{"id":14565,"library":"eval","title":"Node.js Module Content Evaluator","description":"The `eval` package for Node.js provides a mechanism to evaluate JavaScript code strings as if they were standalone modules loaded via `require()`, but without necessitating a file path. It leverages Node.js's built-in `vm` module to create a sandboxed environment for execution. This allows developers to programmatically load and execute module content from non-standard locations or inject custom contexts and scopes into the evaluated code. A key feature is the ability to control access to global variables, including `require()` itself, through an `includeGlobals` option. The package is currently at version 0.1.8, indicating a very mature or, more likely, an inactive development status. Its release cadence is effectively dormant. It differentiates itself from a simple `eval()` by mimicking Node's module loading environment, making it suitable for scenarios requiring dynamic module-like code execution within a controlled environment.","status":"abandoned","version":"0.1.8","language":"javascript","source_language":"en","source_url":"git://github.com/pierrec/node-eval","tags":["javascript","require","eval","vm","module","typescript"],"install":[{"cmd":"npm install eval","lang":"bash","label":"npm"},{"cmd":"yarn add eval","lang":"bash","label":"yarn"},{"cmd":"pnpm add eval","lang":"bash","label":"pnpm"}],"dependencies":[],"imports":[{"note":"This package is CommonJS-only, reflecting its development era (Node.js >= 0.8). ESM import syntax is not supported.","wrong":"import _eval from 'eval'","symbol":"_eval","correct":"const _eval = require('eval')"}],"quickstart":{"code":"const _eval = require('eval');\n\n// Example 1: Evaluate a simple assignment and export\nlet res1 = _eval('var x = 123; exports.x = x');\nconsole.log('Result 1 (simple export):', res1); // Expected: { x: 123 }\n\n// Example 2: Evaluate a function export\nlet res2 = _eval('module.exports = function () { return 456 }');\nconsole.log('Result 2 (function export call):', res2()); // Expected: 456\n\n// Example 3: Evaluate with global access (e.g., process)\n// Note: The `true` argument enables `includeGlobals`.\nlet res3 = _eval('exports.pid = process.pid', 'dummy.js', {}, true);\nconsole.log('Result 3 (process.pid):', res3.pid); // Expected: current process ID\n\n// Example 4: Evaluate with a custom scope\nlet customScope = { myVar: 'hello world' };\nlet res4 = _eval('exports.message = `The var is ${myVar}`', 'scope.js', customScope);\nconsole.log('Result 4 (custom scope):', res4.message); // Expected: \"The var is hello world\"","lang":"javascript","description":"Demonstrates evaluating JavaScript code strings as modules, including exporting values, functions, accessing Node.js globals, and providing custom scopes."},"warnings":[{"fix":"Consider migrating to more actively maintained packages or Node.js's native `vm` module if sandboxing is required.","message":"The package is effectively abandoned (version 0.1.8, last commit likely from 2013-2014 based on common Node.js ecosystem patterns of the time). This implies no future bug fixes, security patches, or compatibility updates for newer Node.js versions, which could lead to unexpected behavior or security issues.","severity":"breaking","affected_versions":">=0.1.8"},{"fix":"Only set `includeGlobals` to `true` when evaluating trusted code. Carefully review the implications of exposing globals to untrusted content.","message":"The `includeGlobals` option can expose sensitive Node.js global objects (like `process`, `require`, `module`, etc.) to the evaluated code. If the code `content` originates from an untrusted source, this can lead to severe security vulnerabilities.","severity":"gotcha","affected_versions":">=0.1.0"},{"fix":"Thoroughly test `eval`'s behavior across all target Node.js versions. For critical applications, consider directly using the Node.js `vm` module for finer control and up-to-date behavior.","message":"This package relies on Node.js's `vm` module, which has seen various improvements and behavioral changes across Node.js versions. Given the package's age, its implementation might have subtle differences or limitations compared to modern `vm` usage in newer Node.js environments.","severity":"gotcha","affected_versions":">=0.1.0"}],"env_vars":null,"last_verified":"2026-04-19T00:00:00.000Z","next_check":"2026-07-18T00:00:00.000Z","problems":[{"fix":"Pass `true` as the `includeGlobals` argument (the fourth parameter) to the `_eval` function: `_eval(content, filename, scope, true)`.","cause":"The evaluated content attempted to use `require()` or other global Node.js objects without explicitly enabling global access.","error":"ReferenceError: require is not defined"},{"fix":"This package is CommonJS-only. Use `const _eval = require('eval')` to correctly import the function.","cause":"Attempting to import the `_eval` function using ECMAScript Modules (ESM) `import` syntax.","error":"TypeError: _eval is not a function"}],"ecosystem":"npm"}