diff --git a/.npmrc b/.npmrc
new file mode 100644
index 0000000..43c97e7
--- /dev/null
+++ b/.npmrc
@@ -0,0 +1 @@
+package-lock=false
diff --git a/.travis.yml b/.travis.yml
index cc4dba2..6e35c0c 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,4 +1,18 @@
 language: node_js
+os: linux
+dist: bionic
+before_install:
+  - "nvm install-latest-npm"
 node_js:
   - "0.8"
   - "0.10"
+  - "0.12"
+  - "4"
+  - "6"
+  - "8"
+  - "9"
+  - "10"
+  - "11"
+  - "12"
+  - "13"
+  - "14"
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..e91f004
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,15 @@
+# static-eval Change Log
+All notable changes to this project will be documented in this file.
+This project adheres to [Semantic Versioning](http://semver.org/).
+
+## 2.1.0
+* Add `allowAccessToMethodsOnFunctions` option to restore 1.x behaviour so that [cwise](https://github.com/scijs/cwise) can upgrade. ([@archmoj](https://github.com/archmoj) in [#31](https://github.com/browserify/static-eval/pull/31))
+
+  Do not use this option if you are not sure that you need it, as it had previously been removed for security reasons. There is a known exploit to execute arbitrary code. Only use it on trusted inputs, like the developer's JS files in a build system.
+
+## 2.0.5
+* Fix function bodies being invoked during declaration. ([@RoboPhred](https://github.com/RoboPhred) in [#30](https://github.com/browserify/static-eval/pull/30))
+
+## 2.0.4
+* Short-circuit evaluation in `&&` and `||` expressions. ([@RoboPhred](https://github.com/RoboPhred) in [#28](https://github.com/browserify/static-eval/pull/28))
+* Start tracking changes.
diff --git a/LICENSE b/LICENSE
index ee27ba4..f52ee8c 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,4 +1,6 @@
-This software is released under the MIT license:
+MIT License
+
+Copyright (c) 2013 James Halliday
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of
 this software and associated documentation files (the "Software"), to deal in
diff --git a/index.js b/index.js
index 3cfbdba..92f4687 100644
--- a/index.js
+++ b/index.js
@@ -1,15 +1,18 @@
 var unparse = require('escodegen').generate;
 
