Use of eval() is strongly discouraged, as it poses security risks #44
Comments
The usage of |
The official doc for eval() has a big fat yellow warning at the top, saying:
There's a certain irony in the fact that the very module which warns other developers about deprecated code uses deprecated code itself. Not only that, but the most well-known deprecated function and kind-of the mother of all deprecated functions in JavaScript. |
Hi @benbucksch you can view the current code for this module right here on GitHub... There is no |
Oh, right... So, why does express depend explicitly on an outdated depd version, even in the latest version of express? https://github.com/expressjs/express/blob/28db2c2c5cf992c897d1fbbc6b119ee02fe32ab1/package.json#L39
The other deps are also "~" instead of "^". Are they just being silly? |
Hi @benbucksch there are hundreds of modules that depend on this module. The downstream modules (like this one) do not have control over how others decide to use it. Of course, the removal of |
@dougwilson : Yes, I understand that, but express is a rather popular module. I now tried to file a bug against express, but for some reason, I cannot ("You can't perform that action at this time."). I see that you made the most recent commits in express, so it's not a third party module from your perspective, but you're active in express as well. Could you see to it that this is fixed in express, please? |
Hi @benbucksch sure, I will take a look into it when I get some time. In the future, please try to keep issues to the respective issue tracker they belong in; perhaps GitHub is having an issue at the moment or something. I would move the issue, but issues cannot be moved across organizations. This issue is closed, but mainly because there is no issue in this module as the usage of |
Yup, sorry about that. I didn't realize that I was using an outdated dependency. |
Environment
Reproduction
express to your project, directly or indirectly, which adds depd to your project
yarn run dev
Actual result
On every code file change, the compiler spits out the following warning on the console:
This is due to depd.
Expected result
eval() is not used at all. The error message is correct.