feat(linter/eslint): implement no-implied-eval rule #22391
Merged
@codex review, use the repository skill $performance-lint-rules
Codex Review: Didn't find any major issues. What shall we delve into next?
Merging this PR will not alter performance
camc314 pushed a commit that referenced this pull request May 18, 2026

# Oxlint

### 🚀 Features

- 1ae291e linter/no-underscore-dangle: Add `allowInUsingDeclarations` option (#22483) (吴杨帆)
- 0440b0f linter/eslint: Implement `id-match` rule (#22379) (Vladislav Sayapin)
- 65bf119 linter: Implement react no-object-type-as-default-prop (#22481) (uhyo)
- 2a6ddce linter/eslint: Implement `no-implied-eval` rule (#22391) (Vladislav Sayapin)
- d3a3c1d linter: Auto detect agents from CLI and transition to the agent output format (#22068) (Jovi De Croock)
- 625758a linter/vitest: Implement padding-around-after-all-blocks rule (#21788) (kapobajza)
- 37680b0 linter: Implement react no-unstable-nested-components (#22248) (Jovi De Croock)
- d8d9c74 linter: Implement import/newline-after-import rule (#19142) (Ryuya Yanagi)

### 🐛 Bug Fixes

- 3f59e03 linter: Only call rayon/miette/tracing inits once (#21899) (Matiss Janis Aboltins)
- 602dfd6 linter/promise/no-return-wrap: Detect Promise calls in all branches (#22474) (zennnnnnn11)
- e182aee linter: Allow dialogs and popovers for no_autofocus (#22289) (mehm8128)
- 7ffb710 linter/jest/vitest: Jest/no-standalone-expect ignores additionalTestBlockFunctions option for jest/vitest hooks (#22477) (kapobajza)
- c6f2d3f linter: Add more expression support for iframe-has-title (#22460) (mehm8128)
- 5747ff1 linter: Avoid enabling jest with vitest plugin (#22499) (camc314)
- 863984f linter/no-find-dom-node: Run on all files (#22479) (bab)

### ⚡ Performance

- 2afef79 linter: Optimize `no-loop-func` (#22491) (camchenry)
- 4c9ca72 oxlint: Align walker thread count with rayon pool (#22494) (Boshen)

### 📚 Documentation

- f7967c7 linter/id-match: Clarify `onlyDeclarations` config docs (#22523) (camc314)
- 1e0c97f linter: Fix closing code block in documentation for `padding-around-after-all-blocks` rule. (#22513) (connorshea)
- a9049fd linter: Exclude directly provide autoFocus to dialog pattern (#22510) (mehm8128)

# Oxfmt

### 🐛 Bug Fixes

- 8ee946f formatter/sort_imports: Use label to classify lines (#22512) (leaysgur)
- 8c1da44 formatter: Normalize destructuring keys in DCR (#22478) (camc314)
Implements the `eslint/no-implied-eval` rule, which disallows string-evaluating calls through `setTimeout`, `setInterval` and `execScript`.

It supports direct global calls, member calls through global objects such as `window`, `global`, `globalThis`, and `self`, repeated global-object chains, static computed properties, optional chaining, shadowing/import handling, and statically known string arguments.

ESLint ref: https://eslint.org/docs/latest/rules/no-implied-eval

Issue: #479

## Algorithmic Complexity

- The rule runs only on `CallExpression` nodes.
- Ordinary non-target calls return in `O(1)`.
- Global-object member matching is `O(H)`, where `H` is member-chain depth.
- String argument detection runs only after a target callee is found.
- Static argument analysis is intentionally small: it handles syntactic string expressions, initialized bindings, direct global `String(...)`/`Date()`, `typeof`, and sequence expressions.
- Identifier initialization recursion is bounded.
- The hot path avoids regexes and heap allocations.

## Notes

- Callee/global-object matching follows ESLint behavior: direct globals, `window`/`global`/`globalThis`/`self`, repeated same-name chains, static computed properties, optional chaining, and shadowing/import handling.
- Oxlint is intentionally stricter for cheap string-producing arguments such as `String(foo)`, `Date()`, `typeof foo`, and initialized `let`/`var` strings.
- This follows maintainer feedback for this security-oriented rule and avoids full flow/type analysis.
- The rule also unwraps TypeScript-only expression wrappers such as `as`, `satisfies`, `!`, type assertions, and instantiation expressions.
- It does not try to follow timer aliases, `.call`/`.apply`, dynamic property names, string methods, object/array property values, or broad constant folding.

## AI Disclosure

Claude Opus 4.7 & Codex GPT 5.5
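
The callee matching and string-argument check described in the PR description above, as an added JavaScript sketch over hand-built ESTree-shaped nodes; it is not code from this PR or from oxlint. The function names (`propName`, `isGlobalObject`, `isStringLike`, `isImpliedEval`) and the node builders are hypothetical, and shadowing/import handling, initialized bindings and TypeScript wrappers are left out.

```javascript
// Added sketch, not oxlint's code. Inputs are hand-built ESTree-shaped nodes (constructed,
// see the builders at the end); scope analysis is omitted, so identifiers are assumed global.
const TIMERS = new Set(["setTimeout", "setInterval", "execScript"]);
const GLOBALS = new Set(["window", "global", "globalThis", "self"]);
// Static property name for `a.b` or `a["b"]`; null when the name is dynamic.
function propName(m) {
  const p = m.property;
  if (!m.computed) return p.name;
  return p.type === "Literal" && typeof p.value === "string" ? p.value : null;
}
// Accepts `window` and same-name chains such as `window.window`; one step per level, O(H).
function isGlobalObject(node) {
  let name = null;
  for (; node.type === "MemberExpression"; node = node.object) {
    const p = propName(node);
    if (p === null || (name !== null && p !== name)) return false;
    name = p;
  }
  return node.type === "Identifier" && GLOBALS.has(node.name) && (name ?? node.name) === node.name;
}

// Syntax-only test for a string-producing argument; no flow or type analysis.
function isStringLike(n) {
  switch (n.type) {
    case "Literal": return typeof n.value === "string";
    case "TemplateLiteral": return true;
    case "UnaryExpression": return n.operator === "typeof";
    case "BinaryExpression":
      return n.operator === "+" && (isStringLike(n.left) || isStringLike(n.right));
    case "SequenceExpression": return isStringLike(n.expressions.at(-1));
    case "CallExpression":
      return n.callee.type === "Identifier" && ["String", "Date"].includes(n.callee.name);
    default: return false;
  }
}

function isImpliedEval(node) {
  if (node.type !== "CallExpression" || node.arguments.length === 0) return false;
  const c = node.callee;
  const target = c.type === "Identifier" ? TIMERS.has(c.name)
    : c.type === "MemberExpression" && TIMERS.has(propName(c)) && isGlobalObject(c.object);
  return target && isStringLike(node.arguments[0]);
}
const id = (name) => ({ type: "Identifier", name });
const lit = (value) => ({ type: "Literal", value });
const member = (object, prop, computed = false) =>
  ({ type: "MemberExpression", object, computed, property: computed ? lit(prop) : id(prop) });
const call = (callee, ...args) => ({ type: "CallExpression", callee, arguments: args });
console.log(isImpliedEval(call(member(id("window"), "setTimeout"), lit("tick()")))); // true
```
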