-module.exports = function (ast, vars) {
+module.exports = function (ast, vars, opts) {
+    if(!opts) opts = {};
+    var rejectAccessToMethodsOnFunctions = !opts.allowAccessToMethodsOnFunctions;
+
     if (!vars) vars = {};
     var FAIL = {};
-    
-    var result = (function walk (node, scopeVars) {
+
+    var result = (function walk (node, noExecute) {
         if (node.type === 'Literal') {
             return node.value;
         }
         else if (node.type === 'UnaryExpression'){
-            var val = walk(node.argument)
+            var val = walk(node.argument, noExecute)
             if (node.operator === '+') return +val
             if (node.operator === '-') return -val
             if (node.operator === '~') return ~val
@@ -19,7 +22,7 @@ module.exports = function (ast, vars) {
         else if (node.type === 'ArrayExpression') {
             var xs = [];
             for (var i = 0, l = node.elements.length; i < l; i++) {
-                var x = walk(node.elements[i]);
+                var x = walk(node.elements[i], noExecute);
                 if (x === FAIL) return FAIL;
                 xs.push(x);
             }
@@ -31,7 +34,7 @@ module.exports = function (ast, vars) {
                 var prop = node.properties[i];
                 var value = prop.value === null
                     ? prop.value
-                    : walk(prop.value)
+                    : walk(prop.value, noExecute)
                 ;
                 if (value === FAIL) return FAIL;
                 obj[prop.key.value || prop.key.name] = value;
@@ -40,12 +43,30 @@ module.exports = function (ast, vars) {
         }
         else if (node.type === 'BinaryExpression' ||
                  node.type === 'LogicalExpression') {
-            var l = walk(node.left);
+            var op = node.operator;
+
+            if (op === '&&') {
+                var l = walk(node.left);
+                if (l === FAIL) return FAIL;
+                if (!l) return l;
+                var r = walk(node.right);
+                if (r === FAIL) return FAIL;
+                return r;
+            }
+            else if (op === '||') {
+                var l = walk(node.left);
+                if (l === FAIL) return FAIL;
+                if (l) return l;
+                var r = walk(node.right);
+                if (r === FAIL) return FAIL;
+                return r;
+            }
+
+            var l = walk(node.left, noExecute);
             if (l === FAIL) return FAIL;
-            var r = walk(node.right);
+            var r = walk(node.right, noExecute);
             if (r === FAIL) return FAIL;
-            
-            var op = node.operator;
+
             if (op === '==') return l == r;
             if (op === '===') return l === r;
             if (op === '!=') return l != r;
@@ -62,9 +83,7 @@ module.exports = function (ast, vars) {
             if (op === '|') return l | r;
             if (op === '&') return l & r;
             if (op === '^') return l ^ r;
-            if (op === '&&') return l && r;
-            if (op === '||') return l || r;
-            
+
             return FAIL;
         }
         else if (node.type === 'Identifier') {
@@ -80,70 +99,80 @@ module.exports = function (ast, vars) {
             else return FAIL;
         }
         else if (node.type === 'CallExpression') {
-            var callee = walk(node.callee);
+            var callee = walk(node.callee, noExecute);
             if (callee === FAIL) return FAIL;
             if (typeof callee !== 'function') return FAIL;
-            
-            var ctx = node.callee.object ? walk(node.callee.object) : FAIL;
+
+
+            var ctx = node.callee.object ? walk(node.callee.object, noExecute) : FAIL;
             if (ctx === FAIL) ctx = null;
 
             var args = [];
             for (var i = 0, l = node.arguments.length; i < l; i++) {
-                var x = walk(node.arguments[i]);
+                var x = walk(node.arguments[i], noExecute);
                 if (x === FAIL) return FAIL;
                 args.push(x);
             }
+
+            if (noExecute) {
+                return undefined;
+            }
+
             return callee.apply(ctx, args);
         }
         else if (node.type === 'MemberExpression') {
-            var obj = walk(node.object);
-            // do not allow access to methods on Function 
-            if((obj === FAIL) || (typeof obj == 'function')){
+            var obj = walk(node.object, noExecute);
+            if((obj === FAIL) || (
+                (typeof obj == 'function') && rejectAccessToMethodsOnFunctions
+            )){
                 return FAIL;
             }
-            if (node.property.type === 'Identifier') {
+            if (node.property.type === 'Identifier' && !node.computed) {
+                if (isUnsafeProperty(node.property.name)) return FAIL;
                 return obj[node.property.name];
             }
-            var prop = walk(node.property);
-            if (prop === FAIL) return FAIL;
+            var prop = walk(node.property, noExecute);
+            if (prop === null || prop === FAIL) return FAIL;
+            if (isUnsafeProperty(prop)) return FAIL;
             return obj[prop];
         }
         else if (node.type === 'ConditionalExpression') {
-            var val = walk(node.test)
+            var val = walk(node.test, noExecute)
             if (val === FAIL) return FAIL;
-            return val ? walk(node.consequent) : walk(node.alternate)
+            return val ? walk(node.consequent) : walk(node.alternate, noExecute)
         }
         else if (node.type === 'ExpressionStatement') {
-            var val = walk(node.expression)
+            var val = walk(node.expression, noExecute)
             if (val === FAIL) return FAIL;
             return val;
         }
         else if (node.type === 'ReturnStatement') {
-            return walk(node.argument)
+            return walk(node.argument, noExecute)
         }
         else if (node.type === 'FunctionExpression') {
-            
             var bodies = node.body.body;
-            
+
             // Create a "scope" for our arguments
             var oldVars = {};
             Object.keys(vars).forEach(function(element){
                 oldVars[element] = vars[element];
             })
 
-            node.params.forEach(function(key) {
+            for(var i=0; i<node.params.length; i++){
+                var key = node.params[i];
                 if(key.type == 'Identifier'){
                   vars[key.name] = null;
                 }
-            });
+                else return FAIL;
+            }
             for(var i in bodies){
-                if(walk(bodies[i]) === FAIL){
+                if(walk(bodies[i], true) === FAIL){
                     return FAIL;
                 }
             }
             // restore the vars and scope after we walk
             vars = oldVars;
-            
+
             var keys = Object.keys(vars);
             var vals = keys.map(function(key) {
                 return vars[key];
@@ -153,14 +182,14 @@ module.exports = function (ast, vars) {
         else if (node.type === 'TemplateLiteral') {
             var str = '';
             for (var i = 0; i < node.expressions.length; i++) {
-                str += walk(node.quasis[i]);
-                str += walk(node.expressions[i]);
+                str += walk(node.quasis[i], noExecute);
+                str += walk(node.expressions[i], noExecute);
             }
-            str += walk(node.quasis[i]);
+            str += walk(node.quasis[i], noExecute);
             return str;
         }
         else if (node.type === 'TaggedTemplateExpression') {
-            var tag = walk(node.tag);
+            var tag = walk(node.tag, noExecute);
             var quasi = node.quasi;
             var strings = quasi.quasis.map(walk);
             var values = quasi.expressions.map(walk);
@@ -171,6 +200,10 @@ module.exports = function (ast, vars) {
         }
         else return FAIL;
     })(ast);
-    
+
     return result === FAIL ? undefined : result;
 };
+
+function isUnsafeProperty(name) {
+    return name === 'constructor' || name === '__proto__';
+}
diff --git a/package.json b/package.json
index d62b312..84db957 100644
--- a/package.json
+++ b/package.json
@@ -1,14 +1,14 @@
 {
   "name": "static-eval",
-  "version": "2.0.0",
+  "version": "2.1.0",
   "description": "evaluate statically-analyzable expressions",
   "main": "index.js",
   "dependencies": {
-    "escodegen": "^1.8.1"
+    "escodegen": "^1.11.1"
   },
   "devDependencies": {
-    "esprima": "^2.7.3",
-    "tape": "^4.6.0"
+    "esprima": "^3.1.3",
+    "tape": "^4.10.1"
   },
   "scripts": {
     "test": "tape test/*.js"
@@ -25,9 +25,9 @@
   },
   "repository": {
     "type": "git",
-    "url": "git://github.com/substack/static-eval.git"
+    "url": "git://github.com/browserify/static-eval.git"
   },
-  "homepage": "https://github.com/substack/static-eval",
+  "homepage": "https://github.com/browserify/static-eval",
   "keywords": [
     "static",
     "eval",
diff --git a/readme.markdown b/readme.markdown
index 9bd50f9..554fdff 100644
--- a/readme.markdown
+++ b/readme.markdown
@@ -4,7 +4,11 @@ evaluate statically-analyzable expressions
 
 [![testling badge](https://ci.testling.com/substack/static-eval.png)](https://ci.testling.com/substack/static-eval)
 
-[![build status](https://secure.travis-ci.org/substack/static-eval.png)](http://travis-ci.org/substack/static-eval)
+[![build status](https://secure.travis-ci.org/browserify/static-eval.png)](http://travis-ci.org/browserify/static-eval)
+
+# security
+
+static-eval is like `eval`. It is intended for use in build scripts and code transformations, doing some evaluation at build time—it is **NOT** suitable for handling arbitrary untrusted user input. Malicious user input _can_ execute arbitrary code.
 
