No it’s not.

simonreiff · 2026-03-15T16:52:30 1773593550

OWASP disagrees: See https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Securi..., listing `eval()` first in its small list of examples of "JavaScript functions that are dangerous and should only be used where necessary or unavoidable". I'm unaware of any such uses, myself. I can't think of any scenario where I couldn't get what I wanted by using some combination of `vm`, the `Function` constructor, and a safe wrapper around `JSON.parse()` to do anything I might have considered doing unsafely with `eval()`. Yes, `eval()` is a blatant red flag and definitely should be avoided.

jacquesm · 2026-03-15T17:24:57 1773595497

While there are valid use cases for eval they are so rare that it should be disabled by default and strongly discouraged as a pattern. Only in very rare cases is eval the right choice and even then it will be fraught with risk.

godelski · 2026-03-15T19:11:12 1773601872

The parent didn't say "there's no legitimate uses of eval", they said "using eval should make people pay more attention." A red flag is a warning. An alert. Not a signal saying "this is 100% no doubt malicious code."

Yes, it's a red flag. Yes, there's legitimate uses. Yes, you should always interrogate evals more closely. All these are true

pavel_lishin · 2026-03-15T16:27:41 1773592061

When is an eval not at least a security "code smell"?

SahAssar · 2026-03-15T16:27:20 1773592040

It really is. There are very few proper use-cases for eval.

nswango · 2026-03-15T17:36:22 1773596182

For a long time the standard way of loading JSON was using eval.

bawolff · 2026-03-15T19:52:01 1773604321

Not that long, browsers implemented JSON.parse() back in 2009. JSON was only invented back in 2001 and took a while to become popular. It was a very short window more than a decade ago when eval made sense here.

Eval for json also lead to other security issues like XSSI.

creatonez · 2026-03-15T21:25:56 1773609956

Problem is, it took until around 2016 for IE6 to be fully dead, so people continued to justify these hacks for a long time. Horrifying times.

_flux · 2026-03-15T18:04:55 1773597895

And why do we not anymore make use of it, but instead implemented separate JSON loading functionality in JavaScript? Can you think of any reasons beyond performance?

bawolff · 2026-03-15T19:47:50 1773604070

I'd be surprised if there is a performance benefit of processing json with eval(). Browsers optimize the heck out of JSON.

fhars · 2026-03-15T21:12:59 1773609179

You are arguing against the opposite of what the comment you answered to said.

bawolff · 2026-03-16T05:43:03 1773639783

Am i? "Can you think of any reasons beyond performance?" implies that the comment author thinks performance would be a valid reason.

_flux · 2026-03-16T09:01:03 1773651663

Quoting my original message:

> And why do we not anymore make use of it, but instead implemented separate JSON loading functionality in JavaScript?

In other words: I'm asking for reasons why was native JSON JavaScript module created, if we already had eval.

> Can you think of any reasons beyond performance?

One of the reasons is that native JSON parser is faster than eval: give some other reason.

bulbar · 2026-03-15T18:42:51 1773600171

Why did you opt in for such a comment while a straight forward response without belittling tone would have achieved the same?

_flux · 2026-03-15T18:47:04 1773600424

I actually gave it some thought. I had written the actual reason first, but I realized that the person I was responding to must know this, yet keeps arguing in that eval is just fine.

I would say they are arguing that in bad faith, so I wanted to enter a dialogue where they are either forced to agree, or more likely, not respond at all.

creatonez · 2026-03-15T21:15:59 1773609359

For IE7 support, yes... https://caniuse.com/mdn-javascript_builtins_json_parse