setTimeout/setInterval called with a string
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
A string first argument to setTimeout/setInterval is evaluated as code, the same risk as eval, and defeats bundlers and CSP.
Why it matters
Passing a string as the first argument to setTimeout or setInterval hands it to an eval-like evaluator that runs it as code in the global scope. Any dynamic part of that string becomes code injection, and even static strings defeat bundlers, minifiers, and CSP. There is no case where the string form is preferable to a function.
How to fix it
Pass a function reference or arrow function instead of a string: setTimeout(() => doWork(), 500). If the current string closes over variables, capture them in the closure rather than interpolating them into code. This keeps the same timing behavior without the eval.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo