Dynamic code execution (new Function / vm)
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
new Function(...) or the vm module compiles and runs a string as code. Fed anything derived from a request, config, or fetched data, that is remote code execution.
Why it matters
new Function(...) and the vm module compile a string into runnable code. If any part of that string comes from a request, a config file, or fetched data, this is remote code execution with the full privileges of your process. These constructs also defeat bundler analysis and any Content-Security-Policy. Genuine uses in a web server are rare.
How to fix it
Replace dynamic evaluation with concrete logic: JSON.parse for data, a lookup map for string-based dispatch, and a dedicated expression parser library for user-entered formulas. The vm module is not a security sandbox, so do not rely on it to run untrusted code. If a build-time tool truly needs it, isolate it from anything touching request input.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo