noImpliedEval

JavaScript (and super languages)

Caution

This rule is part of the nursery group. This means that it is experimental and the behavior can change at any time.

Summary

• Rule available since: v2.4.10
• Diagnostic Category: lint/nursery/noImpliedEval
• This rule doesn’t have a fix.
• The default severity of this rule is error.
• Sources:
  • Same as no-implied-eval
  • Same as @typescript-eslint/no-implied-eval

How to configure

biome.json

{
  "linter": {
    "rules": {
      "nursery": {
        "noImpliedEval": "error"
      }
    }
  }
}

Description

Disallow the use of eval()-like methods.

The eval() function evaluates the passed string as a JavaScript code. Calling setTimeout, setInterval, or setImmediate with a string argument is an implied eval() because the string is evaluated as code.

Using implied eval() is considered a bad practice because:

1. It exposes your code to security risks and performance issues
2. The code is evaluated in the global scope rather than the local scope
3. It prevents the JavaScript engine from optimizing the code

Examples

Invalid

setTimeout("alert('Hello world!');", 100);

code-block.js:1:1 lint/nursery/noImpliedEval ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  ✖ Implied eval() is not allowed.
  
  > 1 │ setTimeout(“alert(‘Hello world!’);”, 100);
      │ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    2 │ 
  
  ℹ Passing strings to functions like setTimeout, setInterval, or setImmediate is a form of implied eval() and can lead to security and performance issues.
  
  ℹ Use a function instead of a string.
  
  ℹ This rule is still being actively worked on, so it may be missing features or have rough edges. Visit https://github.com/biomejs/biome/issues/8735 for more information or to report possible bugs.
  
  ℹ This rule belongs to the nursery group, which means it is not yet stable and may change in the future. Visit https://biomejs.dev/linter/#nursery for more information.
  

setInterval("alert('Hello world!');", 100);

code-block.js:1:1 lint/nursery/noImpliedEval ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  ✖ Implied eval() is not allowed.
  
  > 1 │ setInterval(“alert(‘Hello world!’);”, 100);
      │ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    2 │ 
  
  ℹ Passing strings to functions like setTimeout, setInterval, or setImmediate is a form of implied eval() and can lead to security and performance issues.
  
  ℹ Use a function instead of a string.
  
  ℹ This rule is still being actively worked on, so it may be missing features or have rough edges. Visit https://github.com/biomejs/biome/issues/8735 for more information or to report possible bugs.
  
  ℹ This rule belongs to the nursery group, which means it is not yet stable and may change in the future. Visit https://biomejs.dev/linter/#nursery for more information.
  

setImmediate("alert('Hello world!');");

code-block.js:1:1 lint/nursery/noImpliedEval ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  ✖ Implied eval() is not allowed.
  
  > 1 │ setImmediate(“alert(‘Hello world!’);”);
      │ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    2 │ 
  
  ℹ Passing strings to functions like setTimeout, setInterval, or setImmediate is a form of implied eval() and can lead to security and performance issues.
  
  ℹ Use a function instead of a string.
  
  ℹ This rule is still being actively worked on, so it may be missing features or have rough edges. Visit https://github.com/biomejs/biome/issues/8735 for more information or to report possible bugs.
  
  ℹ This rule belongs to the nursery group, which means it is not yet stable and may change in the future. Visit https://biomejs.dev/linter/#nursery for more information.
  

window.setTimeout("count = 5", 10);

code-block.js:1:1 lint/nursery/noImpliedEval ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  ✖ Implied eval() is not allowed.
  
  > 1 │ window.setTimeout(“count = 5”, 10);
      │ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    2 │ 
  
  ℹ Passing strings to functions like setTimeout, setInterval, or setImmediate is a form of implied eval() and can lead to security and performance issues.
  
  ℹ Use a function instead of a string.
  
  ℹ This rule is still being actively worked on, so it may be missing features or have rough edges. Visit https://github.com/biomejs/biome/issues/8735 for more information or to report possible bugs.
  
  ℹ This rule belongs to the nursery group, which means it is not yet stable and may change in the future. Visit https://biomejs.dev/linter/#nursery for more information.
  

window.setInterval("foo = bar", 10);

code-block.js:1:1 lint/nursery/noImpliedEval ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  ✖ Implied eval() is not allowed.
  
  > 1 │ window.setInterval(“foo = bar”, 10);
      │ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    2 │ 
  
  ℹ Passing strings to functions like setTimeout, setInterval, or setImmediate is a form of implied eval() and can lead to security and performance issues.
  
  ℹ Use a function instead of a string.
  
  ℹ This rule is still being actively worked on, so it may be missing features or have rough edges. Visit https://github.com/biomejs/biome/issues/8735 for more information or to report possible bugs.
  
  ℹ This rule belongs to the nursery group, which means it is not yet stable and may change in the future. Visit https://biomejs.dev/linter/#nursery for more information.
  

Valid

setTimeout(function() {
    alert('Hello world!');
}, 100);

setInterval(() => {
    alert('Hello world!');
}, 100);

// setTimeout is shadowed by a local variable
function foo(setTimeout) {
    setTimeout("alert('Hello world!');", 100);
}

Resources

• MDN setTimeout() documentation
• MDN eval() documentation

Related links

• Disable a rule
• Configure the code fix
• Rule options
• Source Code
• Test Cases