[Flight] Warn once if `eval` is disabled in dev environment #35661

eps1lon · 2026-01-30T11:59:53Z

Summary

Follow-up to #35650

React uses eval in development for Server Components and Server Functions to reconstruct callstacks from different environments. eval can be a legitimate security concern for production environments. It's oftentimes disabled e.g. in browsers via the Content-Security-Policy response header.

If eval is disabled in development, those debugging features stop working. Without this change no warning was issued. Now we issue a warning with remedies depending on the environment.

For browsers, the CSP header needs to be adjusted. In Node.js, --disallow-code-generation-from-strings should not be used. In other environments (e.g. Bun), we don't have a tailored message since those environments don't have a dedicated API to disable eval.

If there are legit concerns about disabling eval in development this warning could be considered noise and we should revisit.

Note that we always warn once you use React Server or React Action APIs even though you may not need to reconstruct a callstack (e.g. no Components used or errors transported). I suspect this to be a rare use case. Though being prepared for potential errors, isn't the worst idea.

How did you test this change?

added test for each tailored message

react-sizebot · 2026-01-30T12:47:46Z

Comparing: 64b4605...d2430b3

Critical size changes

Includes critical production bundles, as well as any change greater than 2%:

Name	+/-	Base	Current	+/- gzip	Base gzip	Current gzip
oss-stable/react-dom/cjs/react-dom.production.js	=	6.84 kB	6.84 kB	=	1.88 kB	1.88 kB
oss-stable/react-dom/cjs/react-dom-client.production.js	=	609.58 kB	609.58 kB	=	107.80 kB	107.80 kB
oss-experimental/react-dom/cjs/react-dom.production.js	=	6.84 kB	6.84 kB	=	1.88 kB	1.88 kB
oss-experimental/react-dom/cjs/react-dom-client.production.js	=	675.51 kB	675.51 kB	=	118.75 kB	118.75 kB
facebook-www/ReactDOM-prod.classic.js	=	695.14 kB	695.14 kB	=	122.19 kB	122.19 kB
facebook-www/ReactDOM-prod.modern.js	=	685.52 kB	685.52 kB	=	120.59 kB	120.59 kB
oss-experimental/react-noop-renderer/cjs/react-noop-renderer-flight-client.development.js	+22.93%	2.51 kB	3.08 kB	+25.70%	0.86 kB	1.08 kB
oss-stable-semver/react-noop-renderer/cjs/react-noop-renderer-flight-client.development.js	+22.93%	2.51 kB	3.08 kB	+25.70%	0.86 kB	1.08 kB
oss-stable/react-noop-renderer/cjs/react-noop-renderer-flight-client.development.js	+22.93%	2.51 kB	3.08 kB	+25.70%	0.86 kB	1.08 kB
oss-experimental/react-noop-renderer/cjs/react-noop-renderer-flight-client.production.js	+11.02%	2.09 kB	2.32 kB	+11.13%	0.78 kB	0.87 kB
oss-stable-semver/react-noop-renderer/cjs/react-noop-renderer-flight-client.production.js	+11.02%	2.09 kB	2.32 kB	+11.13%	0.78 kB	0.87 kB
oss-stable/react-noop-renderer/cjs/react-noop-renderer-flight-client.production.js	+11.02%	2.09 kB	2.32 kB	+11.13%	0.78 kB	0.87 kB

Significant size changes

Includes any change greater than 0.2%:

