
Commit

warn about direct "eval" in an esm file
evanw committed Mar 1, 2021
1 parent ae56ba8 commit 2a371b6
Showing 2 changed files with 32 additions and 0 deletions.
23 changes: 23 additions & 0 deletions CHANGELOG.md
Expand Up @@ -57,6 +57,29 @@
1. Direct `eval` is no longer guaranteed to be able to access imported symbols. This means imported symbols may be renamed or removed as dead code even though a call to direct `eval` could theoretically need to access them. If you need this to work, you'll have to store the relevant imports in a variable in a nested scope and move the call to direct `eval` into that nested scope.

2. Using direct `eval` in a file in ESM format is now a warning. This is because the semantics of direct `eval` are poorly understood (most people don't intend to use direct `eval` at all) and because the negative consequences of bundling code with direct `eval` are usually unexpected and undesired. Of the few valid use cases for direct `eval`, it is usually a good idea to rewrite your code to avoid using direct `eval` in the first place.
For example, if you write code that looks like this:
```js
export function runCodeWithFeatureFlags(code) {
let featureFlags = {...}
eval(code) // "code" should be able to access "featureFlags"
}
```
you should almost certainly write the code this way instead:
```js
export function runCodeWithFeatureFlags(code) {
let featureFlags = {...}
let fn = new Function('featureFlags', code)
fn(featureFlags)
}
```
This still gives `code` access to `featureFlags` but avoids all of the negative consequences of bundling code with direct `eval`.
## 0.8.53
* Support chunk and asset file name templates ([#733](https://github.com/evanw/esbuild/issues/733), [#888](https://github.com/evanw/esbuild/issues/888))
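Review bot: In the second example, `new Function('featureFlags', code)` is not a drop-in replacement for `eval(code)`, and the entry should say what changes for callers. A function body built this way is evaluated in the global scope, so `code` sees only the `featureFlags` parameter and globals rather than every local of `runCodeWithFeatureFlags`, and it needs an explicit `return` where `eval` would have produced the value of its last expression. I would add one sentence on that, and make clear that `code` is still executed as a string, so the rewrite addresses the bundling consequences and not whether the string is trusted. Wording point: "Of the few valid use cases for direct `eval`, it is usually a good idea to rewrite your code ..." reads more clearly as "Even for the few valid use cases of direct `eval`, ...".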
9 changes: 9 additions & 0 deletions internal/js_parser/js_parser.go
Expand Up @@ -11248,6 +11248,15 @@ func (p *parser) visitExprInOut(expr js_ast.Expr, in exprIn) (js_ast.Expr, exprO
for s := p.currentScope; s != nil; s = s.Parent {
s.ContainsDirectEval = true
}

// Warn when direct eval is used in a file with ES6 import statements.
// There is no way we can guarantee that this will work correctly.
// Except don't warn when this code is in a 3rd-party library because
// there's nothing people will be able to do about the warning.
if p.options.mode == config.ModeBundle && p.es6ImportKeyword.Len > 0 && !p.options.suppressWarningsAboutWeirdCode {
p.log.AddRangeWarning(&p.source, js_lexer.RangeOfIdentifier(p.source, e.Target.Loc),
"Using direct eval with a bundler is not recommended and may cause problems (more info: https://esbuild.github.io/link/direct-eval)")
}
}
}
}
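Review bot: The condition `p.es6ImportKeyword.Len > 0` covers only files that contain an import statement, which matches the code comment but not the commit title or the changelog entry, both of which describe the warning as applying to a file in ESM format. Judging by the field name and the comment, the changelog's own example (an `export function` with no `import`) would not trigger the warning it illustrates; either extend the check to files that are ESM through `export` alone or narrow the changelog wording to files with ES6 imports. The warning is also gated on `config.ModeBundle`, which the changelog does not mention. The commit changes only CHANGELOG.md and js_parser.go, so a parser test that asserts the warning in bundle mode and its absence when `suppressWarningsAboutWeirdCode` is set would be worth adding.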