Use of eval() / Function constructor
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
eval() and `new Function(...)` execute arbitrary strings as code and are a common injection vector.
Why it matters
eval() and new Function() run whatever string they are given as full JavaScript. If any part of that string can be influenced by user input, config files, or fetched data, that is remote code execution in your app. They also defeat content security policies and make bundlers keep dead code.
How to fix it
Replace eval of data with JSON.parse, replace dynamic property access with plain object lookups, and replace string-based dispatch with an explicit map of allowed functions. For user-entered math or formulas use a dedicated expression parser library instead of evaluating strings. If a build-time script truly needs it, isolate it away from anything that touches runtime input.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo