eval can be harmful. Open
eval(`evalResult = ${value}`)
Disallow eval() (no-eval)
JavaScript's eval() function is potentially dangerous and is often misused. Using eval() on untrusted code can open a program up to several different injection attacks. In most contexts, eval() can be replaced by a better, alternative approach to the problem.
var obj = { x: "foo" },
    key = "x",
    value = eval("obj." + key);
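The lookup above next to a version that keeps the key as data, as an added example that is not part of the ESLint documentation. The names lookupWithEval, lookupSafe, runLookupDemo and sideEffects, and the sample keys, are hypothetical and constructed for this illustration.

```javascript
// Added example; lookupWithEval, lookupSafe, runLookupDemo and the sample
// keys are hypothetical names constructed for this illustration.
const obj = { x: "foo" };
let sideEffects = 0; // stands in for any code the caller never meant to run

function lookupWithEval(key) {
  // Pattern from the rule text: the key is pasted into program source.
  return eval("obj." + key);
}

function lookupSafe(key) {
  // The key stays data: only own, string-named properties are returned.
  if (typeof key !== "string" ||
      !Object.prototype.hasOwnProperty.call(obj, key)) {
    return undefined;
  }
  return obj[key];
}

function runLookupDemo() {
  const expressionKey = "x, sideEffects += 1"; // constructed: an expression, not a name
  sideEffects = 0;
  const evalResult = lookupWithEval(expressionKey);
  const ranWithEval = sideEffects;   // the "key" executed as code
  sideEffects = 0;
  const safeResult = lookupSafe(expressionKey);
  const ranWithSafe = sideEffects;   // nothing executed
  return {
    evalResult, ranWithEval, safeResult, ranWithSafe,
    plain: lookupSafe("x"),
    inherited: lookupSafe("constructor"), // inherited names are not returned
  };
}

console.log(runLookupDemo());
```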
Rule Details
This rule is aimed at preventing potentially dangerous, unnecessary, and slow code by disallowing the use of the eval() function. As such, it will warn whenever the eval() function is used.
Examples of incorrect code for this rule:
/*eslint no-eval: "error"*/
var obj = { x: "foo" },
    key = "x",
    value = eval("obj." + key);
(0, eval)("var a = 0");
var foo = eval;
foo("var a = 0");
// This `this` is the global object.
this.eval("var a = 0");
Example of additional incorrect code for this rule when browser environment is set to true:
/*eslint no-eval: "error"*/
/*eslint-env browser*/
window.eval("var a = 0");
Example of additional incorrect code for this rule when node environment is set to true:
/*eslint no-eval: "error"*/
/*eslint-env node*/
global.eval("var a = 0");
Examples of correct code for this rule:
/*eslint no-eval: "error"*/
/*eslint-env es6*/
var obj = { x: "foo" },
    key = "x",
    value = obj[key];
class A {
    foo() {
        // This is a user-defined method.
        this.eval("var a = 0");
    }
    eval() {
    }
}
Options
This rule has an option to allow indirect calls to eval. Indirect calls to eval are less dangerous than direct calls to eval because they cannot dynamically change the scope. Because of this, they also will not negatively impact performance to the degree of direct eval.
{
    "no-eval": ["error", {"allowIndirect": true}] // default is false
}
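The scoping difference between direct and indirect eval described above, as an added example that is not part of the ESLint documentation. The names directEval, indirectEval, compareScopes and sessionToken are hypothetical.

```javascript
// Added example: what "cannot dynamically change the scope" means in practice.
// directEval, indirectEval, compareScopes and sessionToken are hypothetical names.

function directEval(src) {
  let sessionToken = "local-secret";   // local binding of the calling function
  const result = eval(src);            // direct call: src runs inside this scope
  return { result, sessionToken };
}

function indirectEval(src) {
  let sessionToken = "local-secret";
  const result = (0, eval)(src);       // indirect call: src runs in global scope
  return { result, sessionToken };
}

// Probes are written so they never create globals as a side effect.
const READ = "typeof sessionToken";
const WRITE =
  "if (typeof sessionToken !== 'undefined') sessionToken = 'overwritten'";

function compareScopes() {
  return {
    directCanRead: directEval(READ).result === "string",
    indirectCanRead: indirectEval(READ).result === "string",
    directAfterWrite: directEval(WRITE).sessionToken,
    indirectAfterWrite: indirectEval(WRITE).sessionToken,
  };
}

console.log(compareScopes());
```

The evaluated string still runs with full global access in the indirect case; only the caller's local bindings are out of reach.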
Example of incorrect code for this rule with the {"allowIndirect": true} option:
/*eslint no-eval: "error"*/
var obj = { x: "foo" },
    key = "x",
    value = eval("obj." + key);
Examples of correct code for this rule with the {"allowIndirect": true} option:
/*eslint no-eval: "error"*/
(0, eval)("var a = 0");
var foo = eval;
foo("var a = 0");
this.eval("var a = 0");
/*eslint no-eval: "error"*/
/*eslint-env browser*/
window.eval("var a = 0");
/*eslint no-eval: "error"*/
/*eslint-env node*/
global.eval("var a = 0");
Known Limitations
- This rule warns on every eval() call, even if the eval is not the global one. This behavior exists in order to detect calls of direct eval, such as:
module.exports = function(eval) {
    // If the value of this `eval` is built-in `eval` function, this is a
    // call of direct `eval`.
    eval("var a = 0");
};
- This rule cannot catch renaming the global object. Such as:
var foo = window;
foo.eval("var a = 0");
Related Rules
- [no-implied-eval](no-implied-eval.md)
Source: http://eslint.org/docs/rules/
Function 'listenForChanges' has a complexity of 9. Open
function listenForChanges () {
Limit Cyclomatic Complexity (complexity)
Cyclomatic complexity measures the number of linearly independent paths through a program's source code. This rule allows setting a cyclomatic complexity threshold.
function a(x) {
    if (true) {
        return x; // 1st path
    } else if (false) {
        return x+1; // 2nd path
    } else {
        return 4; // 3rd path
    }
}
Rule Details
This rule is aimed at reducing code complexity by capping the amount of cyclomatic complexity allowed in a program. As such, it will warn when the cyclomatic complexity crosses the configured threshold (default is 20).
Examples of incorrect code for a maximum of 2:
/*eslint complexity: ["error", 2]*/
function a(x) {
    if (true) {
        return x;
    } else if (false) {
        return x+1;
    } else {
        return 4; // 3rd path
    }
}
Examples of correct code for a maximum of 2:
/*eslint complexity: ["error", 2]*/
function a(x) {
    if (true) {
        return x;
    } else {
        return 4;
    }
}
Options
Optionally, you may specify a max object property:
"complexity": ["error", 2]
is equivalent to
"complexity": ["error", { "max": 2 }]
Deprecated: the object property maximum is deprecated. Please use the property max instead.
When Not To Use It
If you can't determine an appropriate complexity limit for your code, then it's best to disable this rule.
Related Rules
- [max-depth](max-depth.md)
- [max-len](max-len.md)
- [max-nested-callbacks](max-nested-callbacks.md)
- [max-params](max-params.md)
- [max-statements](max-statements.md)
Source: http://eslint.org/docs/rules/
Arrow function has a complexity of 7. Open
socket.emit( newMessage.eventName, ...newMessage.message.map( m => {
Function listenForChanges has a Cognitive Complexity of 14 (exceeds 5 allowed). Consider refactoring. Open
function listenForChanges () {
const state = getState()
const id = this
const storedConnection = storedConnections[id]
const connection = state.connections.list[state.connections.connections[id].index]
Cognitive Complexity
Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.
A method's cognitive complexity is based on a few simple rules:
- Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
- Code is considered more complex for each "break in the linear flow of the code"
- Code is considered more complex when "flow breaking structures are nested"
Function listenForChanges has 40 lines of code (exceeds 25 allowed). Consider refactoring. Open
function listenForChanges () {
const state = getState()
const id = this
const storedConnection = storedConnections[id]
const connection = state.connections.list[state.connections.connections[id].index]
Function subscribeSendMessageListener has 30 lines of code (exceeds 25 allowed). Consider refactoring. Open
function subscribeSendMessageListener () {
let previousState = store.getState().sentMessages
store.subscribe(function () {
Function compareLists has a Cognitive Complexity of 8 (exceeds 5 allowed). Consider refactoring. Open
function compareLists (list1, list2) {
const difference = []
let event
let exists
for ( let x = 0, l = list1.length; x < l; x++ ) {
Unexpected lexical declaration in case block. Open
case 'Array':
Disallow lexical declarations in case/default clauses (no-case-declarations)
This rule disallows lexical declarations (let, const, function and class) in case/default clauses. The reason is that the lexical declaration is visible in the entire switch block but it only gets initialized when it is assigned, which will only happen if the case where it is defined is reached.
To ensure that the lexical declaration only applies to the current case clause, wrap your clauses in blocks.
Rule Details
This rule aims to prevent access to uninitialized lexical bindings as well as accessing hoisted functions across case clauses.
Examples of incorrect code for this rule:
/*eslint no-case-declarations: "error"*/
/*eslint-env es6*/
switch (foo) {
    case 1:
        let x = 1;
        break;
    case 2:
        const y = 2;
        break;
    case 3:
        function f() {}
        break;
    default:
        class C {}
}
Examples of correct code for this rule:
/*eslint no-case-declarations: "error"*/
/*eslint-env es6*/
// Declarations outside switch-statements are valid
const a = 0;
switch (foo) {
    // The following case clauses are wrapped into blocks using brackets
    case 1: {
        let x = 1;
        break;
    }
    case 2: {
        const y = 2;
        break;
    }
    case 3: {
        function f() {}
        break;
    }
    case 4:
        // Declarations using var without brackets are valid due to function-scope hoisting
        var z = 4;
        break;
    default: {
        class C {}
    }
}
When Not To Use It
If you depend on fall through behavior and want access to bindings introduced in the case block.
Related Rules
- [no-fallthrough](no-fallthrough.md)
Source: http://eslint.org/docs/rules/
TODO found Open
// TODO all events that were added previously need to be added to the new socket
Irregular whitespace not allowed. Open
let namespace = connection.namespace || ''
Disallow irregular whitespace (no-irregular-whitespace)
Invalid or irregular whitespace causes issues with ECMAScript 5 parsers and also makes code harder to debug, much like mixed tabs and spaces.
Programmers can enter various whitespace characters by mistake, for example by copying text or using keyboard shortcuts. Pressing Alt + Space on OS X, for example, inserts a non-breaking space character.
Known issues these spaces cause:
- Zero Width Space
  - Is NOT considered a separator for tokens and is often parsed as an Unexpected token ILLEGAL
  - Is NOT shown in modern browsers making code repository software expected to resolve the visualisation
- Line Separator
  - Is NOT a valid character within JSON which would cause parse errors
Rule Details
This rule is aimed at catching invalid whitespace that is not a normal tab and space. Some of these characters may cause issues in modern browsers and others will be a debugging issue to spot.
This rule disallows the following characters except where the options allow:
\u000B - Line Tabulation (\v) - <vt>
\u000C - Form Feed (\f) - <ff>
\u00A0 - No-Break Space - <nbsp>
\u0085 - Next Line
\u1680 - Ogham Space Mark
\u180E - Mongolian Vowel Separator - <mvs>
\ufeff - Zero Width No-Break Space - <bom>
\u2000 - En Quad
\u2001 - Em Quad
\u2002 - En Space - <ensp>
\u2003 - Em Space - <emsp>
\u2004 - Three-Per-Em
\u2005 - Four-Per-Em
\u2006 - Six-Per-Em
\u2007 - Figure Space
\u2008 - Punctuation Space - <puncsp>
\u2009 - Thin Space
\u200A - Hair Space
\u200B - Zero Width Space - <zwsp>
\u2028 - Line Separator
\u2029 - Paragraph Separator
\u202F - Narrow No-Break Space
\u205f - Medium Mathematical Space
\u3000 - Ideographic Space
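A scanner for the characters listed above, as an added example that is not ESLint's implementation. Unlike the rule it does not skip strings or comments, which makes it usable on non-JavaScript files as well; findIrregularWhitespace and the sample text (including where the no-break space sits in the first line) are hypothetical and constructed.

```javascript
// Added example; findIrregularWhitespace and the sample text are hypothetical.
// The character class covers every code point in the list above
// (\u2000-\u200B spans En Quad through Zero Width Space).
const IRREGULAR =
  /[\u000B\u000C\u00A0\u0085\u1680\u180E\uFEFF\u2000-\u200B\u2028\u2029\u202F\u205F\u3000]/g;

function findIrregularWhitespace(text) {
  const hits = [];
  // Split on \n only, so U+2028/U+2029 are reported rather than consumed.
  text.split("\n").forEach((line, i) => {
    for (const m of line.matchAll(IRREGULAR)) {
      const hex = m[0].codePointAt(0).toString(16).toUpperCase().padStart(4, "0");
      hits.push({ line: i + 1, column: m.index + 1, codePoint: "U+" + hex });
    }
  });
  return hits;
}

// Constructed sample: escapes are used so the characters stay visible here.
const sample = [
  "let namespace = connection.namespace\u00A0|| ''",
  "const ok = 'plain spaces and\ttabs only'",
  "return\u200Bvalue",
].join("\n");

console.log(findIrregularWhitespace(sample));
```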
Options
This rule has an object option for exceptions:
- "skipStrings": true (default) allows any whitespace characters in string literals
- "skipComments": true allows any whitespace characters in comments
- "skipRegExps": true allows any whitespace characters in regular expression literals
- "skipTemplates": true allows any whitespace characters in template literals
skipStrings
Examples of incorrect code for this rule with the default { "skipStrings": true } option:
/*eslint no-irregular-whitespace: "error"*/
function thing() /*<nbsp>*/{
    return 'test';
}
function thing( /*<nbsp>*/){
    return 'test';
}
function thing /*<nbsp>*/(){
    return 'test';
}
function thing/*<mvs>*/(){
    return 'test';
}
function thing() {
    return 'test'; /*<ensp>*/
}
function thing() {
    return 'test'; /*<nbsp>*/
}
function thing() {
    // Description <nbsp>: some descriptive text
}
/*
Description <nbsp>: some descriptive text
*/
function thing() {
    return / <nbsp>regexp/;
}
/*eslint-env es6*/
function thing() {
    return `template <nbsp>string`;
}
Examples of correct code for this rule with the default { "skipStrings": true } option:
/*eslint no-irregular-whitespace: "error"*/
function thing() {
    return ' <nbsp>thing';
}
function thing() {
    return '<zwsp>thing';
}
function thing() {
    return 'th <nbsp>ing';
}
skipComments
Examples of additional correct code for this rule with the { "skipComments": true } option:
/*eslint no-irregular-whitespace: ["error", { "skipComments": true }]*/
function thing() {
    // Description <nbsp>: some descriptive text
}
/*
Description <nbsp>: some descriptive text
*/
skipRegExps
Examples of additional correct code for this rule with the { "skipRegExps": true } option:
/*eslint no-irregular-whitespace: ["error", { "skipRegExps": true }]*/
function thing() {
    return / <nbsp>regexp/;
}
skipTemplates
Examples of additional correct code for this rule with the { "skipTemplates": true } option:
/*eslint no-irregular-whitespace: ["error", { "skipTemplates": true }]*/
/*eslint-env es6*/
function thing() {
    return `template <nbsp>string`;
}
When Not To Use It
If you decide that you wish to use whitespace other than tabs and spaces outside of strings in your application.