impliedEvals

Reports using string arguments in setTimeout, setInterval, setImmediate, execScript, or the Function constructor.

✅ This rule is included in the ts logical and logicalStrict presets.

JavaScript’s eval() function is generally discouraged because it executes arbitrary strings as code, making programs harder to analyze and creating potential security vulnerabilities. Several other APIs similarly evaluate strings as code:

setTimeout() and setInterval() accept a string as their first argument
setImmediate() accepts a string as its first argument
execScript() (Internet Explorer only) accepts a string
The Function constructor creates functions from strings

These “implied evals” have the same problems as eval(): they’re difficult to analyze statically, prevent many optimizations, and can introduce security risks if the string contains untrusted content.


function setTimeout(handler: TimerHandler, timeout?: number, ...arguments: any[]): number (+2 overloads)
MDN Reference
setTimeout("alert('Hello');", 1000);


function setInterval(handler: TimerHandler, timeout?: number, ...arguments: any[]): number (+2 overloads)
MDN Reference
setInterval("counter++;", 100);

const 
const code: "console.log('executed');"
code = "console.log('executed');";
function setTimeout(handler: TimerHandler, timeout?: number, ...arguments: any[]): number (+2 overloads)
MDN Reference
setTimeout(
const code: "console.log('executed');"
code, 0);

new 
var Function: FunctionConstructor
new (...args: string[]) => Function
Creates a new function.
@param ― args A list of arguments the function accepts.
Function("a", "b", "return a + b");


var window: Window & typeof globalThis
The window property of a Window object points to the window object itself.
MDN Reference
window.
function setTimeout(handler: TimerHandler, timeout?: number, ...arguments: any[]): number (+2 overloads)
MDN Reference
setTimeout("doSomething()", 100);


function setTimeout<[]>(callback: () => void, delay?: number): NodeJS.Timeout (+2 overloads)
Schedules execution of a one-time callback after delay milliseconds.
The callback will likely not be invoked in precisely delay milliseconds.
Node.js makes no guarantees about the exact timing of when callbacks will fire,
nor of their ordering. The callback will be called as close as possible to the
time specified.
When delay is larger than 2147483647 or less than 1 or NaN, the delay
will be set to 1. Non-integer delays are truncated to an integer.
If callback is not a function, a TypeError will be thrown.
This method has a custom variant for promises that is available using
timersPromises.setTimeout().
@since ― v0.0.1
@param ― callback The function to call when the timer elapses.
@param ― delay The number of milliseconds to wait before calling the
callback. Default: 1.
@param ― args Optional arguments to pass when the callback is called.
@returns ― for use with clearTimeout()
setTimeout(() => {
  
function alert(message?: any): void
window.alert() instructs the browser to display a dialog with an optional message, and to wait until the user dismisses the dialog.
MDN Reference
alert("Hello");
}, 1000);


function setInterval<[]>(callback: () => void, delay?: number): NodeJS.Timeout (+2 overloads)
Schedules repeated execution of callback every delay milliseconds.
When delay is larger than 2147483647 or less than 1 or NaN, the delay
will be set to 1. Non-integer delays are truncated to an integer.
If callback is not a function, a TypeError will be thrown.
This method has a custom variant for promises that is available using
timersPromises.setInterval().
@since ― v0.0.1
@param ― callback The function to call when the timer elapses.
@param ― delay The number of milliseconds to wait before calling the
callback. Default: 1.
@param ― args Optional arguments to pass when the callback is called.
@returns ― for use with clearInterval()
setInterval(() => {
  
let counter: number
counter++;
}, 100);


function setTimeout<[]>(callback: () => void, delay?: number): NodeJS.Timeout (+2 overloads)
Schedules execution of a one-time callback after delay milliseconds.
The callback will likely not be invoked in precisely delay milliseconds.
Node.js makes no guarantees about the exact timing of when callbacks will fire,
nor of their ordering. The callback will be called as close as possible to the
time specified.
When delay is larger than 2147483647 or less than 1 or NaN, the delay
will be set to 1. Non-integer delays are truncated to an integer.
If callback is not a function, a TypeError will be thrown.
This method has a custom variant for promises that is available using
timersPromises.setTimeout().
@since ― v0.0.1
@param ― callback The function to call when the timer elapses.
@param ― delay The number of milliseconds to wait before calling the
callback. Default: 1.
@param ― args Optional arguments to pass when the callback is called.
@returns ― for use with clearTimeout()
setTimeout(
const myCallback: () => void
myCallback, 0);

const 
const add: (a: number, b: number) => number
add = (
a: number
a: number, 
b: number
b: number) => 
a: number
a + 
b: number
b;


function setTimeout<[]>(callback: () => void, delay?: number): NodeJS.Timeout (+2 overloads)
Schedules execution of a one-time callback after delay milliseconds.
The callback will likely not be invoked in precisely delay milliseconds.
Node.js makes no guarantees about the exact timing of when callbacks will fire,
nor of their ordering. The callback will be called as close as possible to the
time specified.
When delay is larger than 2147483647 or less than 1 or NaN, the delay
will be set to 1. Non-integer delays are truncated to an integer.
If callback is not a function, a TypeError will be thrown.
This method has a custom variant for promises that is available using
timersPromises.setTimeout().
@since ― v0.0.1
@param ― callback The function to call when the timer elapses.
@param ― delay The number of milliseconds to wait before calling the
callback. Default: 1.
@param ― args Optional arguments to pass when the callback is called.
@returns ― for use with clearTimeout()
setTimeout(
const handler: () => void
handler.
CallableFunction.bind<() => void>(this: () => void, thisArg: unknown): () => void (+1 overload)
For a given function, creates a bound function that has the same body as the original function.
The this object of the bound function is associated with the specified object, and has the specified initial parameters.
@param ― thisArg The object to be used as the this object.
bind(
const context: Record<string, unknown>
context), 100);

Options

This rule is not configurable.

When Not To Use It

If you have a specific use case that requires dynamic code evaluation and you’ve carefully considered the security implications, you might disable this rule for those specific instances. For example, certain build tools or code playgrounds may legitimately need to use these APIs with string arguments. Consider using Flint disable comments for those specific lines rather than disabling the rule entirely.

Equivalents in Other Linters

ESLint: no-implied-eval@typescript-eslint/no-implied-eval
Oxlint: typescript/no-implied-eval

Made with ❤️‍🔥 around the world by the Flint team and contributors.

impliedEvals

Examples

Options

When Not To Use It

Further Reading

Equivalents in Other Linters