Should grammar generation use eval?

[jeromesimeon]

I'm wondering if there is a better way to load the Nearly parser generated from the template grammar.

In addition complicating the security analysis, the corresponding code seems also quite brittle:
https://github.com/accordproject/cicero/blob/f79abd8c37d01def5e3525270e3889dc5a405c3e/packages/cicero-core/src/parsermanager.js#L421

E.g., The reliance on the module variable seems to trip certain versions of Babel.
The generated code for @babel/[email protected], the generated code is the intended:

      const module = (cov_23ep5x5niw.s[152]++, {
        exports: {}
      });
      cov_23ep5x5niw.s[153]++;
      eval(grammarJs);
      cov_23ep5x5niw.s[154]++;
      return module.exports;

While with @babel/[email protected] the code escapes the module variable to _module so the grammar is not extracted properly:

      var _module = (cov_23ep5x5niw.s[152]++, {
        exports: {}
      });

      cov_23ep5x5niw.s[153]++;
      eval(grammarJs);
      cov_23ep5x5niw.s[154]++;
      return _module.exports;

[jeromesimeon]

Note that there is an open issue on babel about this module question babel/babel#5718

[jeromesimeon]

The new parser no longer uses JavaScript eval for parser construction (or nearley for that matter)...

The corresponding module construction code is also gone.