Security News
tea.xyz Spam Plagues npm and RubyGems Package Registries
Tea.xyz, a crypto project aimed at rewarding open source contributions, is once again facing backlash due to an influx of spam packages flooding public package registries.
eval2
Sometimes you need to use generated code in your app. But sometimes that generated code has syntax errors in it, which causes an error to be thrown:
    code =
      'function add ( a, b ) {\n' +
      ' return a _ b;\n' + // oops! fat finger. we meant `+`, not `_`
      '}';
    add = eval( '(' + code + ')' ); // 'SyntaxError: Unexpected identifier'
But where is the syntax error? In this case it's obvious, but imagine the code has dozens of lines. Maybe it won't be so obvious then. The stack trace will include the call to eval, but not the line of code that contained the error.
The same is true of new Function():
    var add = new Function( 'a', 'b', 'return a _ b' );
eval2.js fixes this problem. In modern browsers, the code is converted to a data URI and inserted via a <script> tag. In node.js, a temporary module is created. In both cases, any syntax errors that are thrown will include the offending code in the stack trace.
Install with npm...
    $ npm i eval2
...or bower...
    $ bower i eval2
...or grab a copy of eval2.js and include it in your app (works as AMD or node.js module, or as browser global).
    var eval2 = require( 'eval2' );
    var code =
      'function add ( a, b ) {\n' +
      ' return a _ b;\n' +
      '}';
    eval2( '(' + code + ')' );

    // You can optionally pass in a sourceURL which will be used
    // for debugging where possible...
    eval2( '(' + code + ')', {
      sourceURL: 'add.js'
    });

    // ...or, if you're really fancy, a dynamic source map
    // (see http://kybernetikos.github.io/jsSandbox/srcmaps/dynamic.html)
    eval2( '(' + code + ')', {
      sourceMap: { version: 3, ... }
    });
In browsers, you'll get an Uncaught SyntaxError message printed to the console, with a link pointing to the offending line of code. Note that you can't capture this stack trace programmatically - the error will be thrown asynchronously (because code added via a dynamic <script> element always executes asynchronously), so you must inspect the code via the console.
In node.js, the code itself will be printed to the console, along with the error.
You can also create functions using eval2.Function - this behaves similarly to new Function():
    // If the function body contains a syntax error, eval2 will
    // reveal it:
    var add = new eval2.Function( 'a', 'b', 'return a + b' );
You can pass an options object as the final argument:
    var add = new eval2.Function( 'a', 'b', 'return a + b', { sourceMap: { version: 3, ... } });
The line numbers in node.js error reports will be 1 greater than the actual line number; this is because the code is wrapped in an anonymous function.
Unlike the standard eval, code executed with eval2 will always be executed in the global scope:
    (function () {
      // this works...
      var answer = 42;
      eval( 'alert(answer)' );

      // ...but this won't, because `answer` doesn't exist
      // in the global scope
      eval2( 'alert(answer)' );
    }());
node-syntax-error by substack finds syntax errors in node programs by attempting to parse them with esprima.
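When generated code only needs to be checked, not run, the syntax error can be located without executing anything. The following is an added example, not part of eval2 or node-syntax-error: it assumes Node.js and its built-in vm module, and the names findSyntaxError and generated-code.js are hypothetical.

```javascript
// Added example, not part of eval2. Assumes Node.js (built-in vm module).
var vm = require( 'vm' );

// Compile `code` without executing it. Returns null when it parses, or
// { message, line, source } describing the first syntax error.
// `findSyntaxError` and the default file name are hypothetical names.
function findSyntaxError ( code, sourceURL ) {
  var filename = sourceURL || 'generated-code.js';
  try {
    // new vm.Script() only compiles; nothing runs until a run*() method is called
    new vm.Script( code, { filename: filename } );
    return null;
  } catch ( err ) {
    if ( !err || err.name !== 'SyntaxError' ) throw err;
    // Node prefixes the stack of a compile error with "<filename>:<line>"
    var escaped = filename.replace( /[.*+?^${}()|[\]\\]/g, '\\$&' );
    var match = new RegExp( escaped + ':(\\d+)' ).exec( String( err.stack ) );
    var line = match ? parseInt( match[1], 10 ) : null;
    return {
      message: err.message,
      line: line,
      source: line ? code.split( '\n' )[ line - 1 ] : null
    };
  }
}

// Constructed sample input: the broken generated function from the README
var broken =
  'function add ( a, b ) {\n' +
  ' return a _ b;\n' +
  '}';
var report = findSyntaxError( '(' + broken + ')', 'add.js' );
if ( report ) {
  console.log( 'add.js:' + report.line + ' ' + report.message );
  console.log( report.source );
}
```

Because the code is only compiled, input from an untrusted generator has no side effects here, whereas eval2 runs the code in the global scope once it parses.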
Issues, pull requests and feedback welcome. I'm @Rich_Harris on Twitter.
@martypdx figured out how to dynamically generate modules in node.js.
MIT.
FAQs
Replacement for eval that reveals the location of syntax errors
The npm package eval2 receives a total of 27 weekly downloads. As such, eval2 popularity was classified as not popular.
We found that eval2 demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.