Socket
Socket
Sign inDemoInstall

static-eval

Package Overview
Dependencies
1
Maintainers
38
Versions
19
Alerts
File Explorer

Advanced tools

npm Scripts
License

Install Socket

Detect and block malicious and high-risk dependencies

Install

static-eval

Version published
Maintainers
38
Created

Package description

What is static-eval?

The static-eval npm package is used to evaluate simple expressions at compile time or in a static context. It takes an abstract syntax tree (AST) and an optional set of variables and computes the static value of the expression.

What are static-eval's main functionalities?

Evaluate arithmetic expressions

This feature allows the evaluation of arithmetic expressions. The code sample demonstrates how to parse a mathematical expression into an AST and then evaluate it using static-eval.

const evaluate = require('static-eval');
const parse = require('esprima').parse;
const src = '(1 + 2) * (3 + 4)';
const ast = parse(src).body[0].expression;
const result = evaluate(ast);
console.log(result); // Outputs: 21

Evaluate expressions with variables

This feature allows the evaluation of expressions that include variables. The code sample shows how to provide a set of variables to the evaluation context.

const evaluate = require('static-eval');
const parse = require('esprima').parse;
const src = 'a * b + c';
const ast = parse(src).body[0].expression;
const vars = { a: 10, b: 2, c: 5 };
const result = evaluate(ast, vars);
console.log(result); // Outputs: 25

Evaluate boolean expressions

This feature allows the evaluation of boolean expressions. The code sample illustrates evaluating a boolean expression with variables.

const evaluate = require('static-eval');
const parse = require('esprima').parse;
const src = 'x > 5 && y < 10';
const ast = parse(src).body[0].expression;
const vars = { x: 6, y: 9 };
const result = evaluate(ast, vars);
console.log(result); // Outputs: true

Other packages similar to static-eval

    safe-eval

    safe-eval is a package that also evaluates code in a sandboxed environment, providing a safer alternative to the native eval() function. It is similar to static-eval but focuses on safety by creating a separate context for code execution.

    vm2

    vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. It is more feature-rich and secure compared to static-eval, offering fine-grained control over sandboxed code execution.

    mathjs

    mathjs is an extensive math library for JavaScript and Node.js, which can parse and evaluate mathematical expressions. It is more specialized for mathematical operations and includes a wider range of functions and constants compared to static-eval.

Readme

Source

static-eval

evaluate statically-analyzable expressions

testling badge

build status

security

static-eval is like eval. It is intended for use in build scripts and code transformations, doing some evaluation at build time—it is NOT suitable for handling arbitrary untrusted user input. Malicious user input can execute arbitrary code.

example

var evaluate = require('static-eval');
var parse = require('esprima').parse;

var src = process.argv[2];
var ast = parse(src).body[0].expression;

console.log(evaluate(ast));

If you stick to simple expressions, the result is statically analyzable:

$ node '7*8+9'
65
$ node eval.js '[1,2,3+4*5-(5*11)]'
[ 1, 2, -32 ]

but if you use statements, undeclared identifiers, or syntax, the result is no longer statically analyzable and evaluate() returns undefined:

$ node eval.js '1+2+3*n'
undefined
$ node eval.js 'x=5; x*2'
undefined
$ node eval.js '5-4*3'
-7

You can also declare variables and functions to use in the static evaluation:

var evaluate = require('static-eval');
var parse = require('esprima').parse;

var src = '[1,2,3+4*10+n,foo(3+5),obj[""+"x"].y]';
var ast = parse(src).body[0].expression;

console.log(evaluate(ast, {
    n: 6,
    foo: function (x) { return x * 100 },
    obj: { x: { y: 555 } }
}));

methods

var evaluate = require('static-eval');

evaluate(ast, vars={})

Evaluate the esprima-parsed abstract syntax tree object ast with an optional collection of variables vars to use in the static expression resolution.

If the expression contained in ast can't be statically resolved, evaluate() returns undefined.

install

With npm do:

npm install static-eval

license

MIT

Keywords

FAQs

Last updated on 26 Feb 2019

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

Unverified npm Account Takeover Vulnerability For Sale on Dark Web Forum

Security News

Unverified npm Account Takeover Vulnerability For Sale on Dark Web Forum

A threat actor on BreachForums is selling an unverified npm vulnerability for account takeover, but npm has not officially confirmed the existence of this security concern.

By Sarah Gooding  -  Jul 06, 2024
Cyber Insurance Market Projected to Reach $43 Billion by 2030

Security News

Cyber Insurance Market Projected to Reach $43 Billion by 2030

Cyber insurance rates are dropping as the market matures, according to a new report projecting global premiums to reach $43 billion by 2030, driven by international market uptake and growth in the SME sector.

By Sarah Gooding  -  Jul 04, 2024
SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap

About

Packages

Stay in touch

Get open source security insights delivered straight into your inbox.

  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc