Research
Security News
Malicious npm Package Targets Solana Developers and Hijacks Funds
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
static-eval
Advanced tools
The static-eval npm package is used to evaluate simple expressions at compile time or in a static context. It takes an abstract syntax tree (AST) and an optional set of variables and computes the static value of the expression.
Evaluate arithmetic expressions
This feature allows the evaluation of arithmetic expressions. The code sample demonstrates how to parse a mathematical expression into an AST and then evaluate it using static-eval.
const evaluate = require('static-eval');
const parse = require('esprima').parse;
const src = '(1 + 2) * (3 + 4)';
const ast = parse(src).body[0].expression;
const result = evaluate(ast);
console.log(result); // Outputs: 21
Evaluate expressions with variables
This feature allows the evaluation of expressions that include variables. The code sample shows how to provide a set of variables to the evaluation context.
const evaluate = require('static-eval');
const parse = require('esprima').parse;
const src = 'a * b + c';
const ast = parse(src).body[0].expression;
const vars = { a: 10, b: 2, c: 5 };
const result = evaluate(ast, vars);
console.log(result); // Outputs: 25
Evaluate boolean expressions
This feature allows the evaluation of boolean expressions. The code sample illustrates evaluating a boolean expression with variables.
const evaluate = require('static-eval');
const parse = require('esprima').parse;
const src = 'x > 5 && y < 10';
const ast = parse(src).body[0].expression;
const vars = { x: 6, y: 9 };
const result = evaluate(ast, vars);
console.log(result); // Outputs: true
safe-eval is a package that also evaluates code in a sandboxed environment, providing a safer alternative to the native eval() function. It is similar to static-eval but focuses on safety by creating a separate context for code execution.
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. It is more feature-rich and secure compared to static-eval, offering fine-grained control over sandboxed code execution.
mathjs is an extensive math library for JavaScript and Node.js, which can parse and evaluate mathematical expressions. It is more specialized for mathematical operations and includes a wider range of functions and constants compared to static-eval.
evaluate statically-analyzable expressions
static-eval is like eval
. It is intended for use in build scripts and code transformations, doing some evaluation at build time—it is NOT suitable for handling arbitrary untrusted user input. Malicious user input can execute arbitrary code.
var evaluate = require('static-eval');
var parse = require('esprima').parse;
var src = process.argv[2];
var ast = parse(src).body[0].expression;
console.log(evaluate(ast));
If you stick to simple expressions, the result is statically analyzable:
$ node '7*8+9'
65
$ node eval.js '[1,2,3+4*5-(5*11)]'
[ 1, 2, -32 ]
but if you use statements, undeclared identifiers, or syntax, the result is no
longer statically analyzable and evaluate()
returns undefined
:
$ node eval.js '1+2+3*n'
undefined
$ node eval.js 'x=5; x*2'
undefined
$ node eval.js '5-4*3'
-7
You can also declare variables and functions to use in the static evaluation:
var evaluate = require('static-eval');
var parse = require('esprima').parse;
var src = '[1,2,3+4*10+n,foo(3+5),obj[""+"x"].y]';
var ast = parse(src).body[0].expression;
console.log(evaluate(ast, {
n: 6,
foo: function (x) { return x * 100 },
obj: { x: { y: 555 } }
}));
var evaluate = require('static-eval');
Evaluate the esprima-parsed abstract syntax
tree object ast
with an optional collection of variables vars
to use in the
static expression resolution.
If the expression contained in ast
can't be statically resolved, evaluate()
returns undefined.
With npm do:
npm install static-eval
MIT
2.1.1
Update escodegen
. @FabianWarnecke in #43
escodegen doesn't officially support all the Node.js versions that static-eval
supports, but so far it still works on them.
This has been the case for both v1.x and v2.1.0 of escodegen, so the upgrade doesn't change that situation.
FAQs
evaluate statically-analyzable expressions
The npm package static-eval receives a total of 2,864,769 weekly downloads. As such, static-eval popularity was classified as popular.
We found that static-eval demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 39 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
Security News
Research
Socket researchers have discovered malicious npm packages targeting crypto developers, stealing credentials and wallet data using spyware delivered through typosquats of popular cryptographic libraries.
Security News
Socket's package search now displays weekly downloads for npm packages, helping developers quickly assess popularity and make more informed decisions.