Summary
function-bind uses the Function() constructor internally, which:
- Requires unsafe-eval in Content Security Policy
- Prevents certain V8 optimizations in the containing scope
- Is flagged by security scanners (SonarCloud, ESLint no-new-func)
Meanwhile, Function.prototype.bind has been natively available since ES5 (2009) and works in every environment this package targets.
Suggestion
Consider adding a deprecation notice to the README and package.json:
"deprecated": "Use native Function.prototype.bind — available since ES5"
Context
This package has 92M weekly downloads, mostly as a transitive dependency. The native alternative is a single line:
module.exports = Function.prototype.bind;
We implemented this in @flupkejs/function-bind — same API, no Function() constructor, 1 LOC.