
Use of eval is strongly discouraged #112

Open

autoferrit opened this issue Aug 24, 2020 · 4 comments

@autoferrit
I installed gray-matter to use with svelte/sapper, and once I did, I started getting this error message in my console.

```
> sapper dev

✔ client (1.0s)
✔ service worker (1.7s)
• server
Use of eval is strongly discouraged, as it poses security risks and may cause issues with minification
41:         str = '(function() {\nreturn ' + str.trim() + ';\n}());';
42:       }
43:       return eval(str) || {};
                 ^
44:     } catch (err) {
45:       if (wrap !== false && /(unexpected|identifier)/i.test(err.message)) {
> Listening on http://localhost:3000
```

The app still seems to work. But is there a way I can silence this? Or is there a way to do the same thing without using eval, as using it definitely can be a security risk?

@robertmassaioli (Collaborator)
The only way that a security issue could arise is if:

  1. You used the javascript engine. AND
  2. You let people using your service provide that input into gray-matter.

I'm not sure if there is another way to do what that engine does without eval since the purpose of the engine seems to be "evaluate javascript". I'll let @jonschlinkert comment further.
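The question above asks for a way to parse the same block without `eval`, and the reply above narrows the risk to the opt-in JavaScript engine being fed untrusted input. As an added example that is not part of this thread and not gray-matter's own code, the block below shows the defensive alternative: a minimal front-matter reader whose `javascript`/`js` engine is `JSON.parse`, so a `---js` block that contains data is parsed while one that contains an expression or function call fails with a `SyntaxError` instead of executing. The regex-based splitter, the default of JSON for an unlabelled block (gray-matter itself defaults to YAML), and the sample inputs are all constructed for this example; the note at the end about passing an `engines` object to gray-matter is my understanding of its options and should be checked against the project README.

```javascript
// Added example, not gray-matter's code: front matter parsed without eval.
// Matches an opening fence with an optional language tag, e.g. "---js",
// the block body, and the closing "---" fence.
const FRONT_MATTER_RE = /^---([ \t]*\w*)[ \t]*\r?\n([\s\S]*?)\r?\n---[ \t]*\r?\n?/;

// Engine that accepts data only. JSON.parse rejects expressions, function
// calls, bare identifiers and comments, so nothing in the block can run.
function jsonOnlyEngine(block) {
  const parsed = JSON.parse(block);
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    throw new TypeError('front matter must be a JSON object');
  }
  return parsed;
}

// The eval-based engine is replaced under the names a "---js" or
// "---javascript" fence would select; unknown languages are refused.
const engines = {
  json: jsonOnlyEngine,
  javascript: jsonOnlyEngine,
  js: jsonOnlyEngine,
};

function parseFrontMatter(text) {
  const m = FRONT_MATTER_RE.exec(text);
  if (!m) return { data: {}, content: text };
  // Assumption for this example: an unlabelled block is treated as JSON.
  const lang = (m[1].trim() || 'json').toLowerCase();
  const engine = engines[lang];
  if (!engine) throw new Error(`unsupported front-matter language: ${lang}`);
  return { data: engine(m[2]), content: text.slice(m[0].length) };
}

// Wrapper that reports parse failures as data instead of throwing, which is
// what a build pipeline handling user-supplied documents usually wants.
function tryParseFrontMatter(text) {
  try {
    return { ok: true, ...parseFrontMatter(text) };
  } catch (err) {
    return { ok: false, error: err.constructor.name, message: err.message };
  }
}

// Constructed sample inputs: a data-only block and an expression block.
const SAMPLE_DATA = '---js\n{"title": "Hello", "draft": false}\n---\nBody here\n';
const SAMPLE_EXPR = '---js\n({ title: (function () { return "computed"; })() })\n---\n';

console.log(tryParseFrontMatter(SAMPLE_DATA)); // ok: true, data.title === 'Hello'
console.log(tryParseFrontMatter(SAMPLE_EXPR)); // ok: false, error: 'SyntaxError'
```

To apply the same idea with gray-matter itself rather than this stand-alone reader, my understanding is that `matter(input, { engines: { javascript: jsonOnlyEngine, js: jsonOnlyEngine } })` overrides the built-in engine for those language tags; verify the option name and engine shape against the gray-matter README before relying on it. Either way, the warning from the bundler disappears only if the eval-based engine is no longer reachable in the bundled code, and the security property comes from never handing untrusted text to an engine that executes it.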

@jonschlinkert (Owner) commented Aug 25, 2020

@robertmassaioli is correct. This is an opt-in feature. I don’t see how anyone would be able to abuse this unless you intentionally let them.

@ghost commented Aug 25, 2020

@autoferrit, I ended up using Front-matter.

@autoferrit (Author)

Yea, that makes sense. Is there a configuration to be able to hide this?
