github.com/dbohdan/embedded-scripting-languages
The following is a list of reasonably mature or actively developed open source embedded scripting languages to use in your application. Stretching the definition of a scripting language, it also includes Datalog implementations. Items with a strong copyleft license (like the GNU GPL) that will apply to the rest of your code are emphasized as a warning.
To sort and filter the list interactively, visit the webpage. To contribute, go to the GitHub project.
Language | Project name/link | Implemented in | GC | License | Notes |
---|---|---|---|---|---|
Ada | HAC | Ada | None (stack only) | MIT | HAC implements a subset of the Ada language. Thus, it can share sources with the embedding application. |
AngelScript | AngelScript | C++ | Ref. counting + cycle-detecting tracing GC | Zlib | A statically typed curly brace language resembling C++ itself. |
Anko | Anko | Go | Go's GC | MIT | Scriptable interpreter with syntax similar to Go. |
ArkScript | ArkScript | C++ | None (resource release is destruction + optional manual MM) | MPL-2.0 | A small functional Lisp-like programming language. Separate bytecode compiler and VM. |
Asp | Asp | C | Ref. counting inside a static memory area | MIT | Python-like. Targets embedded systems. Allows blocking calls in scripts without blocking the application. Runs compiled bytecode. Not related to Microsoft's Active Server Pages. |
Awk | Libmawk | C | Ref. counting | GPL-2.0 | Implements Awk. A fork of mawk 1.3 restructured for embedding. |
Awk, Basic, Pascal | Libfawk | C | Ref. counting | BSD-3-Clause | A multi-language VM. Includes compilers for three languages: Fawk (Awk dialect), Fbas (Basic dialect), and Fpas (Pascal dialect). |
Basic | MY-BASIC | C | Ref. counting + cycle-detecting tracing GC | MIT | A Basic dialect with prototype-based OOP. |
Boron | Boron | C | Tracing | LGPL-3.0-or-later | An embeddable scripting language similar to Rebol. |
C | PicoC | C | None (manual MM) | BSD-3-Clause | Statically typed. Interprets a subset of C. |
C | tcc | C | None | LGPL-2.0-only | A small C compiler that can be used as a library for a C JIT. libtcc header. Embedding example. |
C#, other CLR languages | Mono | C | Tracing | MIT and other | Implements the CLR. |
ChaiScript | ChaiScript | C++ | Ref. counting | BSD-3-Clause | A header-only C++14 interpreter library. |
Clojure | sci | Clojure | host VM's GC | EPL-1.0 | An interpreter for a subset of Clojure for Clojure and ClojureScript. |
Common Expression Language (CEL) | Common Expression Language | Go | Go's GC | Apache-2.0 | A non-Turing-complete expression language for Go. |
Common Lisp | Clasp | Common Lisp, C++ | MPS GC (Boehm-Weiser also supported) | LGPL-2.0-or-later | Full Common Lisp implementation well integrated with C++, using LLVM for the code generation, to integrate closely with C++ applications or libraries. |
Common Lisp | Embeddable Common Lisp | Common Lisp, C | Boehm-Weiser GC | LGPL-2.0-or-later | Full Common Lisp implementation, available as a shared library libecl.so embeddable in any C, C++ or other application. |
daScript | daScript | C++ | None (region-based + manual MM?) | BSD-3-Clause | A statically-typed performance-oriented scripting language. |
Datalog | AbcDatalog | Java | JVM's GC | BSD-3-Clause | Implements Datalog. |
Datalog | Cascalog | Clojure | JVM's GC | Apache-2.0 | Implements Datalog. |
Datalog | Datalog (c-cube) | OCaml | OCaml's GC | BSD-2-Clause | Implements Datalog. |
Datalog | Datalog (fogfish) | Erlang | None (no collection inside interpreter state) | Apache-2.0 | Implements Datalog. |
Datalog | Datalog (MITRE Corporation) | C | Tracing (Lua's GC) | LGPL-2.0-or-later | Implements Datalog. It is implemented on top of Lua 5.3 and can be extended with Lua functions. |
Dhall | Dhall | Haskell | Haskell's GC | BSD-3-Clause | A statically-typed functional configuration language. Not Turing-complete. Untrusted code: can't access the file system, can fetch Dhall libraries over HTTP(S) from static URLs (but libraries aren't allowed to access your data), can use up memory and CPU time for a DoS attack. Has a work-in-progress Clojure and Ruby implementation. |
DWScript | DWScript | Object Pascal (Delphi 2009 or later) | Ref. counting + cycle-detecting tracing GC | MPL-1.1, GPL-3.0 (JavaScript code generator) | Description. A statically typed Delphi/Free Pascal-like language. Can compile to JavaScript. |
Dyon | Dyon | Rust | None (Rust-style lifetimes) | Apache-2.0 or MIT | Has optional, optimistic (succeed-by-default) static type checking. |
Expr | Expr | Go | Go's GC | MIT | Compiles and evaluates statically-typed expressions. |
Falcon | Falcon | C++ | Tracing | GPL-2.0 or custom | The GC is pluggable. |
fe | fe | C | Tracing | MIT | Uses a fixed-size memory region. No malloc. |
Forth | Atlast | C | None (manual MM) | Public domain | A dialect of Forth originally developed at Autodesk. |
Forth | FTH | C | Tracing | BSD-2-Clause | A dialect of Forth with objects, hashes, regular expressions, and other extensions. |
Forth | pForth | C | None (manual MM) | Public domain | A dialect of Forth. |
GameMonkey Script | GameMonkey Script | C++ | Tracing | MIT | Comes with C bindings. Similar to Lua, multithreaded. |
Gentee | Gentee | Go | Go's GC | MIT | Statically typed. |
gluon | gluon | Rust | Tracing | MIT | Statically typed. Inspired by Lua, Haskell, and OCaml. Each executing gluon thread gets a separate heap. |
Go | Yaegi | Go | Go's GC | Apache-2.0 | An embedded complete Go interpreter, on top of the Go runtime. |
Gravity | Gravity | C | Tracing | MIT | A class-based concurrent scripting language with a Swift-like syntax. |
Groovy | Groovy | Java | JVM's GC | Apache-2.0 | A scripting language for the JVM. A large subset of Java is valid Groovy. Integrating Groovy into applications. |
Haxe | HashLink | C | Tracing (lazy sweep) | MIT | A bytecode interpreter and a baseline JIT compiler (x86/x86_64 only) for Haxe. |
Haxe, others | Neko | C | Boehm | MIT | The NekoVM is a target for several compilers, including Haxe. |
Io | Io | C | Tracing | BSD-3-Clause | A prototype-based OO language. |
Janet | Janet | C | Tracing | MIT | A functional and imperative language with a Lisp syntax. |
Java | BeanShell | Java | JVM's GC | Apache-2.0 | A small, embeddable Java source code interpreter. Understands Java code with certain extensions like method closures. |
JavaScript | Duktape | C | Ref. counting + cycle-detecting tracing GC | MIT | Implements JavaScript E5/E5.1. |
JavaScript | Espruino | C | Tracing | MPL-2.0 | Implements a subset of JavaScript ES5 in a way suitable for embedded hardware with 8+ KiB RAM. |
JavaScript | Goja | Go | Go's GC | MIT | Implements ECMAScript 5.1. Better standard compliance and performance than otto. |
JavaScript | GraalJS | C++, C, Java | JVM's GC | UPL-1.0 | Implements ECMAScript 2022 for GraalVM (HotSpot JVM) using Truffle. |
JavaScript | JerryScript | C | Tracing | Apache-2.0 | A full ECMAScript 5.1 interpreter written in C99 and optimized for low memory consumption. Uses CMake. |
JavaScript | jsish | C | Ref. counting | MIT | A JavaScript ES 5.2+ interpreter. Internally structured after Tcl with an extensive C API. Features include subinterpreters, introspection, SQLite bindings, and a web framework with WebSocket support. The code is valid C and C++. |
JavaScript | MuJS | C | Tracing | ISC | Implements JavaScript (ES5). Has a similar C interface to Lua. |
JavaScript | njs | C | None (no collection performed) | BSD-2-Clause | Implements a subset of ES5.1 with some ES6 extensions. |
JavaScript | otto | Go | Go's GC | MIT | Implements ES5 with some limitations. |
JavaScript | QuickJS | C | Ref. counting + cycle-detecting tracing GC | MIT | A small embedded JavaScript interpreter that implements almost all of ES2019 and much of ES2020. |
Jinx | Jinx | C++17 | Ref. counting | MIT | Designed for use in realtime applications such as video games. |
Jsonnet | Jsonnet | C++ | Tracing | Apache-2.0 | A functional configuration language that extends JSON. Untrusted code: can't access the file system or network, can use up memory and CPU time for a DoS attack. Has bindings for C, C++, Go, Python, and other languages, as well as a separate native Go implementation. |
Ketos | Ketos | Rust | None (no heap allocation)? | Apache-2.0 | A functional Lisp. |
LIL | LIL | C, Object Pascal (separate implementations) | None (no reference support) | Zlib | A Tcl-like language incompatible with mainline Tcl. |
Lily | Lily | C | Ref. counting + tracing GC | MIT | A language focusing on expressiveness and safety. |
ljs | ljs | C | Tracing | MIT | Lua 5.3, Lua 5.1, and LuaJIT with a C/C++/Java/JavaScript syntax. Can convert Lua source code to ljs. |
Lua | Go-Lua | Go | Go's GC | MIT | Implements a subset of Lua 5.2. |
Lua | GopherLua | Go | Go's GC | MIT | Implements Lua 5.1 with the added support for Go's channels. Lacks the debug hooks and several functions from the C version. |
Lua | Lua | C | Tracing | MIT | The reference implementation of what is likely the world's most popular embedded scripting language. Allows you to precompile scripts to bytecode. Versions 5.1-5.3, which are the ones used today, are not fully compatible with each other. |
Lua | LuaJ | Java | JVM's GC | MIT | A Lua 5.2 spec-compliant interpreter written in Java for JME and JSE. Compiles Lua directly to JVM bytecode. |
Lua | LuaJIT | C | Tracing | MIT | Fully compatible with Lua 5.1. Has a built-in C FFI library. Performance comparison. |
Lua | Lua-ML | OCaml | OCaml's GC | BSD-2-Clause | Embeddable Lua 2.5 reimplementation that integrates with OCaml type and module system. It's possible to extend or even replace the standard library with your own modules. |
Lua | Luau | C | Tracing | MIT | Roblox's fork of Lua 5.1, used as a scripting language for games. Supports a gradual type system, limits the set of standard libraries exposed to users, and implements extra sandboxing features to be able to run unprivileged code. Whenever possible, Luau aims to be backwards-compatible with Lua 5.1 and at the same time to incorporate features from later revisions of Lua. |
Lua | luerl | Erlang | Tracing | Apache-2.0 | An implementation of Lua 5.2 in pure Erlang with some features like goto absent. |
Lua | MoonSharp | C# | CLR's GC | BSD-3-Clause and other | A CLR-based Lua implementation that is 99% compatible with Lua 5.2. |
Lua | Ravi | C | Tracing | MIT | “Ravi is a dialect of Lua with limited optional static typing and features a JIT compiler powered by MIR as well as support for AOT compilation to native code.” |
Moirai | Moirai | Kotlin | JVM's GC | MIT | A scripting language that calculates the worst-case execution time (WCET) before executing each script. Optimized for multi-tenant microservices and serverless applications. |
Mond | Mond | C# | CLR's GC | MIT | A dynamically typed scripting language with generators, async, remote debugging, and a binding API. |
Never | Never | C | Tracing | MIT | A statically typed functional programming language. |
Nickel | Nickel | Rust | Ref. counting | MIT | A configuration language with gradual typing and contracts. Python bindings. |
Pascal | Pascal Script | Object Pascal | None (manual MM) | modified zlib/libpng-License with mandatory attribution | Statically typed. Implements "most of Object Pascal". Can't define new classes. |
Pawn | Pawn | C | None (no heap allocation) | Apache-2.0 with a clause to explicitly permit static linking | A curly-brace language with a small-footprint VM. Represents data as 4/8-byte "cells". Compiles to CPU-specific bytecode. More. |
Perl | Perl | C | Ref. counting | Artistic-2.0 or GPL-3.0 | Embedding Perl in Another Application |
PHP | ephp | Erlang | None (no collection inside interpreter state) | LGPL-2.1-or-later | Implements a subset of PHP 5.5. |
PHP | PH7 | C | Ref. counting | Symisc Public License or proprietary | Implements a subset of PHP 5.3 with some changes like native UTF-8 support. |
Pluto | Pluto | C++ | Tracing | MIT | A superset of Lua 5.4 (outside of incompatibilities caused by new syntax). Adds syntax like !=, break, and string interpolation; expands the standard library; somewhat improves performance. |
pocketlang | pocketlang | C | Tracing | MIT | A small language syntactically similar to Ruby. Embedding examples. Performance comparison. |
Prolog | Erlog | Erlang | None () | Apache-2.0 | Interprets a subset of standard Prolog. |
Prolog | Golog | Go | Go's GC | MIT | Implements a subset of standard Prolog. |
Python | CircuitPython | C | Tracing | MIT | A fork of MicroPython, designed for API uniformity across many microcontrollers. |
Python | gpython | Go | Go's GC | BSD-3-Clause | Implements a subset of Python 3.4. |
Python | GraalPy | C, Java | JVM's GC | UPL-1.0 | Implements Python 3 for GraalVM (HotSpot JVM) using Truffle. |
Python | Jython | Java | JVM's GC | PSFL (BSD-like) | An implementation of Python 2 for the JVM. |
Python | MicroPython | C | Tracing | MIT | Implements Python 3.4 syntax and some of the core datatypes. |
Python | PikaPython | C | Ref. counting | MIT | Implements a variant of Python 3. The degree of compatibility with Python seems to be undocumented. Runs in as little as 4 KiB of RAM. Targets microcontrollers and Linux. |
Python | pocketpy | C++ | Tracing | MIT | Implements a subset of Python 3 (with some differences) in a single C++17 header file. |
Python | Python | C | Ref. counting + cycle-detecting tracing GC | PSFL (BSD-like) | "Embedding Python in Another Application". |
QuakeC | gmqcc/qcvm | C++ | None (no dynamic memory allocation) | MIT | A QuakeC compiler and VM. |
Quirrel | Quirrel | C++ | Ref. counting | MIT | A fork of Squirrel with new features. |
Rebol | Rebol | C | Tracing | Apache-2.0 | Relative Expression Based Object Language |
Red | Red | Rebol, Red, Red/System | Tracing | BSD-3-Clause, BSL-1.0 | A descendant of Rebol. Embeddable via libRed. Features a cross-platform native GUI system. Intended to have low memory usage. |
Rexx | NetRexx | Java | JVM's GC | ICU (BSD-like) | |
Rexx | ooRexx | C++ | Tracing | CPL | Implements Rexx extended with objects. |
Rhai | Rhai | Rust | None (Rust-style lifetimes) | MIT or Apache-2.0 | An embedded scripting language for Rust inspired by ChaiScript. |
Ring | Ring | C | Tracing | MIT | An embeddable applications programming language with a large standard library and GIL-less multithreading. |
Ruby | JRuby | Java | JVM's GC | Choice of EPL, GPL, and LGPL | An implementation of Ruby on the JVM. |
Ruby | mruby | C | Tracing | MIT | A lightweight implementation of Ruby. Has a compile-time package manager. |
Ruby | mruby/c | C | Ref. counting | BSD-3-Clause | An even smaller implementation of Ruby for microcontrollers with limited memory. |
Ruby | Ruby | C | Tracing | Choice of BSD-2-Clause, Ruby license, GPL-2.0 | An embeddable object-oriented scripting language. Running Ruby in C. |
Ruby | TruffleRuby | C, Java | JVM's GC | UPL-1.0 | Implements Ruby for GraalVM (HotSpot JVM) using Truffle. |
Rune | Rune | Rust | Ref. counting | MIT or Apache-2.0 | An embeddable dynamic programming language. Asynchronous-first and const-evaluation. |
Scheme | Animula | C | Tracing | Compiler: GPL-3.0-or-later, VM: LGPL-3.0-or-later | An optimizing compiler and VM for embedded systems. R7RS. |
Scheme | Chibi Scheme | C | Tracing | BSD-3-Clause | Implements R7RS small. |
Scheme | CHICKEN Scheme | C | Tracing | BSD-3-Clause | Implements R5RS (with some changes). R7RS support is a work in progress. Examples of embedding CHICKEN. |
Scheme | GNU Guile | C | Boehm | LGPL-3.0-or-later | "Guile mostly implements R6RS." |
Scheme | Kawa | Java | JVM's GC | MIT | R7RS. Supports the javax.script API. Evaluating Scheme expressions from Java. |
Scheme | s7 | C | Tracing | BSD-3-Clause | Implements a subset of R5RS/R7RS. Descended from TinyScheme. |
Scheme | Steel | Rust | Ref. counting + tracing GC | Apache-2.0 or MIT | Aims for eventual R5RS and R7RS compliance. Has extensions inspired by Racket. |
Scheme | TinyScheme | C | Tracing? | BSD-3-Clause | Implements a subset of R5RS. |
SGScript | SGScript | C | Ref. counting + tracing GC | MIT | Features include a built-in data serialization format, coroutines, class-based OOP, sandboxed evaluation, a built-in debugger and profiler. |
Shine | Shine | C | Tracing | MIT | A language based on Lua with additional safety and expressiveness features implemented as a fork of LuaJIT. |
simpleeval | simpleeval | Python | Python's GC | MIT | Evaluates expressions in a subset of Python. |
Snek | Snek | C | Tracing | GPL-3.0-or-later | A Python-inspired language. Targets "processors too small to run MicroPython". |
SquiLu | SquiLu | C++ | Ref. counting | MIT, some extensions LGPL or GPL | A fork of Squirrel. Changes the syntax to accept a subset of JavaScript and C/C++. Implements Lua's features like string pattern matching and global table manipulation functions. Adds extensions for database access (SQLite3, MySQL, PostgreSQL), sockets, and other features. |
Squirrel | Squirrel | C++ | Ref. counting | MIT | A language inspired by Lua and JavaScript/Python. Has a Lua-like C++ API. Differentiates itself from Lua with the use of reference counting in place of Lua's tracing GC, a curly-brace syntax, built-in class-based OOP, and zero-indexed arrays. |
Starlark | Starlark (Go) | Go | Go's GC | BSD-3-Clause | A small dialect of Python for configuration. Not Turing-complete. Untrusted code: can't access the file system and network, can use up memory and CPU to perform a DoS attack. Spec. Python bindings. |
Starlark | Starlark (Java) | Java | JVM's GC | Apache-2.0 | Starlark for the JVM. The original implementation. |
Starlark | Starlark (Rust) | Rust | ? | Apache-2.0 | Starlark in Rust. Python bindings. |
Tcl | Jim Tcl | C | Tracing | BSD-2-Clause | Largely compatible with Tcl 8.5 with its own additions. |
Tcl | JTcl | Java | Ref. counting | Various BSD-like | Tcl 8.4 with some 8.5 features for the JVM. |
Tcl | Molt | Rust | Ref. counting | BSD-3-Clause | A minimal Tcl implementation for Rust applications and libraries. |
Tcl | Picol | C | None (no reference support) | BSD-2-Clause | A header-only library interpreter for a limited dialect of Tcl. |
Tcl | Tcl | C | Ref. counting | Tcl license (BSD-like) | An embeddable general-purpose scripting language with a rich C API. Has a cross-platform GUI toolkit called Tk. How to embed Tcl in C applications. |
Toy | Toy | C | Ref. counting | Zlib | Has an optional type system. Embedding Toy. |
Umka | Umka | C | Ref. counting | BSD-2-Clause | Statically typed. |
Wirefilter | Wirefilter | Rust | None (no dynamic memory allocation) | MIT | An expression language for Wireshark-like filters. |
Wren | Wren | C | Tracing | MIT | A small class-based performance-oriented scripting language. Performance comparison. |
ZetScript | ZetScript | C++ | Ref. counting | MIT | Comes with an API for C++ interop. |
zygomys | zygomys | Go | Go's GC | BSD-2-Clause | An embedded Lisp for Go. Inspired by Clojure, but more oriented towards imperative programming. Has an infix syntax layer that looks like a subset of Go. |
Your contributions are welcome! See CONTRIBUTING.
The curator of this document maintains Picol and has contributed to Jim Tcl.