 

How do I prevent dynamic code loading via eval in nodejs?

Is there any way to prevent the use of eval and friends in nodejs code? It has been used by at least a couple of the npm malicious packages, and there is no reason for me to use it in my current project.

The fact that the unsafe-eval CSP declaration exists implies that it should be possible at the V8 level, but as far as I can tell, node doesn't expose this functionality. (if I had my way, banning eval would be the default...) I know the no-eval eslint rule exists, which is a good start, but I'm looking for something with runtime guarantees that includes node_modules as well.

asked Mar 06 '26 by polson136
1 Answer

I believe you should be able to achieve what you're looking for using the --disallow-code-generation-from-strings command line option, or by setting the equivalent flag via NODE_OPTIONS (supported in V12.16.0 and later).

answered Mar 08 '26 by Brandon Paddock


