evals
Reports uses of the eval function.
✅ This rule is included in the ts logical presets.
The `eval()` function evaluates a string as JavaScript code.
This is dangerous because it can execute arbitrary code, potentially leading to security vulnerabilities.

Using `eval()` has several problems:

- Security risks: executing untrusted code can lead to code injection attacks
- Performance issues: `eval()` prevents JavaScript engine optimizations
- Debugging difficulty: dynamically executed code is harder to debug and trace
- CSP violations: many Content Security Policies prohibit `eval()`
Examples

Reported by this rule:

```ts
const code = getUserInput();
eval(code);
```

```ts
const result = eval("2 + 2");
```

Not reported:

```ts
const data = '{"name": "John"}';
const obj = JSON.parse(data);
```

```ts
const calculate = (a: number, b: number) => a + b;
const result = calculate(2, 2);
```

Options

This rule is not configurable.
When Not To Use It

In rare cases, `eval()` may be necessary for dynamic code execution, such as in development tools or REPLs.
If you have a legitimate use case and understand the security implications, you may disable this rule for specific lines.
Consider using the `Function` constructor as a slightly safer alternative, though it still carries risks.
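Where the dynamic input is only arithmetic, as in the `eval("2 + 2")` example above, a purpose-built parser removes the need for `eval()` altogether. The following is an added example, not code from this rule's documentation or from the linter itself; the `safeArithmetic` and `tokenize` names are chosen here for illustration:

```typescript
// Added example, not part of the rule's docs or the linter's code: a recursive-descent
// evaluator so `eval("2 + 2")` can become `safeArithmetic("2 + 2")`. Only numbers,
// + - * / and parentheses are accepted; anything else throws instead of executing.
type Token = { kind: "num"; value: number } | { kind: "op"; value: string };
function tokenize(src: string): Token[] {
  const tokens: Token[] = [];
  for (let i = 0; i < src.length; ) {
    const ch = src.charAt(i);
    if (ch === " " || ch === "\t") { i++; continue; }
    if ("+-*/()".includes(ch)) { tokens.push({ kind: "op", value: ch }); i++; continue; }
    const m = /^\d+(?:\.\d+)?/.exec(src.slice(i)); // digits only: no identifiers, no calls
    if (!m) throw new SyntaxError(`Unexpected character ${JSON.stringify(ch)} at offset ${i}`);
    tokens.push({ kind: "num", value: Number(m[0]) });
    i += m[0].length;
  }
  return tokens;
}
// expr := term (("+"|"-") term)*  term := factor (("*"|"/") factor)*  factor := number | "(" expr ")" | "-" factor
function safeArithmetic(src: string): number {
  const tokens = tokenize(src);
  let pos = 0;
  function takeOp(ops: string): string | undefined {
    const t = tokens[pos];
    return t !== undefined && t.kind === "op" && ops.includes(t.value) ? (pos++, t.value) : undefined;
  }
  function expr(): number {
    let v = term();
    for (let op = takeOp("+-"); op; op = takeOp("+-")) v = op === "+" ? v + term() : v - term();
    return v;
  }
  function term(): number {
    let v = factor();
    for (let op = takeOp("*/"); op; op = takeOp("*/")) v = op === "*" ? v * factor() : v / factor();
    return v;
  }
  function factor(): number {
    if (takeOp("-")) return -factor();
    if (takeOp("(")) { const v = expr(); if (!takeOp(")")) throw new SyntaxError("Expected ')'"); return v; }
    const t = tokens[pos];
    if (t === undefined || t.kind !== "num") throw new SyntaxError(`Expected a number at token ${pos}`);
    pos++;
    return t.value;
  }
  const result = expr();
  if (pos !== tokens.length) throw new SyntaxError(`Unexpected token at position ${pos}`); // e.g. "2 2"
  return result;
}
```

Any string that is not pure arithmetic, such as `"alert(1)"`, is rejected with a `SyntaxError` before anything runs, which is the guarantee `eval()` cannot provide.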
Further Reading

Equivalents in Other Linters

- Biome: noGlobalEval
- Deno: no-eval
- ESLint: no-eval
- Oxlint: eslint/no-eval
Made with ❤️🔥 in Boston by Josh Goldberg and contributors.