{"id":24503986,"url":"https://github.com/0no-co/evalish","last_synced_at":"2026-03-27T04:52:56.910Z","repository":{"id":45762655,"uuid":"514418823","full_name":"0no-co/evalish","owner":"0no-co","description":"A maybe slightly safer-ish wrapper around eval Function constructors","archived":false,"fork":false,"pushed_at":"2022-07-19T23:15:22.000Z","size":75,"stargazers_count":26,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-03-27T20:23:16.352Z","etag":null,"topics":["eval","javascript"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/0no-co.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-07-15T22:18:39.000Z","updated_at":"2024-07-06T01:40:58.000Z","dependencies_parsed_at":"2022-08-29T15:11:44.658Z","dependency_job_id":null,"html_url":"https://github.com/0no-co/evalish","commit_stats":null,"previous_names":["kitten/evalish"],"tags_count":7,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0no-co%2Fevalish","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0no-co%2Fevalish/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0no-co%2Fevalish/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0no-co%2Fevalish/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/0no-co","download_url":"https://codeload.github.com/0no-co/evalish/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositor
ies_count":248837263,"owners_count":21169373,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["eval","javascript"],"created_at":"2025-01-21T23:19:23.847Z","updated_at":"2026-03-27T04:52:56.871Z","avatar_url":"https://github.com/0no-co.png","language":"TypeScript","readme":"\u003cdiv align=\"center\"\u003e\n  \u003ch2 align=\"center\" aria-label=\"evalish\"\u003eeval\u003ci\u003eish\u003c/i\u003e\u003c/h2\u003e\n  \u003cp align=\"center\"\u003e\u003cstrong\u003eA maybe slightly safer-ish wrapper around eval Function constructors\u003c/strong\u003e\u003c/p\u003e\n  \u003cp align=\"center\"\u003e\u003ci\u003ePlease maybe try something else first.. Please.\u003c/i\u003e\u003c/p\u003e\n  \u003cbr /\u003e\n  \u003ca href=\"https://npmjs.com/package/evalish\"\u003e\n    \u003cimg alt=\"NPM Version\" src=\"https://img.shields.io/npm/v/evalish.svg\" /\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://npmjs.com/package/evalish\"\u003e\n    \u003cimg alt=\"License\" src=\"https://img.shields.io/npm/l/evalish.svg\" /\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://bundlephobia.com/result?p=evalish\"\u003e\n    \u003cimg alt=\"Minified gzip size\" src=\"https://img.shields.io/bundlephobia/minzip/evalish.svg?label=gzip%20size\" /\u003e\n  \u003c/a\u003e\n  \u003cbr /\u003e\n  \u003cbr /\u003e\n\u003c/div\u003e\n\n`evalish` is a small helper library that only exports a wrapper for the Function constructor: `SafeFunction`.\n\nThe `SafeFunction` constructor allows you to evaluate code and dynamically create a new function. 
In most environments,\nwhich at least don't have their CSP configured to disallow this, this will give you a fully executable function based\non a string. As `Function` by default is a little safer than `eval` and runs everything in the global context,\n`SafeFunction` goes a step further and attempts to isolate the environment as much as possible.\n\nIt only does three simple things:\n- Isolates the [global object](https://developer.mozilla.org/en-US/docs/Glossary/Global_object) and uses a separate object using a `with` statement\n- Wraps all passed through globals, like `Array`, in a recursive masking object that disallows access to object prototype properties\n- In the browser: Creates an `iframe` element and uses that frame's globals instead to prevent prototype pollution.\n\nIf you haven't run away screaming yet, maybe that's what you're looking for. Just a bit more safety.\nBut really, I wrote this just for fun and I haven't written any tests yet and neither have I tested all edge cases.\nThe export being named `SafeFunction` is really just ambitious.\n\n[**However, if you found a way to break out of `SafeFunction` and did something to the outside JS environment, let me\nknow and file an issue.**](https://github.com/kitten/evalish/issues/new)\nI'm curious to see how far `evalish` would have to go to fully faux-isolate eval'ed code!\n\n## Usage\n\nFirst install `evalish` alongside `react`:\n\n```sh\nyarn add evalish\n# or\nnpm install --save evalish\n```\n\nYou'll then be able to import `SafeFunction` and pass it argument names and code,\n[just like the regular `Function` constructor](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function/Function).\n\n```js\nimport { SafeFunction } from 'evalish';\n\nnew SafeFunction('a', 'b', 'return a + b')(1, 2); // returns `3`\nnew SafeFunction('return window')(); // returns `undefined`\nnew SafeFunction('return Array.isArray.constructor')(); // returns 
`undefined`\n```\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0no-co%2Fevalish","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F0no-co%2Fevalish","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0no-co%2Fevalish/lists"}