11 comments

[ 5.8 ms ] story [ 31.2 ms ] thread
Nice to read. I wrote a JS evaluator for a low code product and the whole thing feels quite natural to use JS as the scripting language for a low code product. Well done!
Nice work!

This reminded me to a series of posts by Figma in which they described how their JS plugin system works [1].

I remember there were plenty of security reasons why eval was not the best way to go. I wonder if you guys took this into account?

[1] https://www.figma.com/blog/how-we-built-the-figma-plugin-sys...

Nice article. It was one of the inspirations of the first version of the evaluation workflow. We actually have eval running in global context always with just a select items being injected inside eval to ensure security. Also this happens inside a web worker so the scope of global actions a malicious script can take reduces drastically
Fairly certain you don't want to be throwing `eval` in your code.

I'm also building a workflow engine on the side, but don't want to see you run into security issues :)

Look into the realms TC39 proposal, the SES TC39 proposal, or running (no joke) a lightweight ES6 environment in webassembly to eval your code.

https://github.com/tc39/proposal-realms/#ecmascript-spec-pro...

https://github.com/tc39/proposal-ses

https://github.com/justjake/quickjs-emscripten

> you don't want to be throwing `eval` in your code

Unless you have generated the JS code yourself, in which case it is safe.

What kind of perf are you getting with QuickJS? If you have to evaluate an expression 10,000 times is QuickJS at least half as quick as eval?

True. Though I'd err on the side of caution in case someone in the team makes a PR to enable templating or user data somewhere that uses this code under the hood. Currently working in healthcare, so it's safest to work under the assumption of "don't introduce anything unsafe if possible, even if we know data is sanitized by us". Just in case one day that data is _not_ supplied by us.

RE. perf, I initially used Realms and it was fine. Right now I'm using wasm for templating and cuelang parsing - the speed is _good enough_ for the current UI, though I haven't really done strict performance testing yet, being honest :(

Author here. We have experimented with Realms in the past and had a working version for some time. Also did some POC with quickjs. In both scenarios, we saw performance degrade a lot.. So our current eval is run actually in the web worker so we take extra precautions to avoid leaking any problem some browser api inside the eval context. I like the idea of having a wasm eval environment as well, will experiment with that soon. Thanks for the tips :)
What's the downside of calling eval in the client?
looks nice, similar to retool.
I love the idea of web workers. I struggle to find a use case that isn't limited by serialization/deserialization.

AFAIK, workers are strings in and strings out. Often serialization is the most expensive operation, so adding additional serialization/deserialization steps can decrease performance overall.

The only use case I can imagine that would really benefit is computation-heavy with minimal input/output.

Until there is safe shared memory (please correct me if I'm wrong) I don't see many compelling use cases for web workers.