Security News
Crates.io Implements Trusted Publishing Support
Crates.io adds Trusted Publishing support, enabling secure GitHub Actions-based crate releases without long-lived API tokens.
By Sarah Gooding - Jul 16, 2025
You're Invited:Meet the Socket Team at BlackHat and DEF CON in Las Vegas, Aug 4-6.RSVP →
static-eval
Advanced tools
What is static-eval?
The static-eval npm package is used to evaluate simple expressions at compile time or in a static context. It takes an abstract syntax tree (AST) and an optional set of variables and computes the static value of the expression.
What are static-eval's main functionalities?
Evaluate arithmetic expressions
This feature allows the evaluation of arithmetic expressions. The code sample demonstrates how to parse a mathematical expression into an AST and then evaluate it using static-eval.
const evaluate = require('static-eval');
const parse = require('esprima').parse;
const src = '(1 + 2) * (3 + 4)';
const ast = parse(src).body[0].expression;
const result = evaluate(ast);
console.log(result); // Outputs: 21Evaluate expressions with variables
This feature allows the evaluation of expressions that include variables. The code sample shows how to provide a set of variables to the evaluation context.
const evaluate = require('static-eval');
const parse = require('esprima').parse;
const src = 'a * b + c';
const ast = parse(src).body[0].expression;
const vars = { a: 10, b: 2, c: 5 };
const result = evaluate(ast, vars);
console.log(result); // Outputs: 25Evaluate boolean expressions
This feature allows the evaluation of boolean expressions. The code sample illustrates evaluating a boolean expression with variables.
const evaluate = require('static-eval');
const parse = require('esprima').parse;
const src = 'x > 5 && y < 10';
const ast = parse(src).body[0].expression;
const vars = { x: 6, y: 9 };
const result = evaluate(ast, vars);
console.log(result); // Outputs: trueOther packages similar to static-eval
safe-eval
safe-eval is a package that also evaluates code in a sandboxed environment, providing a safer alternative to the native eval() function. It is similar to static-eval but focuses on safety by creating a separate context for code execution.
vm2
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. It is more feature-rich and secure compared to static-eval, offering fine-grained control over sandboxed code execution.
mathjs
mathjs is an extensive math library for JavaScript and Node.js, which can parse and evaluate mathematical expressions. It is more specialized for mathematical operations and includes a wider range of functions and constants compared to static-eval.
static-eval
evaluate statically-analyzable expressions
security
static-eval is like eval. It is intended for use in build scripts and code transformations, doing some evaluation at build time—it is NOT suitable for handling arbitrary untrusted user input. Malicious user input can execute arbitrary code.
example
var evaluate = require('static-eval');
var parse = require('esprima').parse;
var src = process.argv[2];
var ast = parse(src).body[0].expression;
console.log(evaluate(ast));
If you stick to simple expressions, the result is statically analyzable:
$ node '7*8+9'
65
$ node eval.js '[1,2,3+4*5-(5*11)]'
[ 1, 2, -32 ]
but if you use statements, undeclared identifiers, or syntax, the result is no
longer statically analyzable and evaluate() returns undefined:
$ node eval.js '1+2+3*n'
undefined
$ node eval.js 'x=5; x*2'
undefined
$ node eval.js '5-4*3'
-7
You can also declare variables and functions to use in the static evaluation:
var evaluate = require('static-eval');
var parse = require('esprima').parse;
var src = '[1,2,3+4*10+n,foo(3+5),obj[""+"x"].y]';
var ast = parse(src).body[0].expression;
console.log(evaluate(ast, {
n: 6,
foo: function (x) { return x * 100 },
obj: { x: { y: 555 } }
}));
methods
var evaluate = require('static-eval');
evaluate(ast, vars={})
Evaluate the esprima-parsed abstract syntax
tree object ast with an optional collection of variables vars to use in the
static expression resolution.
If the expression contained in ast can't be statically resolved, evaluate()
returns undefined.
install
With npm do:
npm install static-eval
license
MIT
2.1.1
-
Update
escodegen. @FabianWarnecke in #43escodegen doesn't officially support all the Node.js versions that
static-evalsupports, but so far it still works on them. This has been the case for both v1.x and v2.1.0 of escodegen, so the upgrade doesn't change that situation.
FAQs
evaluate statically-analyzable expressions
The npm package static-eval receives a total of 3,548,216 weekly downloads. As such, static-eval popularity was classified as popular.
We found that static-eval demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 39 open source maintainers collaborating on the project.
Package last updated on 01 Jan 2024
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Research
/Security News
Tracking Protestware Spread: 28 npm Packages Affected by Payload Targeting Russian-Language Users
Undocumented protestware found in 28 npm packages disrupts UI for Russian-language users visiting Russian and Belarusian domains.
By Olivia Brown - Jul 15, 2025
Research
/Security News
Contagious Interview Campaign Escalates With 67 Malicious npm Packages and New Malware Loader
North Korean threat actors deploy 67 malicious npm packages using the newly discovered XORIndex malware loader.
By Kirill Boychenko - Jul 14, 2025