 # example
 
diff --git a/security.md b/security.md
new file mode 100644
index 0000000..a1273a0
--- /dev/null
+++ b/security.md
@@ -0,0 +1,15 @@
+# Security Policy
+
+## Supported Versions
+Only the latest major version is supported at any given time.
+
+## Reporting a Vulnerability
+
+To report a security vulnerability, please use the
+[Tidelift security contact](https://tidelift.com/security).
+Tidelift will coordinate the fix and disclosure.
+
+Note that this package is intended for use in build-time
+transformations. It is only intended to handle trusted code. If a
+vulnerability requires a fix that would prevent important use cases, we
+may decide not to address it.
diff --git a/test/eval.js b/test/eval.js
index c8d3d25..ed5cf90 100644
--- a/test/eval.js
+++ b/test/eval.js
@@ -44,6 +44,20 @@ test('array methods', function(t) {
     t.deepEqual(evaluate(ast), [2, 4, 6]);
 });
 
+test('array methods invocation count', function(t) {
+    t.plan(2);
+
+    var variables = {
+        values: [1, 2, 3],
+        receiver: []
+    };
+    var src = 'values.forEach(function(x) { receiver.push(x); })'
+    var ast = parse(src).body[0].expression;
+    evaluate(ast, variables);
+    t.equal(variables.receiver.length, 3);
+    t.deepEqual(variables.receiver, [1, 2, 3]);
+})
+
 test('array methods with vars', function(t) {
     t.plan(1);
 
@@ -79,4 +93,85 @@ test('MemberExpressions from Functions unresolved', function(t) {
     var ast = parse(src).body[0].expression;
     var res = evaluate(ast, {});
     t.equal(res, undefined);
+});
+
+test('disallow accessing constructor or __proto__', function (t) {
+    t.plan(4)
+
+    var someValue = {};
+
+    var src = 'object.constructor';
+    var ast = parse(src).body[0].expression;
+    var res = evaluate(ast, { vars: { object: someValue } });
+    t.equal(res, undefined);
+
+    var src = 'object["constructor"]';
+    var ast = parse(src).body[0].expression;
+    var res = evaluate(ast, { vars: { object: someValue } });
+    t.equal(res, undefined);
+
+    var src = 'object.__proto__';
+    var ast = parse(src).body[0].expression;
+    var res = evaluate(ast, { vars: { object: someValue } });
+    t.equal(res, undefined);
+
+    var src = 'object["__pro"+"t\x6f__"]';
+    var ast = parse(src).body[0].expression;
+    var res = evaluate(ast, { vars: { object: someValue } });
+    t.equal(res, undefined);
+});
+
+
+test('constructor at runtime only', function(t) {
+    t.plan(2)
+
+    var src = '(function myTag(y){return ""[!y?"__proto__":"constructor"][y]})("constructor")("console.log(process.env)")()'
+    var ast = parse(src).body[0].expression;
+    var res = evaluate(ast);
+    t.equal(res, undefined);
+
+    var src = '(function(prop) { return {}[prop ? "benign" : "constructor"][prop] })("constructor")("alert(1)")()'
+    var ast = parse(src).body[0].expression;
+    var res = evaluate(ast);
+    t.equal(res, undefined);
+});
+
+test('short circuit evaluation AND', function(t) {
+    t.plan(1);
+
+    var variables = {
+        value: null
+    };
+    var src = 'value && value.func()';
+    var ast = parse(src).body[0].expression;
+    var res = evaluate(ast, variables);
+    t.equals(res, null);
+})
+
+test('short circuit evaluation OR', function(t) {
+    t.plan(1);
+
+    var fnInvoked = false;
+    var variables = {
+        value: true,
+        fn: function() { fnInvoked = true}
+    };
+    var src = 'value || fn()';
+    var ast = parse(src).body[0].expression;
+    evaluate(ast, variables);
+    t.equals(fnInvoked, false);
+})
+
+test('function declaration does not invoke CallExpressions', function(t) {
+    t.plan(1);
+
+    var invoked = false;
+    var variables = {
+        noop: function(){},
+        onInvoke: function() {invoked = true}
+    };
+    var src = 'noop(function(){ onInvoke(); })';
+    var ast = parse(src).body[0].expression;
+    evaluate(ast, variables);
+    t.equal(invoked, false);
 });
\ No newline at end of file