file,'.js')] = Function("return ("+data+");")();
+                var data = fs.readFileSync(path, 'utf8');
+                if (p.extname(file) === '.js') {        // eval(-ish…actually has to handle bare `function () {}` *and* CommonJS modules!)
+                    // hack from https://github.com/iriscouch/couchjs/blob/71335aac1901a279aff213973f5508b0bc241e31/couchjs.js#L79
+                    data = data.replace(/;+$/, '');
+                    // TODO: we'll still bork on multi-statement modules, probably need separate codepaths for each style
+                    
+                    var module = {exports:{}};
+                    obj[p.basename(file,'.js')] = Function('require', 'module', 'exports', "return ("+data+");")(function (module) {
+                        return require(p.join(ddoc_dir,module));
+                    }, module, module.exports) || module.exports;
                 } else if (p.extname(file) === '.json') {
@@ -20,0 +27,0 @@ obj[p.basename(file,'.json')] = JSON.parse(data);

package.json

 {
   "name": "ddoc",
-  "version": "1.0.1",
+  "version": "1.1.0",
   "description": "require() a traditional couchapp into your node code",
@@ -5,0 +5,0 @@ "main": "index.js",

New alerts

Uses eval

Supply chain risk

Package uses dynamic code execution (e.g., eval()), which is a dangerous practice. This can prevent the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.

Found 1 instance in 1 package

Dynamic require

Supply chain risk

Dynamic require can indicate the package is performing dangerous or unsafe dynamic code execution.

Found 1 instance in 1 package

Fixed alerts

Uses eval

Supply chain risk

Package uses dynamic code execution (e.g., eval()), which is a dangerous practice. This can prevent the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

3122

increased by25.68%

Lines of code

34

increased by21.43%

Worsened metrics

Number of low supply chain risk alerts

2

increased by100%

No dependency changes