jsvm is a secure and fully compatible implementation of the Node.js VM API in pure ECMAScript 5. It has a footprint of 7KB, does not depend on browser technologies such as the DOM. While jsvm can be used excellently as a webpack shim for vm, you just could use it instead of vm in Node.js, too.
jsvm has been designed with efficiency and security in mind:
RegExp tokenization
and no AST is created, increasing speed by a huge factor. The cost
of initialization is minimal, no iframe or similar is created at runtime.Install this package using NPM:
npm install jsvm
var vm = require('jsvm');
var sandbox = { console };
vm.runInNewContext('console.log("Hello world")', sandbox);
See the Node.js vm documentation.
jsvm executes scripts subsequently in the same global scope. No
iframe or Web Worker is instantiated at runtime and execution is
carried out solely by means of eval execution of RegExp-transpiled
code.
To achieve this, from the perspective of an executed script, built-in
global objects (not the global object itself) are
frozen. Any modifications on properties or sub-properties of built-in
objects (such as Object.prototype.toString)
will be discarded (see the behavior of Object.freeze()).
jsvm will not freeze any objects of the host script but create a
separate global scope for execution of virtualized scripts as long as
the executing environment makes it technically viable to create such a
separate global scope. This is the case in Node.js and in a browser.
jsvm differs from vm in the following points:
Object, Array, Date etc.) and their prototypes are immutable.timeout option limits the execution time of the script itself but also of functions defined in the script that are called once the main script has terminated, such as events, timeouts etc.© 2016 Filip Dalüge, all rights reserved.
FAQs
Pure ECMAScript 5 implementation of the Node.js VM API
We found that jsvm demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
/Security News
The worm-enabled campaign hit @emilgroup and @teale.io, then used an ICP canister to deliver follow-on payloads.
Research
/Security News
Attackers compromised Trivy GitHub Actions by force-updating tags to deliver malware, exposing CI/CD secrets across affected pipelines.
Security News
ENISA’s new package manager advisory outlines the dependency security practices companies will need to demonstrate as the EU’s Cyber Resilience Act begins enforcing software supply chain requirements.