Use of eval is strongly discouraged
autoferrit opened this issue · 4 comments
I installed gray-matter to use with svelte/sapper, and once I did, I started getting this error message in my console.
> sapper dev
✔ client (1.0s)
✔ service worker (1.7s)
• server
Use of eval is strongly discouraged, as it poses security risks and may cause issues with minification
41: str = '(function() {\nreturn ' + str.trim() + ';\n}());';
42: }
43: return eval(str) || {};
^
44: } catch (err) {
45: if (wrap !== false && /(unexpected|identifier)/i.test(err.message)) {
> Listening on http://localhost:3000
The app still seems to work. But is there a way I can silence this? Or is there a way to do the same thing without using eval? As using it definitely can be a security risk.
The only way that a security issue could arise is if:
- You used the javascript engine. AND
- You let people using your service provide that input into gray-matter.
I'm not sure if there is another way to do what that engine does without eval since the purpose of the engine seems to be "evaluate javascript". I'll let @jonschlinkert comment further.
@robertmassaioli is correct. This is an opt-in feature. I don’t see how anyone would be able to abuse this unless you intentionally let them.
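An added example, not part of this thread and not gray-matter's own code: a pre-parse check for the case described above, where the input comes from people using your service. It assumes the engine is selected by a language tag right after the opening `---` (for example `---js`) and that untagged front matter is YAML; the function names and the allow-list are hypothetical.

```javascript
// Added example: reject untrusted documents whose front matter asks for
// anything other than a data-only format, before a parser ever sees them.
// Assumption: the language tag sits directly after the opening delimiter.

const ALLOWED_LANGUAGES = new Set(['yaml', 'yml', 'json']); // data only, nothing evaluated

// Returns the declared front-matter language, or null if there is no front matter.
function frontMatterLanguage(source, delimiter = '---', defaultLanguage = 'yaml') {
  const text = source.replace(/^\uFEFF/, '');        // ignore a leading BOM
  if (!text.startsWith(delimiter)) return null;      // plain document
  const firstLine = text.slice(delimiter.length).split(/\r?\n/, 1)[0];
  // "----" and longer runs are horizontal rules, not a front-matter fence.
  if (firstLine.startsWith(delimiter.slice(-1))) return null;
  const tag = firstLine.trim().toLowerCase();
  return tag === '' ? defaultLanguage : tag;
}

// Throws for any language outside the allow-list; returns the language otherwise.
function assertSafeFrontMatter(source) {
  const lang = frontMatterLanguage(source);
  if (lang !== null && !ALLOWED_LANGUAGES.has(lang)) {
    throw new Error(`front matter language "${lang}" is not allowed for untrusted input`);
  }
  return lang;
}

// Constructed sample inputs.
const samples = {
  yamlDoc: '---\ntitle: Hello\n---\nBody',
  jsonDoc: '---json\n{"title": "Hello"}\n---\nBody',
  jsDoc: '---JavaScript \r\n{ title: "Hello" }\r\n---\r\nBody',
  noFrontMatter: '# Just markdown\n',
  rule: '----\nNot front matter\n',
};

for (const [name, doc] of Object.entries(samples)) {
  try {
    console.log(name, '->', assertSafeFrontMatter(doc));
  } catch (err) {
    console.log(name, '-> rejected:', err.message);
  }
}
```

Call `assertSafeFrontMatter` on user-supplied content before handing it to the front-matter parser, and treat a thrown error as a rejected upload.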
@autoferrit, I end up using Front-matter.
Yea, that makes sense. Is there a configuration to be able to hide this?