NOT so safe eval

[ChrisCinelli]

I was looking at patriksimek/vm2#32 - The implementation in vm2 have patched a lot of vulnerabilities but there are a ton of problems because of trying to prevent all backdoors.

According to patriksimek/vm2#32 (comment) the only way to fix this class of vulnerabilities is completely disabling eval with a C++ addon. And in the best case scenario you are still vulnerable to DoD attacks.

The code of safe-eval is way too simple. #15 is a futile effort.

I just think that the name of this module is misleading. People may think (like I was) that safe-eval is reasonable secure but it is far from the truth.

In my humble opinion, safe-eval should just marked as vulnerable and the README.md should have a very noticeable disclaimer about not being safe.

[mgttt]

(
delete(this.constructor.constructor),delete(this.constructor),
this.constructor.constructor("return process")()
)

[drj-io]

any known safe alternatives to this module for scoped evals?