[Flight] Warn once if `eval` is disabled in dev environment #35661

eps1lon · 2026-01-30T11:59:53Z

Summary

Follow-up to #35650

React uses eval in development for Server Components and Server Functions to reconstruct callstacks from different environments. eval can be a legitimate security concern for production environments. It's oftentimes disabled e.g. in browsers via Content-Security-Policy.

If eval is disabled in development, those debugging features stop working. Without this change no warning was issued. Now we issue a warning with remedies depending on the environment.

For browsers, the CSP header needs to be adjusted. In Node.js, --disallow-code-generation-from-strings should not be used. In other environments (e.g. Bun), we don't have a tailored message since those environments don't have a dedicated API to disable eval.

If there are legit concerns about disabling eval in development this warning could be considered noise and we should revisit.

Note that we always warn once you use React Server or React Action APIs even though you may not need to reconstruct a callstack (e.g. no Components used or errors transported). I suspect this to be a rare use cases. Though being prepared for potential errors, isn't the worst idea.

How did you test this change?

added test for each tailored message

react-sizebot · 2026-01-30T12:47:46Z

Comparing: 64b4605...876bf8c

Critical size changes

Includes critical production bundles, as well as any change greater than 2%:

Name	+/-	Base	Current	+/- gzip	Base gzip	Current gzip
oss-stable/react-dom/cjs/react-dom.production.js	=	6.84 kB	6.84 kB	=	1.88 kB	1.88 kB
oss-stable/react-dom/cjs/react-dom-client.production.js	=	609.58 kB	609.58 kB	=	107.80 kB	107.80 kB
oss-experimental/react-dom/cjs/react-dom.production.js	=	6.84 kB	6.84 kB	=	1.88 kB	1.88 kB
oss-experimental/react-dom/cjs/react-dom-client.production.js	=	675.51 kB	675.51 kB	=	118.75 kB	118.75 kB
facebook-www/ReactDOM-prod.classic.js	=	695.14 kB	695.14 kB	=	122.19 kB	122.19 kB
facebook-www/ReactDOM-prod.modern.js	=	685.52 kB	685.52 kB	=	120.59 kB	120.59 kB
oss-experimental/react-noop-renderer/cjs/react-noop-renderer-flight-client.development.js	+22.93%	2.51 kB	3.08 kB	+25.70%	0.86 kB	1.08 kB
oss-stable-semver/react-noop-renderer/cjs/react-noop-renderer-flight-client.development.js	+22.93%	2.51 kB	3.08 kB	+25.70%	0.86 kB	1.08 kB
oss-stable/react-noop-renderer/cjs/react-noop-renderer-flight-client.development.js	+22.93%	2.51 kB	3.08 kB	+25.70%	0.86 kB	1.08 kB
oss-experimental/react-noop-renderer/cjs/react-noop-renderer-flight-client.production.js	+11.02%	2.09 kB	2.32 kB	+11.13%	0.78 kB	0.87 kB
oss-stable-semver/react-noop-renderer/cjs/react-noop-renderer-flight-client.production.js	+11.02%	2.09 kB	2.32 kB	+11.13%	0.78 kB	0.87 kB
oss-stable/react-noop-renderer/cjs/react-noop-renderer-flight-client.production.js	+11.02%	2.09 kB	2.32 kB	+11.13%	0.78 kB	0.87 kB

Significant size changes

Includes any change greater than 0.2%:

Expand to show

Name	+/-	Base	Current	+/- gzip	Base gzip	Current gzip
oss-experimental/react-noop-renderer/cjs/react-noop-renderer-flight-client.development.js	+22.93%	2.51 kB	3.08 kB	+25.70%	0.86 kB	1.08 kB
oss-stable-semver/react-noop-renderer/cjs/react-noop-renderer-flight-client.development.js	+22.93%	2.51 kB	3.08 kB	+25.70%	0.86 kB	1.08 kB
oss-stable/react-noop-renderer/cjs/react-noop-renderer-flight-client.development.js	+22.93%	2.51 kB	3.08 kB	+25.70%	0.86 kB	1.08 kB
oss-experimental/react-noop-renderer/cjs/react-noop-renderer-flight-client.production.js	+11.02%	2.09 kB	2.32 kB	+11.13%	0.78 kB	0.87 kB
oss-stable-semver/react-noop-renderer/cjs/react-noop-renderer-flight-client.production.js	+11.02%	2.09 kB	2.32 kB	+11.13%	0.78 kB	0.87 kB
oss-stable/react-noop-renderer/cjs/react-noop-renderer-flight-client.production.js	+11.02%	2.09 kB	2.32 kB	+11.13%	0.78 kB	0.87 kB
test_utils/ReactAllWarnings.js	+1.41%	66.76 kB	67.70 kB	+1.30%	16.83 kB	17.05 kB
oss-experimental/react-server-dom-esm/cjs/react-server-dom-esm-client.node.development.js	+0.75%	188.37 kB	189.78 kB	+1.11%	33.05 kB	33.42 kB
oss-stable-semver/react-server-dom-esm/cjs/react-server-dom-esm-client.node.development.js	+0.75%	188.37 kB	189.78 kB	+1.11%	33.05 kB	33.42 kB
oss-stable/react-server-dom-esm/cjs/react-server-dom-esm-client.node.development.js	+0.75%	188.37 kB	189.78 kB	+1.11%	33.05 kB	33.42 kB
oss-experimental/react-server-dom-parcel/cjs/react-server-dom-parcel-client.node.development.js	+0.73%	190.28 kB	191.66 kB	+1.11%	33.17 kB	33.53 kB
oss-stable-semver/react-server-dom-parcel/cjs/react-server-dom-parcel-client.node.development.js	+0.73%	190.28 kB	191.66 kB	+1.11%	33.17 kB	33.53 kB
oss-stable/react-server-dom-parcel/cjs/react-server-dom-parcel-client.node.development.js	+0.73%	190.28 kB	191.66 kB	+1.11%	33.17 kB	33.53 kB
oss-experimental/react-server-dom-unbundled/cjs/react-server-dom-unbundled-client.node.development.js	+0.72%	191.92 kB	193.31 kB	+1.06%	33.42 kB	33.78 kB
oss-stable-semver/react-server-dom-unbundled/cjs/react-server-dom-unbundled-client.node.development.js	+0.72%	191.92 kB	193.31 kB	+1.06%	33.42 kB	33.78 kB
oss-stable/react-server-dom-unbundled/cjs/react-server-dom-unbundled-client.node.development.js	+0.72%	191.92 kB	193.31 kB	+1.06%	33.42 kB	33.78 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.node.development.js	+0.72%	193.32 kB	194.71 kB	+1.06%	33.69 kB	34.05 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.node.development.js	+0.72%	193.32 kB	194.71 kB	+1.06%	33.69 kB	34.05 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.node.development.js	+0.72%	193.32 kB	194.71 kB	+1.06%	33.69 kB	34.05 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-client.node.development.js	+0.72%	193.35 kB	194.73 kB	+1.08%	33.70 kB	34.07 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-client.node.development.js	+0.72%	193.35 kB	194.73 kB	+1.08%	33.70 kB	34.07 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-client.node.development.js	+0.72%	193.35 kB	194.73 kB	+1.08%	33.70 kB	34.07 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.edge.development.js	+0.60%	187.27 kB	188.41 kB	+0.95%	32.96 kB	33.27 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.edge.development.js	+0.60%	187.27 kB	188.41 kB	+0.95%	32.96 kB	33.27 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.edge.development.js	+0.60%	187.27 kB	188.41 kB	+0.95%	32.96 kB	33.27 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-client.edge.development.js	+0.60%	187.30 kB	188.43 kB	+0.96%	32.97 kB	33.29 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-client.edge.development.js	+0.60%	187.30 kB	188.43 kB	+0.96%	32.97 kB	33.29 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-client.edge.development.js	+0.60%	187.30 kB	188.43 kB	+0.96%	32.97 kB	33.29 kB
oss-stable-semver/react-server-dom-esm/cjs/react-server-dom-esm-client.browser.development.js	+0.59%	185.33 kB	186.43 kB	+1.09%	32.43 kB	32.78 kB
oss-stable/react-server-dom-esm/cjs/react-server-dom-esm-client.browser.development.js	+0.59%	185.38 kB	186.48 kB	+1.09%	32.45 kB	32.80 kB
oss-experimental/react-server-dom-esm/cjs/react-server-dom-esm-client.browser.development.js	+0.59%	185.39 kB	186.49 kB	+1.09%	32.45 kB	32.81 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.browser.development.js	+0.56%	187.95 kB	188.99 kB	+1.02%	32.91 kB	33.25 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.browser.development.js	+0.56%	188.00 kB	189.04 kB	+1.02%	32.94 kB	33.28 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.browser.development.js	+0.56%	188.01 kB	189.06 kB	+1.03%	32.94 kB	33.28 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-client.browser.development.js	+0.55%	188.57 kB	189.62 kB	+1.03%	33.07 kB	33.41 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-client.browser.development.js	+0.55%	188.62 kB	189.67 kB	+1.03%	33.10 kB	33.44 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-client.browser.development.js	+0.55%	188.63 kB	189.68 kB	+1.03%	33.10 kB	33.44 kB
oss-experimental/react-server-dom-parcel/cjs/react-server-dom-parcel-client.edge.development.js	+0.51%	184.13 kB	185.06 kB	+0.87%	32.47 kB	32.75 kB
oss-stable-semver/react-server-dom-parcel/cjs/react-server-dom-parcel-client.edge.development.js	+0.51%	184.13 kB	185.06 kB	+0.87%	32.47 kB	32.75 kB
oss-stable/react-server-dom-parcel/cjs/react-server-dom-parcel-client.edge.development.js	+0.51%	184.13 kB	185.06 kB	+0.87%	32.47 kB	32.75 kB
oss-stable-semver/react-server-dom-parcel/cjs/react-server-dom-parcel-client.browser.development.js	+0.50%	183.47 kB	184.40 kB	+1.05%	32.02 kB	32.36 kB
oss-stable/react-server-dom-parcel/cjs/react-server-dom-parcel-client.browser.development.js	+0.50%	183.52 kB	184.45 kB	+1.05%	32.05 kB	32.38 kB
oss-experimental/react-server-dom-parcel/cjs/react-server-dom-parcel-client.browser.development.js	+0.50%	183.53 kB	184.46 kB	+1.05%	32.05 kB	32.39 kB
oss-stable-semver/react-server-dom-esm/esm/react-server-dom-esm-client.browser.development.js	+0.43%	231.50 kB	232.48 kB	+0.74%	51.09 kB	51.46 kB
oss-stable/react-server-dom-esm/esm/react-server-dom-esm-client.browser.development.js	+0.43%	231.52 kB	232.51 kB	+0.73%	51.11 kB	51.49 kB
oss-experimental/react-server-dom-esm/esm/react-server-dom-esm-client.browser.development.js	+0.43%	231.53 kB	232.51 kB	+0.73%	51.12 kB	51.49 kB
oss-stable-semver/react-server-dom-parcel/cjs/react-server-dom-parcel-server.browser.development.js	+0.33%	205.08 kB	205.75 kB	+0.81%	36.99 kB	37.29 kB
oss-stable/react-server-dom-parcel/cjs/react-server-dom-parcel-server.browser.development.js	+0.33%	205.08 kB	205.75 kB	+0.81%	36.99 kB	37.29 kB
oss-experimental/react-server-dom-parcel/cjs/react-server-dom-parcel-server.browser.development.js	+0.32%	207.18 kB	207.85 kB	+0.81%	37.43 kB	37.74 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.browser.development.js	+0.32%	212.86 kB	213.53 kB	+0.81%	38.30 kB	38.61 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.browser.development.js	+0.32%	212.86 kB	213.53 kB	+0.81%	38.30 kB	38.61 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-server.browser.development.js	+0.31%	213.34 kB	214.01 kB	+0.81%	38.41 kB	38.72 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-server.browser.development.js	+0.31%	213.34 kB	214.01 kB	+0.81%	38.41 kB	38.72 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.browser.development.js	+0.31%	214.97 kB	215.64 kB	+0.81%	38.75 kB	39.06 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-server.browser.development.js	+0.31%	215.44 kB	216.11 kB	+0.79%	38.86 kB	39.17 kB
