From a56a139dd1290e958b9da44fd79c63bf2eabc23f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ren=C3=A9e=20Kooi?= Date: Fri, 15 Feb 2019 17:11:57 +0100 Subject: [PATCH] explicitly mention security caveats --- readme.markdown | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/readme.markdown b/readme.markdown index 9bd50f9..dcb7bd6 100644 --- a/readme.markdown +++ b/readme.markdown @@ -6,6 +6,10 @@ evaluate statically-analyzable expressions [![build status](https://secure.travis-ci.org/substack/static-eval.png)](http://travis-ci.org/substack/static-eval) +# security + +static-eval is like `eval`. It is intended for use in build scripts and code transformations, doing some evaluation at build time—it is **NOT** suitable for handling arbitrary untrusted user input. Malicious user input _can_ execute arbitrary code. + # example ``` js
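Review bot: the new `# security` section in the readme.markdown hunk states the risk ("Malicious user input _can_ execute arbitrary code") but gives the reader no rule for deciding when input counts as trusted; since the module "is like `eval`", consider adding one sentence after the **NOT** warning that spells out the safe boundary, for example "Only evaluate expressions that are fully under the control of the person running the build (e.g. literals written in your own source tree), and never expressions assembled from request data, config fetched at runtime, or third-party packages you do not review." It would also help to point readers to the `# example` section that follows so the intended build-time usage is illustrated right after the caveat, rather than leaving the warning as an abstract statement.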