Is there any way to allow for eval() on a worker?
I understand that there are serious security issues with using eval() as a general rule. My problem is that I'm using a library called serialize-javascript to be able to stringify structures beyond what JSON.stringify() handles. Specifically, serialize-javascript allows for serializing dates, maps, sets, functions, regex and bigint. However, it doesn't provide any deserialize method, and simply states to use eval(). Which works perfectly well and has for years... but trying to port my db wrapper to a worker-supported version has caused me a fair share of grief.
I would rather not remove functionality from my module due to this limitation, though I do understand that the distinction is that the context of running in a worker means we're not only dependent on the user's system and security, but yours.
5 Replies
It's not possible on the Workers platform.
At best, you can run a JS engine with WebAssembly but that comes with its own drawbacks and slowness.
Guess those features are coming out then! Thanks 😄
Depending on whether you've got existing systems depending on serialize-javascript, you could try out an alternative like https://github.com/Rich-Harris/devalue that doesn't require eval (specifically the stringify and parse functions). We've had good success with that library in Miniflare. 👍
There's also a See also section at the bottom of that readme with a bunch of other similar libraries.
Oh this looks great! It doesn't do functions, but I guess that's basically the only thing that truly requires eval() to work as expected. And I'm alright with not storing functions specifically in a database. Thank you! ^_^
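To illustrate the conclusion of the thread, here is an added example (not part of the thread, and not the code of devalue or serialize-javascript) of a codec that round-trips dates, maps, sets, regexes and bigints through plain JSON with no eval(). The names TAG, encode, decode and REVIVERS are hypothetical, and it assumes application data never uses a "$type" key itself.

```javascript
// Added example: eval-free round trip for the types named in the thread.
// Assumption: plain objects in the data never carry their own "$type" key.
const TAG = "$type";
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function encode(value) {
  // A regular function (not an arrow) so `this` is the holder object.
  return JSON.stringify(value, function (key, v) {
    const raw = this[key]; // Date.prototype.toJSON already ran on v; read the original
    if (typeof raw === "function") {
      throw new TypeError(`cannot serialize function at key "${key}"`);
    }
    if (typeof raw === "bigint") return { [TAG]: "BigInt", value: raw.toString() };
    if (raw instanceof Date) return { [TAG]: "Date", value: raw.getTime() };
    if (raw instanceof RegExp) return { [TAG]: "RegExp", value: [raw.source, raw.flags] };
    if (raw instanceof Map) return { [TAG]: "Map", value: [...raw.entries()] };
    if (raw instanceof Set) return { [TAG]: "Set", value: [...raw.values()] };
    return v;
  });
}

// Allowlist of constructors: the input is only ever treated as data,
// so an unexpected tag is rejected instead of being executed.
const REVIVERS = {
  BigInt: (digits) => BigInt(digits),
  Date: (ms) => new Date(ms),
  RegExp: ([source, flags]) => new RegExp(source, flags),
  Map: (entries) => new Map(entries),
  Set: (items) => new Set(items),
};

function decode(text) {
  // JSON.parse revives bottom-up, so nested tagged values are rebuilt first.
  return JSON.parse(text, (key, v) => {
    if (v === null || typeof v !== "object" || !own(v, TAG)) return v;
    if (!own(REVIVERS, v[TAG])) {
      throw new TypeError(`unknown type tag: ${String(v[TAG])}`);
    }
    return REVIVERS[v[TAG]](v.value);
  });
}

// Constructed sample record, round-tripped without eval().
const sample = { when: new Date(0), tags: new Set(["a", "b"]),
                 index: new Map([["k", 10n]]), pattern: /ab+c/gi };
const restored = decode(encode(sample));
```

Functions are refused at encode time and unknown tags at decode time, which is the one capability that is given up by not calling eval().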