[web-ext lint] The Function constructor is eval

I noticed that web-ext lint shows warnings even though I haven’t changed my code. I found out that the warnings appear after running the npm update command. Here are the original and updated package-lock.json files. Should I be concerned about this?

Steps to reproduce:

  1. git clone https://github.com/veto-firewall/veto
  2. npm install
  3. npm run web-ext:lint

Result: no warnings

  1. npm update
  2. npm run web-ext:lint

Result:

npm run web-ext:lint

> veto@2.2.6 web-ext:lint
> npm run build && cd dist && web-ext lint


> veto@2.2.6 prebuild
> npm run clean


> veto@2.2.6 clean
> rimraf dist


> veto@2.2.6 build
> webpack --mode production --config webpack.config.cjs

Validation Summary:

errors          0              
notices         0              
warnings        2              

WARNINGS:

Code             Message        File            Line   Column
DANGEROUS_EVAL   The Function   background.js   2      103648
                 constructor                                 
                 is eval.                                    
DANGEROUS_EVAL   The Function   popup.js        2      129273
                 constructor                                 
                 is eval.      

Some libraries are using the Function constructor to get the global this.

Try looking for these two in the “node_modules” folder; use an IDE to search all JS files:

Function("return this")
Function('return this')

I did report this a while back, but I don’t think it was implemented yet:

In my case, the warnings were caused by the update from StreamX 2.22.0 to 2.22.1. The warnings were gone after I downgraded to 2.22.0.
