eslint-plugin-security | ESLint rules for Node Security | Code Analyzer library

You could do:

Solved it by changing the eslint file to the following:

It is my problem too. I have also created an issue for that on its repository,

The error occurs when eslint faces any Query.prototype.exec() in the code that is namesake with child_process.exec() method of Node.js.

There is a possible solution to this problem which I have described here, But it's still open and I have no other idea how to fix it another and/or better way.

In our case we were setting the draco decoder path to:

https://www.gstatic.com/draco/v1/decoders/

by calling:

this.dracoLoader.setDecoderPath("https://www.gstatic.com/draco/v1/decoders/");

But their recommended way is specifying the version in the URL:

https://www.gstatic.com/draco/versioned/decoders/1.4.3/

They released a new version yesterday, which explains the sudden errors: https://github.com/google/draco/releases/tag/1.4.3

Changing to the versioned URL fixed it for us. Another fix that worked was using JS instead of Webassembly:

this.dracoLoader.setDecoderConfig({ type: "js" });

Don't put too much trust into these automated checks. They might detect common mistake patterns, but not every warning necessarily means that a regex can run into catastrophic backtracking, and I'd go out on a limb and say that regex are too complex to ever get a definitive answer on that from an automated tool.

The two expressions you show are equivalent, the second one just happens to not trip the wire. I don't think that either is unsafe.

The problem is that the .constructor of a class is Function, and calling the Function constructor with a string creates a function from that string, and then calling that function results in the string's code being executed: