static-eval
Advanced tools
The static-eval npm package is used to evaluate simple expressions at compile time or in a static context. It takes an abstract syntax tree (AST) and an optional set of variables and computes the static value of the expression.
Evaluate arithmetic expressions
This feature allows the evaluation of arithmetic expressions. The code sample demonstrates how to parse a mathematical expression into an AST and then evaluate it using static-eval.
const evaluate = require('static-eval');
const parse = require('esprima').parse;
const src = '(1 + 2) * (3 + 4)';
const ast = parse(src).body[0].expression;
const result = evaluate(ast);
console.log(result); // Outputs: 21Evaluate expressions with variables
This feature allows the evaluation of expressions that include variables. The code sample shows how to provide a set of variables to the evaluation context.
const evaluate = require('static-eval');
const parse = require('esprima').parse;
const src = 'a * b + c';
const ast = parse(src).body[0].expression;
const vars = { a: 10, b: 2, c: 5 };
const result = evaluate(ast, vars);
console.log(result); // Outputs: 25Evaluate boolean expressions
This feature allows the evaluation of boolean expressions. The code sample illustrates evaluating a boolean expression with variables.
const evaluate = require('static-eval');
const parse = require('esprima').parse;
const src = 'x > 5 && y < 10';
const ast = parse(src).body[0].expression;
const vars = { x: 6, y: 9 };
const result = evaluate(ast, vars);
console.log(result); // Outputs: truesafe-eval is a package that also evaluates code in a sandboxed environment, providing a safer alternative to the native eval() function. It is similar to static-eval but focuses on safety by creating a separate context for code execution.
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. It is more feature-rich and secure compared to static-eval, offering fine-grained control over sandboxed code execution.
mathjs is an extensive math library for JavaScript and Node.js, which can parse and evaluate mathematical expressions. It is more specialized for mathematical operations and includes a wider range of functions and constants compared to static-eval.
evaluate statically-analyzable expressions
static-eval is like eval. It is intended for use in build scripts and code transformations, doing some evaluation at build time—it is NOT suitable for handling arbitrary untrusted user input. Malicious user input can execute arbitrary code.
var evaluate = require('static-eval');
var parse = require('esprima').parse;
var src = process.argv[2];
var ast = parse(src).body[0].expression;
console.log(evaluate(ast));
If you stick to simple expressions, the result is statically analyzable:
$ node '7*8+9'
65
$ node eval.js '[1,2,3+4*5-(5*11)]'
[ 1, 2, -32 ]
but if you use statements, undeclared identifiers, or syntax, the result is no
longer statically analyzable and evaluate() returns undefined:
$ node eval.js '1+2+3*n'
undefined
$ node eval.js 'x=5; x*2'
undefined
$ node eval.js '5-4*3'
-7
You can also declare variables and functions to use in the static evaluation:
var evaluate = require('static-eval');
var parse = require('esprima').parse;
var src = '[1,2,3+4*10+n,foo(3+5),obj[""+"x"].y]';
var ast = parse(src).body[0].expression;
console.log(evaluate(ast, {
n: 6,
foo: function (x) { return x * 100 },
obj: { x: { y: 555 } }
}));
var evaluate = require('static-eval');
Evaluate the esprima-parsed abstract syntax
tree object ast with an optional collection of variables vars to use in the
static expression resolution.
If the expression contained in ast can't be statically resolved, evaluate()
returns undefined.
With npm do:
npm install static-eval
MIT
2.1.1
Update escodegen. @FabianWarnecke in #43
escodegen doesn't officially support all the Node.js versions that static-eval supports, but so far it still works on them.
This has been the case for both v1.x and v2.1.0 of escodegen, so the upgrade doesn't change that situation.
FAQs
evaluate statically-analyzable expressions
The npm package static-eval receives a total of 3,141,051 weekly downloads. As such, static-eval popularity was classified as popular.
We found that static-eval demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 39 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
Security News
NVD’s backlog surpasses 20,000 CVEs as analysis slows and NIST announces new system updates to address ongoing delays.
Security News
Research
A malicious npm package disguised as a WhatsApp client is exploiting authentication flows with a remote kill switch to exfiltrate data and destroy files.