functionNewCalls

Reports using the Function constructor to create functions from strings.

✅ This rule is included in the ts logical presets.

Using the Function constructor to create functions from strings is similar to eval() and introduces security risks and performance issues. Code passed to the Function constructor is executed in the global scope, making it harder to optimize and potentially allowing arbitrary code execution if user input is involved.

const 
const add: Function
add = new 
var Function: FunctionConstructor
new (...args: string[]) => Function
Creates a new function.
@param ― args A list of arguments the function accepts.
Function("a", "b", "return a + b");

const 
const multiply: Function
multiply = 
var Function: FunctionConstructor
(...args: string[]) => Function
Creates a new function.
Function("x", "y", "return x * y");

const 
const greet: Function
greet = new 
module globalThis
globalThis.
var Function: FunctionConstructor
new (...args: string[]) => Function
Creates a new function.
@param ― args A list of arguments the function accepts.
Function("name", "return 'Hello, ' + name");

const 
const add: (a: any, b: any) => any
add = function (
a: any
a, 
b: any
b) {
  return 
a: any
a + 
b: any
b;
};

const 
const multiply: (x: any, y: any) => number
multiply = (
x: any
x, 
y: any
y) => 
x: any
x * 
y: any
y;

function 
function greet(name: any): string
greet(
name: any
name) {
  return "Hello, " + 
name: any
name;
}

Options

This rule is not configurable.

When Not To Use It

If you have a legitimate need to dynamically generate functions from strings at runtime and have properly sanitized all inputs, you might choose to disable this rule. However, in most cases there are safer alternatives to achieve the same goal.

Equivalents in Other Linters

ESLint: no-new-func
Oxlint: eslint/no-new-func

Made with ❤️‍🔥 around the world by the Flint team and contributors.

functionNewCalls

Examples

Options

When Not To Use It

Further Reading

Equivalents in Other Linters