
Unsafe use of eval #1

@cristianstaicu

Description


In file index.js, the following uses of eval may have unexpected consequences:

```js
// Snippet from index.js as quoted in the issue. findValue and
// buildDuplicatePath are defined elsewhere in the module (not shown).
function setItemPath(dup, obj, objectPath, path) {
    var value = findValue(objectPath, obj);
    // The caller-supplied path string becomes the left-hand side of an
    // assignment and is executed as source code.
    path += '=value;';
    eval(path);
}
function deleteItemValue(dup, duplicatePath) {
    var path = buildDuplicatePath(dup, duplicatePath);
    // Same pattern: the path string is spliced into a statement and executed.
    path = 'delete ' + path;
    eval(path);
}
```

I know it is not very likely, but if an attacker can control one of the parameters to your module, they may do something like this:

```js
mask.mask(model, ['id"]; console["log"]("my evil code was run");//'])
```

My suggestions: get rid of eval by using bracket notation, validate the input to eval with a regex, or use a more heavyweight sanitization package like https://www.npmjs.com/package/eval-sanitizer
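The bracket-notation replacement the issue suggests, as an added example that is not part of the issue or of the module's own code. It assumes paths are dot-separated strings such as `user.name` and passes the target object explicitly (the original `deleteItemValue` resolved it through `buildDuplicatePath`, which is not shown); `findValue` and `buildDuplicatePath` are not used. The `setItemPathSafe`/`deleteItemValueSafe` names and the `FORBIDDEN_SEGMENTS` check are this example's, not the project's. With property access instead of `eval`, the payload from the issue is stored as an ordinary property name and is never executed; segments that would reach the prototype chain are rejected, because `obj["__proto__"]` is as harmful via bracket notation as via `eval`.

```javascript
// Added example, not the module's code: path handling via bracket notation.
// Assumption: paths are dot-separated strings ("user.profile.name").

// Keys that would let a caller write to the prototype chain are refused.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

function splitPath(path) {
  if (typeof path !== 'string' || path.length === 0) {
    throw new TypeError('path must be a non-empty string');
  }
  const segments = path.split('.');
  for (const seg of segments) {
    if (seg.length === 0) throw new Error(`empty segment in path "${path}"`);
    if (FORBIDDEN_SEGMENTS.has(seg)) throw new Error(`forbidden segment "${seg}"`);
  }
  return segments;
}

const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
const isObject = (v) => v !== null && typeof v === 'object';

// Read obj at path; undefined if any step is missing or not an own property.
function getByPath(obj, path) {
  let cur = obj;
  for (const seg of splitPath(path)) {
    if (!isObject(cur) || !hasOwn(cur, seg)) return undefined;
    cur = cur[seg];
  }
  return cur;
}

// Write value at path, creating intermediate plain objects as needed.
function setByPath(obj, path, value) {
  const segments = splitPath(path);
  let cur = obj;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    if (!hasOwn(cur, seg) || !isObject(cur[seg])) cur[seg] = {};
    cur = cur[seg];
  }
  cur[segments[segments.length - 1]] = value;
  return obj;
}

// Delete the own property at path; false if the path does not resolve.
function deleteByPath(obj, path) {
  const segments = splitPath(path);
  let cur = obj;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    if (!isObject(cur) || !hasOwn(cur, seg)) return false;
    cur = cur[seg];
  }
  const last = segments[segments.length - 1];
  if (!isObject(cur) || !hasOwn(cur, last)) return false;
  delete cur[last];
  return true;
}

// Counterparts to the issue's functions (hypothetical names). dup is kept
// for signature parity with the original and is unused here.
function setItemPathSafe(dup, obj, objectPath, path) {
  return setByPath(obj, path, getByPath(obj, objectPath));
}
function deleteItemValueSafe(dup, obj, duplicatePath) {
  return deleteByPath(obj, duplicatePath);
}

// Demo on constructed data: copy user.name to copy.name, delete the original,
// then store the issue's payload string as a key and observe it is inert.
function demo() {
  const model = { id: 1, user: { name: 'alice' } };
  setItemPathSafe(null, model, 'user.name', 'copy.name');
  deleteItemValueSafe(null, model, 'user.name');
  const payload = 'id"]; console["log"]("my evil code was run");//';
  setByPath(model, payload, 42);
  return { model, payloadStoredAsKey: hasOwn(model, payload) };
}
```

Usage: `demo()` returns the mutated model; `model.copy.name` is `'alice'`, `model.user.name` is gone, and the payload string is just one own property holding `42`. A caller who needs the `eval`-era behaviour of resolving a variable by name should instead pass that object in, as `deleteItemValueSafe` does.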
