npm
Sign UpSign In

jsvm
TypeScript icon, indicating that this package has built-in type declarations

0.9.3 • Public • Published

jsvm

NPM Dependencies Build status Coding style

jsvm is a secure and fully compatible implementation of the Node.js VM API in pure ECMAScript 5. It has a footprint of 7KB, does not depend on browser technologies such as the DOM. While jsvm can be used excellently as a webpack shim for vm, you just could use it instead of vm in Node.js, too.

jsvm has been designed with efficiency and security in mind:

  • Code is transpiled only on the basis of native RegExp tokenization and no AST is created, increasing speed by a huge factor. The cost of initialization is minimal, no iframe or similar is created at runtime.
  • Security measures are designed to be immune to extensions of the ECMAScript grammar (non-standard extensions, future extensions). The package works with standardized ES5 features only, making results predictable and security best assessable.

Installation

Install this package using NPM:

npm install jsvm

Usage

var vm = require('jsvm');
var sandbox = { console };
 
vm.runInNewContext('console.log("Hello world")', sandbox);

See the Node.js vm documentation.

Method

jsvm executes scripts subsequently in the same global scope. No iframe or Web Worker is instantiated at runtime and execution is carried out solely by means of eval execution of RegExp-transpiled code.

To achieve this, from the perspective of an executed script, built-in global objects (not the global object itself) are frozen. Any modifications on properties or sub-properties of built-in objects (such as Object.prototype.toString) will be discarded (see the behavior of Object.freeze()).

jsvm will not freeze any objects of the host script but create a separate global scope for execution of virtualized scripts as long as the executing environment makes it technically viable to create such a separate global scope. This is the case in Node.js and in a browser.

Comparison

jsvm differs from vm in the following points:

Limitations

  • All scripts run in strict mode (or a superset, depending on browser support).
  • Built-in objects (Object, Array, Date etc.) and their prototypes are immutable.

Intentional differences

  • The timeout option limits the execution time of the script itself but also of functions defined in the script that are called once the main script has terminated, such as events, timeouts etc.

License

© 2016 Filip Dalüge, all rights reserved.

Readme

Keywords

none

Package Sidebar

Install

npm i jsvm

Repository

github.com/daluege/jsvm

Homepage

github.com/daluege/jsvm

Weekly Downloads

6

Version

0.9.3

License

UNLICENSED

Last publish

Collaborators

  • daluege
Try on RunKit
Report malware