functionNewCalls
Reports using the Function constructor to create functions from strings.
✅ This rule is included in the ts logical preset.
Using the Function constructor to create functions from strings is similar to eval() and introduces security risks and performance issues.
Code passed to the Function constructor is executed in the global scope, making it harder to optimize and potentially allowing arbitrary code execution if user input is involved.
Examples
```ts
// Reported by this rule: functions built from strings.
const add = new Function("a", "b", "return a + b");
const multiply = Function("x", "y", "return x * y");
const greet = new globalThis.Function("name", "return 'Hello, ' + name");
```
```ts
// Not reported: the same functions written as ordinary code.
const add = function (a, b) {
  return a + b;
};
const multiply = (x, y) => x * y;
function greet(name) {
  return "Hello, " + name;
}
```
Options
This rule is not configurable.
When Not To Use It
If you have a legitimate need to dynamically generate functions from strings at runtime and have properly sanitized all inputs, you might choose to disable this rule. However, in most cases there are safer alternatives to achieve the same goal.
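One such safer alternative, as an added example that is not part of the rule's documentation or the project's code: user-supplied arithmetic is parsed into closures instead of being passed to the Function constructor, so anything outside the grammar or the name allowlist is rejected before it can run. The names `tokenize` and `compileExpression`, the grammar (numbers, names, `+ - * /`, parentheses) and the sample inputs are assumptions made for illustration.

```javascript
// Split the input into number, name and operator tokens; any other character is rejected.
function tokenize(source) {
  const text = source.trim();
  const pattern = /\s*(?:(\d+(?:\.\d+)?)|([A-Za-z_]\w*)|([-+*/()]))/y;
  const tokens = [];
  while (pattern.lastIndex < text.length) {
    const offset = pattern.lastIndex; // a failed sticky match resets lastIndex, so save it
    const match = pattern.exec(text);
    if (!match) throw new SyntaxError(`Unexpected character at offset ${offset}`);
    if (match[1] !== undefined) tokens.push({ type: "number", value: Number(match[1]) });
    else if (match[2] !== undefined) tokens.push({ type: "name", value: match[2] });
    else tokens.push({ type: "op", value: match[3] });
  }
  return tokens;
}

// Compile the expression into a closure (vars) => number without Function or eval.
function compileExpression(source, allowedNames) {
  const tokens = tokenize(source);
  let pos = 0;
  const isOp = (...ops) => tokens[pos]?.type === "op" && ops.includes(tokens[pos].value);

  function primary() {
    const token = tokens[pos++];
    if (token?.type === "number") return () => token.value;
    if (token?.type === "name") {
      // Only names on the caller's allowlist resolve; globals are never reachable.
      if (!allowedNames.includes(token.value)) throw new ReferenceError(`Name not allowed: ${token.value}`);
      return (vars) => Number(vars[token.value]);
    }
    if (token?.type === "op" && token.value === "(") {
      const inner = sum();
      if (!isOp(")")) throw new SyntaxError("Expected )");
      pos++;
      return inner;
    }
    throw new SyntaxError("Expected a number, a name or (");
  }
  // Left-associative binary operators at one precedence level.
  function binary(next, ops) {
    let left = next();
    while (isOp(...Object.keys(ops))) {
      const apply = ops[tokens[pos++].value], l = left, r = next();
      left = (vars) => apply(l(vars), r(vars));
    }
    return left;
  }
  const product = () => binary(primary, { "*": (a, b) => a * b, "/": (a, b) => a / b });
  const sum = () => binary(product, { "+": (a, b) => a + b, "-": (a, b) => a - b });
  const compiled = sum();
  if (pos < tokens.length) throw new SyntaxError("Unexpected trailing input");
  return compiled;
}
```

Input such as `process.exit(1)` fails in the tokenizer at the `.`, and a bare `globalThis` fails the allowlist check, so neither reaches an execution step.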
Further Reading
Equivalents in Other Linters
- ESLint: no-new-func
- Oxlint: eslint/no-new-func
Made with ❤️🔥 in Boston by
Josh Goldberg and contributors.