safe-eval Sandbox Escaping

[64BitUniverse]

Is this going to be fixed? It is easy for people to exploit this with:

var safeEval = require('safe-eval');
safeEval("this.constructor.constructor('return process')().exit()");

Source: https://snyk.io/vuln/npm:safe-eval:20170830

[mvolkmann]

Supposedly version 0.4.1 of safe-eval fixes this.
Could you test this with that version and push a new version of google-translate-api if it works?
This is causing scary warnings every time google-translate-api is installed.

[Illizion]

Or just NOT USE SAFE-EVAL AT ALL?

[Illizion]

@matheuss that's always an option, that i think you should consider, since it provides nothing of use to the code, and creates a MAJOR security vulnerability. I would recommend you take action quickly.

[vorwieger]

Pull request #71 ("Use JSON.parse instead of safeEval") will solve this problem!