frack-settings - npm Package Compare versions

Comparing version 0.1.7 to 0.1.8

package.json

 {
     "name": "frack-settings",
-    "version": "0.1.7",
+    "version": "0.1.8",
     "description": "Settings defaults and runtime loader from rc file",
@@ -5,0 +5,0 @@ "license": "MIT",

src/frackSettings.js

@@ -6,3 +6,3 @@ /* eslint-disable global-require */
 import deepMerge from 'deepmerge'
-import { existsSync } from 'fs'
+import { readFileSync, existsSync } from 'fs'
 import has from 'lodash/fp/has'
@@ -22,3 +22,4 @@ import { join } from 'path'
   if (existsSync(frackRcPath)) {
-    const frackRc = require(frackRcPath)
+    /* eslint-disable no-eval */
+    const frackRc = eval(readFileSync(frackRcPath).toString())
     const hasCommon = has('common')
@@ -25,0 +26,0 @@ const hasDevelopment = has('development')

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Uses eval

Supply chain risk

Package uses dynamic code execution (e.g., eval()), which is a dangerous practice. This can prevent the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Dynamic require

Supply chain risk

Dynamic require can indicate the package is performing dangerous or unsafe dynamic code execution.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

212594

increased by0.06%

Lines of code

6210

increased by0.02%

Number of low supply chain risk alerts

7

decreased by-30%

Worsened metrics

Number of medium supply chain risk alerts

5

increased by150%

No dependency changes