js-vm

0.1.4 • Public • Published


js-vm is a highly secure, fully compatible implementation of the Node.js VM API in pure ECMAScript 5. It may be used as a vm shim in webpack. It has a footprint of 7KB and does not depend on browser technologies or the DOM.

js-vm is designed with high demands in efficiency and security:

  • Code is transpiled using native RegExp tokenization only; no AST is created, which increases speed by a factor of 100K. Initialization costs are minimal: no iframe or similar is created at runtime.
  • Security measures are designed to be immune to extensions of the ECMAScript grammar (non-standard extensions, future extensions). The package works with standardized ES5 features only, making results highly predictable and security easiest to assess.

Installation

Install this package using NPM:

npm install js-vm

Usage

var vm = require('js-vm');
// Only the properties of the sandbox object are exposed to the script as globals.
var sandbox = { console: console };

vm.runInNewContext('console.log("Hello world")', sandbox);

See the Node.js vm documentation.

Method

js-vm executes scripts one after another in the same global scope. No iframe or Web Worker is instantiated at runtime, and execution is carried out solely by running RegExp-transpiled code through eval.

To achieve this, from the perspective of an executed script, built-in global objects (not the global object itself) are frozen. Any modifications to properties or sub-properties of built-in objects (such as Object.prototype.toString) will be discarded (see the behavior of Object.freeze()).

Since we consider modifying built-in prototypes an anti-pattern in a modularized ECMAScript ecosystem anyway, we regard the increased strictness enforced by js-vm as an improvement in code quality.

js-vm will not freeze any objects of the host script but will attempt to execute scripts in a separate global scope whenever technically viable (for example, by means of a hidden iframe that is created only once and then reused).

Comparison

js-vm differs from vm in the following points:

Limitations

  • All scripts run in strict mode (or a superset, depending on browser support).
  • Built-in objects (Object, Array, Date etc.) and their prototypes are immutable. This includes properties such as RegExp.lastMatch, which would normally change dynamically.
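What these two limitations mean for guest code, shown on a stand-in object rather than on real built-ins. This is an added example, not js-vm's own code; `Thing`, `deepFreeze`, `probe` and `demo` are hypothetical names, and `Thing` plays the role of a built-in such as Object.

```javascript
'use strict';
// Added illustration, not js-vm source. Thing stands in for a built-in.
function makeThing() {
  function Thing() {}
  Thing.prototype.toString = function () { return '[object Thing]'; };
  Thing.limits = { max: 10 };            // a "sub-property" of the built-in
  return Thing;
}

// Object.freeze is shallow, so walk own data properties and freeze each one.
function deepFreeze(obj, seen) {
  seen = seen || [];
  var t = typeof obj;
  if (obj === null || (t !== 'object' && t !== 'function')) return obj;
  if (seen.indexOf(obj) !== -1) return obj;
  seen.push(obj);
  Object.getOwnPropertyNames(obj).forEach(function (name) {
    var desc = Object.getOwnPropertyDescriptor(obj, name);
    if ('value' in desc) deepFreeze(desc.value, seen);
  });
  return Object.freeze(obj);
}

// Run guest source against `target`. A new Function body is sloppy unless it
// opts in, so both modes can be compared from this strict file.
function probe(source, strict, target) {
  var guest = new Function('target', (strict ? '"use strict";' : '') + source);
  try { guest(target); return 'ok'; }
  catch (e) { return e instanceof TypeError ? 'TypeError' : 'other error'; }
}

function demo() {
  var patch = 'target.prototype.toString = function () { return "patched"; };';
  var grow = 'target.limits.max = 99;';
  var shallow = Object.freeze(makeThing());
  var deep = deepFreeze(makeThing());
  return {
    sloppyWrite: probe(patch, false, deep),   // write is silently discarded
    strictWrite: probe(patch, true, deep),    // same write throws
    stillOriginal: String(new deep()),        // prototype is unchanged
    shallowLeak: (probe(grow, false, shallow), shallow.limits.max),
    deepHolds: (probe(grow, false, deep), deep.limits.max),
    // The instance itself is not frozen, yet assigning over an inherited
    // read-only property fails: guest code defining its own toString breaks.
    ownOverride: probe('var o = new target(); o.toString = function () {};', true, deep)
  };
}
```

Under strict mode the discarded write surfaces as a TypeError, and the last case shows that scripts which assign `toString` on their own objects need `Object.defineProperty` instead when the prototype is frozen.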

Extensions

  • The timeout option limits the execution time not only of the script itself but also of functions defined in the script that are called after the main script has terminated, such as events, timeouts etc.

License

© 2016 Filip Dalüge, all rights reserved.