Expand to show

Name	+/-	Base	Current	+/- gzip	Base gzip	Current gzip
oss-experimental/react-noop-renderer/cjs/react-noop-renderer-flight-client.development.js	+22.93%	2.51 kB	3.08 kB	+25.70%	0.86 kB	1.08 kB
oss-stable-semver/react-noop-renderer/cjs/react-noop-renderer-flight-client.development.js	+22.93%	2.51 kB	3.08 kB	+25.70%	0.86 kB	1.08 kB
oss-stable/react-noop-renderer/cjs/react-noop-renderer-flight-client.development.js	+22.93%	2.51 kB	3.08 kB	+25.70%	0.86 kB	1.08 kB
oss-experimental/react-noop-renderer/cjs/react-noop-renderer-flight-client.production.js	+11.02%	2.09 kB	2.32 kB	+11.13%	0.78 kB	0.87 kB
oss-stable-semver/react-noop-renderer/cjs/react-noop-renderer-flight-client.production.js	+11.02%	2.09 kB	2.32 kB	+11.13%	0.78 kB	0.87 kB
oss-stable/react-noop-renderer/cjs/react-noop-renderer-flight-client.production.js	+11.02%	2.09 kB	2.32 kB	+11.13%	0.78 kB	0.87 kB
test_utils/ReactAllWarnings.js	+1.41%	66.76 kB	67.70 kB	+1.30%	16.83 kB	17.05 kB
oss-experimental/react-server-dom-esm/cjs/react-server-dom-esm-client.node.development.js	+0.77%	188.37 kB	189.82 kB	+1.13%	33.05 kB	33.43 kB
oss-stable-semver/react-server-dom-esm/cjs/react-server-dom-esm-client.node.development.js	+0.77%	188.37 kB	189.82 kB	+1.13%	33.05 kB	33.43 kB
oss-stable/react-server-dom-esm/cjs/react-server-dom-esm-client.node.development.js	+0.77%	188.37 kB	189.82 kB	+1.13%	33.05 kB	33.43 kB
oss-experimental/react-server-dom-parcel/cjs/react-server-dom-parcel-client.node.development.js	+0.75%	190.28 kB	191.70 kB	+1.13%	33.17 kB	33.54 kB
oss-stable-semver/react-server-dom-parcel/cjs/react-server-dom-parcel-client.node.development.js	+0.75%	190.28 kB	191.70 kB	+1.13%	33.17 kB	33.54 kB
oss-stable/react-server-dom-parcel/cjs/react-server-dom-parcel-client.node.development.js	+0.75%	190.28 kB	191.70 kB	+1.13%	33.17 kB	33.54 kB
oss-experimental/react-server-dom-unbundled/cjs/react-server-dom-unbundled-client.node.development.js	+0.74%	191.92 kB	193.35 kB	+1.09%	33.42 kB	33.79 kB
oss-stable-semver/react-server-dom-unbundled/cjs/react-server-dom-unbundled-client.node.development.js	+0.74%	191.92 kB	193.35 kB	+1.09%	33.42 kB	33.79 kB
oss-stable/react-server-dom-unbundled/cjs/react-server-dom-unbundled-client.node.development.js	+0.74%	191.92 kB	193.35 kB	+1.09%	33.42 kB	33.79 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.node.development.js	+0.74%	193.32 kB	194.75 kB	+1.09%	33.69 kB	34.06 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.node.development.js	+0.74%	193.32 kB	194.75 kB	+1.09%	33.69 kB	34.06 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.node.development.js	+0.74%	193.32 kB	194.75 kB	+1.09%	33.69 kB	34.06 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-client.node.development.js	+0.74%	193.35 kB	194.77 kB	+1.11%	33.70 kB	34.08 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-client.node.development.js	+0.74%	193.35 kB	194.77 kB	+1.11%	33.70 kB	34.08 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-client.node.development.js	+0.74%	193.35 kB	194.77 kB	+1.11%	33.70 kB	34.08 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.edge.development.js	+0.63%	187.27 kB	188.45 kB	+0.98%	32.96 kB	33.28 