
js-vm is a highly secure, fully compatible implementation of the Node.js VM API in pure ECMAScript 5. It may be used as a vm shim in webpack. It has a footprint of 7KB and does not depend on browser technologies or the DOM.
js-vm is designed with high demands on efficiency and security:
- Code is transpiled by RegExp tokenization and no AST is created, which the project reports as a speed-up by a factor of 100K.
- Initialization cost is minimal: no iframe or similar is created at runtime.
Install this package using NPM:
```sh
npm install js-vm
```
```js
var vm = require('js-vm');
// Expose only the host objects the script is allowed to see.
var sandbox = { console: console };
vm.runInNewContext('console.log("Hello world")', sandbox);
```
See the Node.js vm documentation.
js-vm executes scripts one after another in the same global scope. No
iframe or Web Worker is instantiated at runtime; execution consists solely
of eval of RegExp-transpiled code.
To achieve this, from the perspective of an executed script the built-in
global objects (but not the global object itself) are frozen. Any
modification to properties or sub-properties of built-in objects (such as
Object.prototype.toString) is discarded (see the behaviour of
Object.freeze(): the write fails silently in sloppy-mode code and throws a
TypeError in strict-mode code). Since modifying built-in prototypes is an
anti-pattern in a modularized ECMAScript ecosystem anyway, we regard the
increased strictness enforced by js-vm as an improvement in code quality.
js-vm does not freeze any objects of the host script, but it will attempt
to execute scripts in a separate global scope whenever that is technically
viable (for example, in a hidden iframe that is created only once and then
reused).
js-vm differs from vm in the following points:
- Built-in global objects (Object, Array, Date etc.) and their prototypes are immutable. This includes properties such as RegExp.lastMatch, which would normally change dynamically.
- The timeout option limits not only the execution time of the script itself but also that of functions defined in the script which are called after the main script has terminated, such as event handlers and timer callbacks.
© 2016 Filip Dalüge, all rights reserved.