I reported it because of portability issue, not because of security. The probelm is the implementation relies on the API surface that are often prohibited.
Prohibiting eval is a host’s decision and cannot be bypassed by user script. In the context of prohibiting eval , new Function is also prohibited. eval itself is not the actual problem.
safe-eval is just a wrapper that creates an isolated context with the Node.js’ vm API and is not an alternative. If it can be a solution, there are standard methods; ShadowRealm rather than Node-only solution.