oss-stable-semver/react-server-dom-esm/cjs/react-server-dom-esm-server.node.development.js	+0.30%	231.71 kB	232.41 kB	+0.75%	41.88 kB	42.20 kB
oss-stable/react-server-dom-esm/cjs/react-server-dom-esm-server.node.development.js	+0.30%	231.71 kB	232.41 kB	+0.75%	41.88 kB	42.20 kB
oss-experimental/react-server-dom-esm/cjs/react-server-dom-esm-server.node.development.js	+0.30%	233.80 kB	234.50 kB	+0.75%	42.33 kB	42.65 kB
oss-stable-semver/react-server-dom-parcel/cjs/react-server-dom-parcel-server.node.development.js	+0.29%	238.30 kB	239.00 kB	+0.76%	42.46 kB	42.78 kB
oss-stable/react-server-dom-parcel/cjs/react-server-dom-parcel-server.node.development.js	+0.29%	238.30 kB	239.00 kB	+0.76%	42.46 kB	42.78 kB
oss-experimental/react-server-dom-parcel/cjs/react-server-dom-parcel-server.node.development.js	+0.29%	240.39 kB	241.09 kB	+0.76%	42.92 kB	43.24 kB
oss-stable-semver/react-server-dom-unbundled/cjs/react-server-dom-unbundled-server.node.development.js	+0.29%	244.96 kB	245.66 kB	+0.77%	43.54 kB	43.87 kB
oss-stable/react-server-dom-unbundled/cjs/react-server-dom-unbundled-server.node.development.js	+0.29%	244.96 kB	245.66 kB	+0.77%	43.54 kB	43.87 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-server.node.development.js	+0.29%	246.15 kB	246.85 kB	+0.72%	43.87 kB	44.18 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-server.node.development.js	+0.29%	246.15 kB	246.85 kB	+0.72%	43.87 kB	44.18 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.node.development.js	+0.29%	246.20 kB	246.91 kB	+0.72%	43.86 kB	44.18 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.node.development.js	+0.29%	246.20 kB	246.91 kB	+0.72%	43.86 kB	44.18 kB
oss-experimental/react-server-dom-unbundled/cjs/react-server-dom-unbundled-server.node.development.js	+0.28%	247.05 kB	247.75 kB	+0.75%	44.01 kB	44.34 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-server.node.development.js	+0.28%	248.24 kB	248.94 kB	+0.74%	44.33 kB	44.65 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.node.development.js	+0.28%	248.29 kB	249.00 kB	+0.70%	44.33 kB	44.64 kB
oss-stable-semver/react-server-dom-parcel/cjs/react-server-dom-parcel-server.edge.development.js	+0.27%	208.77 kB	209.33 kB	+0.60%	37.51 kB	37.73 kB
oss-stable/react-server-dom-parcel/cjs/react-server-dom-parcel-server.edge.development.js	+0.27%	208.77 kB	209.33 kB	+0.60%	37.51 kB	37.73 kB
oss-experimental/react-server-dom-parcel/cjs/react-server-dom-parcel-server.edge.development.js	+0.27%	210.86 kB	211.42 kB	+0.61%	37.94 kB	38.17 kB
oss-stable-semver/react-server-dom-webpack/cjs/react-server-dom-webpack-server.edge.development.js	+0.26%	216.66 kB	217.23 kB	+0.63%	38.81 kB	39.05 kB
oss-stable/react-server-dom-webpack/cjs/react-server-dom-webpack-server.edge.development.js	+0.26%	216.66 kB	217.23 kB	+0.63%	38.81 kB	39.05 kB
oss-stable-semver/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.edge.development.js	+0.26%	216.66 kB	217.23 kB	+0.62%	38.81 kB	39.06 kB
oss-stable/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.edge.development.js	+0.26%	216.66 kB	217.23 kB	+0.62%	38.81 kB	39.06 kB
oss-experimental/react-server-dom-webpack/cjs/react-server-dom-webpack-server.edge.development.js	+0.26%	218.75 kB	219.32 kB	+0.61%	39.25 kB	39.49 kB
oss-experimental/react-server-dom-turbopack/cjs/react-server-dom-turbopack-server.edge.development.js	+0.26%	218.75 kB	219.32 kB	+0.60%	39.26 kB	39.50 kB

