
jsvm is a secure and fully compatible implementation of the Node.js VM API in pure ECMAScript 5. It has a footprint of 7KB and does not depend on browser technologies such as the DOM. While jsvm works excellently as a webpack shim for vm, you could just use it instead of vm in Node.js, too.
jsvm has been designed with efficiency and security in mind: scripts are transpiled using RegExp tokenization and no AST is created, increasing speed by a huge factor. The cost of initialization is minimal; no iframe or similar is created at runtime.
Install this package using NPM:
npm install jsvm
var vm = require('jsvm');
var sandbox = { console };
vm.runInNewContext('console.log("Hello world")', sandbox);
See the Node.js vm documentation.
jsvm executes scripts one after another in the same global scope. No iframe or Web Worker is instantiated at runtime; execution is carried out solely by means of eval on RegExp-transpiled code.
To achieve this, from the perspective of an executed script, built-in
global objects (not the global object itself) are
frozen. Any modifications on properties or sub-properties of built-in
objects (such as Object.prototype.toString)
will be discarded (see the behavior of Object.freeze()).
jsvm will not freeze any objects of the host script but create a
separate global scope for execution of virtualized scripts as long as
the executing environment makes it technically viable to create such a
separate global scope. This is the case in Node.js and in a browser.
jsvm differs from vm in the following points:
- Built-in global objects (Object, Array, Date etc.) and their prototypes are immutable.
- The timeout option limits the execution time not only of the script itself but also of functions defined in the script that are called once the main script has terminated, such as event handlers, timeouts etc.
© 2016 Filip Dalüge, all rights reserved.
FAQs
Pure ECMAScript 5 implementation of the Node.js VM API
The npm package jsvm receives a total of 2 weekly downloads. As such, jsvm popularity was classified as not popular.
We found that jsvm demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.