Maintainability of “eval”

I agree with all the points made in the article: security is not a concern if you take proper precautions & performance can be improved by using code generation.

However, the biggest downside of code generation is code maintainability. It is a lot harder to scan the code for potential errors.

Consider the validation example that you have provided.

The plain JavaScript version:

The code generation version:

It is easy to tell what the intention of the first code fragment is. It is impossible to tell what the intention of the latter code is without mentally compiling the to-be code.

Code obscurity is the primary cause of security vulnerabilities. This is the reason you often hear of dynamic code generation as a culprit of security vulnerabilities. Inherently, eval is neither slow nor non-secure. In fact, if you look into Node.js source code, you will learn that require is using vm to run all the code.

Tech / Product Founder — building https://contra.com/
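Added example, not part of the original response or of the article it replies to: a plain validator beside a code-generated one, showing the precautions that keep schema data from becoming code and keeping the generated source available for review. The schema shape and the names `validatePlain`, `compileValidator` and `ALLOWED_TYPES` are assumptions made for illustration.

```javascript
// Added example: hypothetical schema format and helper names, constructed for illustration.
const ALLOWED_TYPES = new Set(['string', 'number', 'boolean']);

// Plain version: the intent is readable, but the schema is re-interpreted on every call.
function validatePlain(schema, input) {
  for (const [key, type] of Object.entries(schema)) {
    if (typeof input[key] !== type) return false;
  }
  return true;
}

// Code generation version: the schema is compiled once into straight-line checks.
function compileValidator(schema) {
  const lines = [];
  for (const [key, type] of Object.entries(schema)) {
    // Precaution 1: only allow-listed type names ever reach the generated source.
    if (!ALLOWED_TYPES.has(type)) throw new TypeError(`unsupported type: ${type}`);
    // Precaution 2: JSON.stringify emits the key as an escaped string literal,
    // so a key cannot close the expression and continue as code.
    lines.push(
      `if (typeof input[${JSON.stringify(key)}] !== ${JSON.stringify(type)}) return false;`
    );
  }
  lines.push('return true;');
  const source = lines.join('\n');
  // Return the source with the function so a reviewer can read exactly what runs.
  return { validate: new Function('input', source), source };
}

// Constructed sample schema; the second key is shaped like an injection attempt.
const trickyKey = 'x"]; globalThis.injected = true; //';
const schema = { name: 'string', [trickyKey]: 'number' };
const compiled = compileValidator(schema);
```

Logging `compiled.source` during review shows the exact checks that will execute, which narrows the readability gap the comment describes.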