Generated by 🚫 dangerJS against 876bf8c

unstubbable · 2026-01-30T23:16:44Z

packages/react-server/src/ReactFlightReplyServer.js

+    // A warning would be noise if you used Flight without Components and don't encounter
+    // errors. We're warning eagerly so that you configure your environment accordingly
+    // before you encounter an error.
+    checkEvalAvailabilityOnceDev();


Shouldn't this be in ReactFlightReplyClient.js where eval is used? Looks like ReactFlightReplyServer.js does not use eval.

sohammeta · 2026-01-31T02:32:11Z

packages/react-client/src/ReactClientDebugConfigBrowser.js

+      } catch {
+        console.error(
+          'eval() is not supported in this environment. ' +
+            'If this page was served with a `Content-Security-Policy` header, ' +
+            'make sure that `unsafe-eval` is included. ' +
+            'React requires eval() in development mode for various debugging features ' +
+            'like reconstructing callstacks from a different environment.\n' +
+            'React will never use eval() in production mode',
+        );
+      }


If eval throws for reasons other than being unavailable, those errors will be swallowed.

Suggested change

} catch {

console.error(

'eval() is not supported in this environment. ' +

'If this page was served with a `Content-Security-Policy` header, ' +

'make sure that `unsafe-eval` is included. ' +

'React requires eval() in development mode for various debugging features ' +

'like reconstructing callstacks from a different environment.\n' +

'React will never use eval() in production mode',

);

}

} catch (error) {

console.error(

'eval() is not supported in this environment. ' +

'If this page was served with a `Content-Security-Policy` header, ' +

'make sure that `unsafe-eval` is included. ' +

'React requires eval() in development mode for various debugging features ' +

'like reconstructing callstacks from a different environment.\n' +

'React will never use eval() in production mode',

,error

);

}

meta-cla bot added the CLA Signed label Jan 30, 2026

github-actions bot added the React Core Team Opened by a member of the React Core Team label Jan 30, 2026

eps1lon force-pushed the sebbie/01-30-_flight_warn_once_if_eval_is_disabled_in_dev_environment branch from 328e3c3 to 41e269c Compare January 30, 2026 12:43

eps1lon force-pushed the sebbie/01-30-_flight_warn_once_if_eval_is_disabled_in_dev_environment branch 2 times, most recently from 3a8565c to b4f7dca Compare January 30, 2026 12:53

[Flight] Warn once if eval is disabled in dev environment

876bf8c

eps1lon force-pushed the sebbie/01-30-_flight_warn_once_if_eval_is_disabled_in_dev_environment branch from 0fa91a0 to 876bf8c Compare January 30, 2026 18:05

eps1lon requested a review from unstubbable January 30, 2026 18:10

eps1lon marked this pull request as ready for review January 30, 2026 18:10

unstubbable reviewed Jan 30, 2026

View reviewed changes

sohammeta reviewed Jan 31, 2026

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Flight] Warn once if `eval` is disabled in dev environment #35661

[Flight] Warn once if `eval` is disabled in dev environment #35661

eps1lon commented Jan 30, 2026 •

edited by unstubbable

Loading

Uh oh!

react-sizebot commented Jan 30, 2026 •

edited

Loading

Uh oh!

unstubbable Jan 30, 2026

Uh oh!

sohammeta Jan 31, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

[Flight] Warn once if eval is disabled in dev environment #35661

Are you sure you want to change the base?

[Flight] Warn once if eval is disabled in dev environment #35661

Conversation

eps1lon commented Jan 30, 2026 • edited by unstubbable Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

How did you test this change?

Uh oh!

react-sizebot commented Jan 30, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Critical size changes

Significant size changes

Uh oh!

unstubbable Jan 30, 2026

Choose a reason for hiding this comment

Uh oh!

sohammeta Jan 31, 2026

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

[Flight] Warn once if `eval` is disabled in dev environment #35661

[Flight] Warn once if `eval` is disabled in dev environment #35661

eps1lon commented Jan 30, 2026 •

edited by unstubbable

Loading

react-sizebot commented Jan 30, 2026 •

edited

Loading