Gathering detailed insights and metrics for static-eval
Gathering detailed insights and metrics for static-eval
Installations
npm install static-evalDeveloper Guide
BETA
Typescript
No
Module System
CommonJS
Node Version
21.5.0
NPM Version
10.2.4
Score
98.9
Supply Chain
95.4
Quality
83.1
Maintenance
100
Vulnerability
100
License
Releases
5
Languages
1
JavaScript
JavaScript (100%)
Developer
browserify
Download Statistics
Total Downloads
677,780,822
Last Day
705,193
Last Week
3,807,779
Last Month
16,508,433
Last Year
193,291,337
GitHub Statistics
MIT License
178 Stars
86 Commits
27 Forks
8 Watchers
2 Branches
35 Contributors
Updated on May 04, 2025
Bundle Size
73.71 kB
Minified
18.86 kB
Minified + Gzipped
Maintainers
39
Package Meta Information
Latest Version
2.1.1
Package Id
static-eval@2.1.1
Unpacked Size
19.81 kB
Size
5.68 kB
File Count
12
NPM Version
10.2.4
Node Version
21.5.0
Published on
Jan 01, 2024
Total Downloads
Cumulative downloads
Total Downloads
677,780,822
static-eval
evaluate statically-analyzable expressions
security
static-eval is like eval. It is intended for use in build scripts and code transformations, doing some evaluation at build time—it is NOT suitable for handling arbitrary untrusted user input. Malicious user input can execute arbitrary code.
example
1var evaluate = require('static-eval'); 2var parse = require('esprima').parse; 3 4var src = process.argv[2]; 5var ast = parse(src).body[0].expression; 6 7console.log(evaluate(ast));
If you stick to simple expressions, the result is statically analyzable:
$ node '7*8+9'
65
$ node eval.js '[1,2,3+4*5-(5*11)]'
[ 1, 2, -32 ]
but if you use statements, undeclared identifiers, or syntax, the result is no
longer statically analyzable and evaluate() returns undefined:
$ node eval.js '1+2+3*n'
undefined
$ node eval.js 'x=5; x*2'
undefined
$ node eval.js '5-4*3'
-7
You can also declare variables and functions to use in the static evaluation:
1var evaluate = require('static-eval'); 2var parse = require('esprima').parse; 3 4var src = '[1,2,3+4*10+n,foo(3+5),obj[""+"x"].y]'; 5var ast = parse(src).body[0].expression; 6 7console.log(evaluate(ast, { 8 n: 6, 9 foo: function (x) { return x * 100 }, 10 obj: { x: { y: 555 } } 11}));
methods
1var evaluate = require('static-eval');
evaluate(ast, vars={})
Evaluate the esprima-parsed abstract syntax
tree object ast with an optional collection of variables vars to use in the
static expression resolution.
If the expression contained in ast can't be statically resolved, evaluate()
returns undefined.
install
With npm do:
npm install static-eval
license
MIT
Critical
9.8/10
Summary
Withdrawn: Arbitrary Code Execution in static-eval
Affected Versions
<= 2.1.0
High
7.3/10
Summary
Sandbox Breakout / Arbitrary Code Execution in static-eval
Affected Versions
<= 2.0.1
Patched Versions
2.0.2
Moderate
0/10
Summary
Sandbox Breakout / Arbitrary Code Execution in static-eval
Affected Versions
< 2.0.0
Patched Versions
2.0.0
Reason
no binaries found in the repo
Reason
security policy file detected
Details
- Info: security policy file detected: security.md:1
- Info: Found linked content: security.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: security.md:1
- Info: Found text in security policy: security.md:1
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
0 existing vulnerabilities detected
Reason
Found 4/17 approved changesets -- score normalized to 2
Reason
0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
branch protection not enabled on development/release branches
Details
- Warn: branch protection not enabled for branch 'master'
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 18 are checked with a SAST tool
Score
4.2
/10
Last Scanned on 2025-05-05
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More