Backend safety

no-eval

Flag `eval()`, `new Function(...)`, `vm.runInNewContext`, and string-arg timers.

Catches the full arbitrary-code-execution surface: bare `eval`, `new Function(body)`, `vm.runInNewContext`/`runInThisContext`/`runInContext`, plus the string-arg form of `setTimeout`/`setInterval`, where the string is compiled and executed as code exactly as `eval` would. The `vm` module is not a security boundary — code run in a `vm` context can still reach the host process, so do not rely on it to "sandbox" untrusted input.
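To make the detection surface concrete, here is an added example (not the plugin's own implementation, which works on the ESLint AST) of a simplified, regex-based scanner that flags the same call sites on line-oriented source. The sample source at the bottom is constructed for the example; `findEvalSinks` and the pattern names are assumptions of this illustration.

```javascript
// Added example: simplified, line-oriented scanner for the sinks no-eval targets.
// The real rule inspects the AST; this regex version only illustrates the surface.
const SINK_PATTERNS = [
  { name: 'eval',                 re: /\beval\s*\(/ },
  { name: 'new Function',         re: /\bnew\s+Function\s*\(/ },
  { name: 'vm.runInNewContext',   re: /\bvm\.runInNewContext\s*\(/ },
  { name: 'vm.runInThisContext',  re: /\bvm\.runInThisContext\s*\(/ },
  { name: 'vm.runInContext',      re: /\bvm\.runInContext\s*\(/ },
  // String-arg timers: the first argument is a string literal, not a function,
  // so the runtime compiles and runs it as code.
  { name: 'setTimeout(string)',   re: /\bsetTimeout\s*\(\s*['"`]/ },
  { name: 'setInterval(string)',  re: /\bsetInterval\s*\(\s*['"`]/ },
];

// Returns one finding per (line, sink) pair: { line, sink, text }.
function findEvalSinks(source) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    for (const { name, re } of SINK_PATTERNS) {
      if (re.test(text)) {
        findings.push({ line: idx + 1, sink: name, text: text.trim() });
      }
    }
  });
  return findings;
}

// Constructed sample source (not from the page) mixing flagged and clean lines.
const SAMPLE = [
  "const result = eval(req.body.expr);",             // 1: flagged
  "const fn = new Function('a', 'return a * 2');",   // 2: flagged
  "vm.runInNewContext(userCode, {});",               // 3: flagged
  "setTimeout('doWork()', 100);",                    // 4: flagged (string arg)
  "setTimeout(() => doWork(), 100);",                // 5: clean (function arg)
  "const safe = evaluateInSandbox(req.body.expr);",  // 6: clean (not `eval(`)
  "const t = vm.runInThisContext(`x = ${n}`);",      // 7: flagged
].join('\n');

function demo() {
  return findEvalSinks(SAMPLE);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of demo()) console.log(`${f.line}: ${f.sink}  ${f.text}`);
}
```

The word boundary plus the trailing `(` is what keeps `evaluateInSandbox(` on line 6 from being reported as `eval`; a real rule resolves the callee on the AST instead and is not fooled by aliasing or whitespace tricks, which this regex version is.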

Behavior

  • Fixable: No.
  • Suggestions: No.

Examples

Bad:

const result = eval(req.body.expr);

Good:

const result = evaluateInSandbox(req.body.expr);
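The page's "Good" line assumes some `evaluateInSandbox` that never hands the input to the JavaScript engine. As an added example (not code from the plugin or the page), here is one shape such a function can take: a purpose-built evaluator for a small arithmetic grammar (numbers, `+ - * /`, parentheses, unary minus) that allow-lists what it understands and rejects everything else. The grammar, the length limit and the helper names are assumptions of this illustration.

```javascript
// Added example: a stand-in for the page's `evaluateInSandbox` placeholder.
// It parses a fixed arithmetic grammar itself, so user input is never compiled
// as JavaScript. Anything outside the grammar is rejected, not executed.
function evaluateInSandbox(expr) {
  if (typeof expr !== 'string' || expr.length > 256) {
    throw new Error('expression must be a string of at most 256 characters');
  }
  const tokens = tokenize(expr);
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];

  // expr := term (('+' | '-') term)*
  function parseExpr() {
    let value = parseTerm();
    while (peek() === '+' || peek() === '-') {
      const op = next();
      const rhs = parseTerm();
      value = op === '+' ? value + rhs : value - rhs;
    }
    return value;
  }

  // term := factor (('*' | '/') factor)*
  function parseTerm() {
    let value = parseFactor();
    while (peek() === '*' || peek() === '/') {
      const op = next();
      const rhs = parseFactor();
      if (op === '/' && rhs === 0) throw new Error('division by zero');
      value = op === '*' ? value * rhs : value / rhs;
    }
    return value;
  }

  // factor := number | '(' expr ')' | '-' factor
  function parseFactor() {
    const tok = next();
    if (tok === undefined) throw new Error('unexpected end of expression');
    if (tok === '-') return -parseFactor();
    if (tok === '(') {
      const value = parseExpr();
      if (next() !== ')') throw new Error('expected )');
      return value;
    }
    if (typeof tok === 'number') return tok;
    throw new Error(`unexpected token ${JSON.stringify(tok)}`);
  }

  const result = parseExpr();
  if (pos !== tokens.length) throw new Error('trailing input');
  return result;
}

// Tokenizer: numbers become JS numbers, operators and parens stay single-char
// strings, whitespace is skipped, and any other character is rejected up front.
function tokenize(expr) {
  const s = expr.trim();
  const tokens = [];
  const re = /\s*(?:(\d+(?:\.\d+)?)|([-+*/()]))/y;
  let idx = 0;
  while (idx < s.length) {
    re.lastIndex = idx;
    const m = re.exec(s);
    if (!m) throw new Error(`illegal character at offset ${idx}`);
    idx = re.lastIndex;
    if (m[1] !== undefined) tokens.push(Number(m[1]));
    else tokens.push(m[2]);
  }
  return tokens;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(evaluateInSandbox('(1 + 2) * -3'));       // -9
  try { evaluateInSandbox('process.exit(1)'); } catch (e) { console.log(e.message); }
}
```

The design choice worth copying is the direction of the check: instead of trying to deny dangerous substrings before calling `eval`, the evaluator only accepts tokens it has a rule for, so an input like `process.exit(1)` fails at the tokenizer rather than reaching any interpreter.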

Use it

Enable no-eval in your eslint.config.js:

import deslint from '@deslint/eslint-plugin';

export default [
  {
    plugins: { deslint },
    rules: {
      'deslint/no-eval': 'error',
    },
  },
];
