String passed to setTimeout / setInterval (JS/TS)
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.
What it detects
A string first argument to setTimeout/setInterval is evaluated as code, exactly like eval(). Pass a function reference instead.
Why it matters
A string first argument to setTimeout or setInterval is compiled and run as code, the same as eval. If any part of that string is dynamic, it becomes code injection. Passing a function instead removes the risk entirely.
How to fix it
Pass a function reference or arrow function as the first argument: setTimeout(() => doThing(), 100). Never pass a string of code. If the delay target is chosen dynamically, use a lookup object of allowed functions.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo