js-vm

Installation
Install this package using NPM:
npm install js-vm
What is js-vm?
js-vm is a highly secure, fully compatible ECMAScript 5 implementation of the Node.js VM API. It may be used as a vm shim in webpack.
js-vm is designed to meet high demands on efficiency and security.
- Code is transpiled only on the basis of native RegExp tokenization
  and no AST is created, increasing speed by a factor of some 10K.
- Security measures are designed to be widely immune to
  client-specific or future extensions of the grammar of the script
  language (ECMAScript). The package relies only on standardized ES5
  features, leading to the best possible predictability and
  assessability of security aspects.
What makes it fast?
js-vm executes scripts one after another in the same global scope. No
iframe or Web Worker is instantiated at runtime, and execution is
carried out solely by means of eval execution of RegExp-transpiled
code.
To achieve this, from the perspective of an executed script, built-in
properties of the global object are frozen. Any modifications on
properties or sub-properties of built-in objects (such as
Object.prototype.toString = function () { }) will not have any effect
(see the behavior of Object.freeze()).
Since we consider modification of built-in prototypes an anti-pattern
in a modularized ECMAScript ecosystem, we regard the increased
strictness as an acceptable measure that does not harm code quality
but, on the contrary, benefits it.
js-vm will attempt to create a separate global scope (i.e., by means
of an iframe or Node.js' native vm) as the target of its code
execution. If such a measure is not available, however (e.g., in a Web
Worker), the built-in objects of the host environment appear as
frozen, too.
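The effect of frozen built-ins on a script can be reproduced with Node's native vm module and Object.freeze(). The following is an added example, not js-vm's own code: the BUILTINS list, makeFrozenContext and attempt are names assumed for the illustration, and only a small subset of built-ins is frozen. It shows that a write to a frozen prototype is silently dropped in sloppy mode but raises a TypeError in strict mode, which is the mode listed under Limitations.

```javascript
const vm = require('vm');

// Constructed subset of built-ins to freeze for this demonstration.
const BUILTINS = ['Object', 'Array', 'Function', 'String', 'Date', 'RegExp'];

// Constructed sample of a script statement that tampers with a built-in.
const HIJACK = 'Object.prototype.toString = function () { return "hijacked"; };';

// Create a fresh global scope and freeze the listed constructors and
// their prototypes inside it, before any untrusted script runs.
function makeFrozenContext() {
  const ctx = vm.createContext({});
  const freezeAll = BUILTINS
    .map(function (n) { return 'Object.freeze(' + n + '); Object.freeze(' + n + '.prototype);'; })
    .join('\n');
  vm.runInContext(freezeAll, ctx);
  return ctx;
}

// Run one statement in a frozen context and report what happened:
// the error name (if any) and the state of Object.prototype afterwards.
function attempt(statement, strict) {
  const ctx = makeFrozenContext();
  let error = null;
  try {
    vm.runInContext((strict ? '"use strict";' : '') + statement, ctx);
  } catch (e) {
    // Errors come from the other context, so compare by name, not instanceof.
    error = e.name;
  }
  const state = vm.runInContext(
    '[Object.prototype.toString.call([]), "polluted" in {}]', ctx);
  return { error: error, toStringResult: state[0], polluted: state[1] };
}

console.log('sloppy:', attempt(HIJACK, false));
console.log('strict:', attempt(HIJACK, true));
console.log('pollution:', attempt('Object.prototype.polluted = true;', true));
```

In both modes the built-in stays intact; what differs is whether the tampering script is told about it, so code that relies on patching prototypes fails loudly under strict mode.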
Comparison
js-vm differs from vm in the following points:
Limitations
- All scripts run in strict mode (or an unspecified superset, if unsupported).
- Built-in objects (Object, Array, Date etc.) and their prototypes are immutable.
  This includes properties such as RegExp.lastMatch, which normally are altered dynamically.
Extensions
- The timeout option is not only applied to the main operation, but also to subsequently executed events, timed functions etc.
Usage
var vm = require('js-vm');
var sandbox = { console };
vm.runInNewContext('console.log("Hello world")', sandbox);
See the Node.js vm documentation.
License
© 2016 Filip Dalüge, all rights reserved.