New module: isolated-vm -- access to v8's Isolate interface in nodejs

Skip to first unread message

Mar 5, 2018, 3:39:09 PM3/5/18
to nodejs
Hi everyone, I wanted to post a note about a module I've been tinkering with for a while. It gives you the ability to create isolated JavaScript environments in a nodejs application. You can use this to securely run untrusted code with strict limits on memory and CPU time usage. Additionally, this gives you the capability to run JS code in parallel in multiple threads in the same process.

Currently the only way to run untrusted code securely is to make a new process for your sandboxed code. This can be cumbersome to manage if you need to run a lot of sandboxes at the same time. There are also some solutions which will run the untrusted code within one nodejs process, but your code will end up sharing memory and garbage collection with the untrusted code which is no good. And all existing nodejs-based solutions rely heavily on proxied objects to keep untrusted code away from the powerful nodejs `require` function. isolated-vm starts from a fresh v8 isolate and lets you build an environment for the untrusted code from scratch.

I originally wrote this module for Screeps [] which is a massively-multiplayer online JS game. Screeps has the unique requirement of needing to run hundreds of persistent sandboxes for player-submitted code. They're currently running this module in production with promising results.

A new startup [] is also using this module to edge cache middleware. Their use case is a little different from Screeps, as each request to a middleware endpoint will use a fresh JS context, whereas Screeps tends to leave contexts alive for days at a time.

Anyway if this is interesting to you please check it out on github: or `npm install isolated-vm`. Note you will need a C++ compiler installed to build the project, instructions are available at . Also note that this is targeting nodejs version 8.


Jul 30, 2020, 8:12:34 PM7/30/20
to nodejs
Hey, thank you for making it open source
I am very curious about isolated-vm

You mentioned isolated-vm is better than instantiating new processes and sandboxing inside the main process. vm2 is popular for these use cases but there is one more problem with vm2
error handling is not isolated for unhandled promises you will have to catch error by process.('onUnhandledRejection', callback) which can't tell which sandbox threw that error

How isolated-vm overcomes these shortcomings?
Reply all
Reply to author
0 new messages