Hi everyone, I wanted to post a note about a module I've been tinkering with for a while. It gives you the ability to create isolated JavaScript environments in a nodejs application. You can use this to securely run untrusted code with strict limits on memory and CPU time usage. Additionally, this gives you the capability to run JS code in parallel in multiple threads in the same process.
Currently the only way to run untrusted code securely is to make a new process for your sandboxed code. This can be cumbersome to manage if you need to run a lot of sandboxes at the same time. There are also some solutions which will run the untrusted code within one nodejs process, but your code will end up sharing memory and garbage collection with the untrusted code which is no good. And all existing nodejs-based solutions rely heavily on proxied objects to keep untrusted code away from the powerful nodejs `require` function. isolated-vm starts from a fresh v8 isolate and lets you build an environment for the untrusted code from scratch.
I originally wrote this module for Screeps [https://screeps.com/], which is a massively-multiplayer online JS game. Screeps has the unique requirement of needing to run hundreds of persistent sandboxes for player-submitted code. They're currently running this module in production with promising results.
A new startup, fly.io [https://fly.io/], is also using this module to edge cache middleware. Their use case is a little different from Screeps, as each request to a middleware endpoint will use a fresh JS context, whereas Screeps tends to leave contexts alive for days at a time.