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.edge.development.js	+0.63%	187.27 kB	188.45 kB	+0.98%	32.96 kB	33.28 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.edge.development.js	+0.63%	187.27 kB	188.45 kB	+0.98%	32.96 kB	33.28 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-client.edge.development.js	+0.63%	187.30 kB	188.47 kB	+0.99%	32.97 kB	33.30 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-client.edge.development.js	+0.63%	187.30 kB	188.47 kB	+0.99%	32.97 kB	33.30 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-client.edge.development.js	+0.63%	187.30 kB	188.47 kB	+0.99%	32.97 kB	33.30 kB
oss-stable-semver/react-server-dom-esm/cjs/react-server-dom-esm-client.browser.development.js	+0.61%	185.33 kB	186.47 kB	+1.11%	32.43 kB	32.79 kB
oss-stable/react-server-dom-esm/cjs/react-server-dom-esm-client.browser.development.js	+0.61%	185.38 kB	186.52 kB	+1.11%	32.45 kB	32.81 kB
oss-experimental/react-server-dom-esm/cjs/react-server-dom-esm-client.browser.development.js	+0.61%	185.39 kB	186.53 kB	+1.11%	32.45 kB	32.81 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.browser.development.js	+0.58%	187.95 kB	189.03 kB	+1.05%	32.91 kB	33.26 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.browser.development.js	+0.58%	188.00 kB	189.08 kB	+1.04%	32.94 kB	33.28 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.browser.development.js	+0.58%	188.01 kB	189.10 kB	+1.05%	32.94 kB	33.29 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-client.browser.development.js	+0.58%	188.57 kB	189.66 kB	+1.06%	33.07 kB	33.42 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-client.browser.development.js	+0.58%	188.62 kB	189.71 kB	+1.06%	33.10 kB	33.45 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-client.browser.development.js	+0.58%	188.63 kB	189.72 kB	+1.06%	33.10 kB	33.45 kB
oss-stable-semver/react-server-dom-esm/esm/react-server-dom-esm-client.browser.development.js	+0.57%	231.50 kB	232.83 kB	+0.95%	51.09 kB	51.57 kB
oss-stable/react-server-dom-esm/esm/react-server-dom-esm-client.browser.development.js	+0.57%	231.52 kB	232.85 kB	+0.94%	51.11 kB	51.60 kB
oss-experimental/react-server-dom-esm/esm/react-server-dom-esm-client.browser.development.js	+0.57%	231.53 kB	232.86 kB	+0.94%	51.12 kB	51.60 kB
oss-experimental/react-server-dom-parcel/cjs/react-server-dom-parcel-client.edge.development.js	+0.53%	184.13 kB	185.10 kB	+0.89%	32.47 kB	32.76 kB
oss-stable-semver/react-server-dom-parcel/cjs/react-server-dom-parcel-client.edge.development.js	+0.53%	184.13 kB	185.10 kB	+0.89%	32.47 kB	32.76 kB
oss-stable/react-server-dom-parcel/cjs/react-server-dom-parcel-client.edge.development.js	+0.53%	184.13 kB	185.10 kB	+0.89%	32.47 kB	32.76 kB
oss-stable-semver/react-server-dom-parcel/cjs/react-server-dom-parcel-client.browser.development.js	+0.53%	183.47 kB	184.44 kB	+1.08%	32.02 kB	32.37 kB
oss-stable/react-server-dom-parcel/cjs/react-server-dom-parcel-client.browser.development.js	+0.53%	183.52 kB	184.49 kB	+1.08%	32.05 kB	32.39 kB
oss-experimental/react-server-dom-parcel/cjs/react-server-dom-parcel-client.browser.development.js	+0.53%	183.53 kB	184.50 kB	+1.07%	32.05 kB	32.39 kB

Generated by 🚫 dangerJS against d2430b3

packages/react-server/src/ReactFlightReplyServer.js

sohammeta · 2026-01-31T02:32:11Z

packages/react-client/src/ReactClientDebugConfigBrowser.js

+      } catch {
+        console.error(
+          'eval() is not supported in this environment. ' +
+            'If this page was served with a `Content-Security-Policy` header, ' +
+            'make sure that `unsafe-eval` is included. ' +
+            'React requires eval() in development mode for various debugging features ' +
+            'like reconstructing callstacks from a different environment.\n' +
+            'React will never use eval() in production mode',
+        );
+      }


If eval throws for reasons other than being unavailable, those errors will be swallowed.

Suggested change

} catch {

console.error(

'eval() is not supported in this environment. ' +

'If this page was served with a `Content-Security-Policy` header, ' +

'make sure that `unsafe-eval` is included. ' +

'React requires eval() in development mode for various debugging features ' +

'like reconstructing callstacks from a different environment.\n' +

'React will never use eval() in production mode',

);

}

} catch (error) {

console.error(

'eval() is not supported in this environment. ' +

'If this page was served with a `Content-Security-Policy` header, ' +

'make sure that `unsafe-eval` is included. ' +

'React requires eval() in development mode for various debugging features ' +

'like reconstructing callstacks from a different environment.\n' +

'React will never use eval() in production mode',

,error

);

}

What is the thrown error saying, that's not included in the message we post?

DiffTrain build for [ed4bd54](ed4bd54)

meta-cla bot added the CLA Signed label Jan 30, 2026

github-actions bot added the React Core Team Opened by a member of the React Core Team label Jan 30, 2026

eps1lon force-pushed the sebbie/01-30-_flight_warn_once_if_eval_is_disabled_in_dev_environment branch from 328e3c3 to 41e269c Compare January 30, 2026 12:43

eps1lon force-pushed the sebbie/01-30-_flight_warn_once_if_eval_is_disabled_in_dev_environment branch 2 times, most recently from 3a8565c to b4f7dca Compare January 30, 2026 12:53

[Flight] Warn once if eval is disabled in dev environment

876bf8c

eps1lon force-pushed the sebbie/01-30-_flight_warn_once_if_eval_is_disabled_in_dev_environment branch from 0fa91a0 to 876bf8c Compare January 30, 2026 18:05

eps1lon requested a review from unstubbable January 30, 2026 18:10

eps1lon marked this pull request as ready for review January 30, 2026 18:10

unstubbable reviewed Jan 30, 2026

View reviewed changes

packages/react-server/src/ReactFlightReplyServer.js Outdated Show resolved Hide resolved

sohammeta reviewed Jan 31, 2026

View reviewed changes

Move to reply client

d2430b3

eps1lon force-pushed the sebbie/01-30-_flight_warn_once_if_eval_is_disabled_in_dev_environment branch from fec400f to d2430b3 Compare February 2, 2026 10:42

eps1lon requested a review from unstubbable February 2, 2026 10:52

unstubbable approved these changes Feb 2, 2026

View reviewed changes

eps1lon merged commit ed4bd54 into main Feb 2, 2026
234 checks passed

eps1lon deleted the sebbie/01-30-_flight_warn_once_if_eval_is_disabled_in_dev_environment branch February 2, 2026 11:56

github-actions bot pushed a commit that referenced this pull request Feb 2, 2026

[Flight] Warn once if eval is disabled in dev environment (#35661)

876e0ab

DiffTrain build for [ed4bd54](ed4bd54)

nextjs-bot mentioned this pull request Feb 2, 2026

Upgrade React from da641178-20260129 to ed4bd540-20260202 vercel/next.js#89401

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Flight] Warn once if `eval` is disabled in dev environment #35661

[Flight] Warn once if `eval` is disabled in dev environment #35661

eps1lon commented Jan 30, 2026 •

edited

Loading

Uh oh!

react-sizebot commented Jan 30, 2026 •

edited

Loading

Uh oh!

Uh oh!

sohammeta Jan 31, 2026

Uh oh!

eps1lon Feb 2, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

[Flight] Warn once if eval is disabled in dev environment #35661

[Flight] Warn once if eval is disabled in dev environment #35661

Conversation

eps1lon commented Jan 30, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

How did you test this change?

Uh oh!

react-sizebot commented Jan 30, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Critical size changes

Significant size changes

Uh oh!

Uh oh!

sohammeta Jan 31, 2026

Choose a reason for hiding this comment

Uh oh!

eps1lon Feb 2, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

[Flight] Warn once if `eval` is disabled in dev environment #35661

[Flight] Warn once if `eval` is disabled in dev environment #35661

eps1lon commented Jan 30, 2026 •

edited

Loading

react-sizebot commented Jan 30, 2026 •

edited

Loading