Pure ECMAScript 5 implementation of the Node.js VM API

js-vm is a highly secure, fully compatible implementation of the Node.js VM API in pure ECMAScript 5. It may be used as a vm shim in webpack. It has a footprint of 7KB and does not depend on browser technologies such as the DOM.
js-vm is designed to meet high demands on efficiency and security:
* Code is transpiled using native RegExp tokenization only and no AST is created, increasing speed by a factor of 100K. Initialization costs are minimal: no iframe or similar is created at runtime.
* Security measures are designed to be immune to extensions of the ECMAScript grammar (non-standard extensions, future extensions). The package works with standardized ES5 features only, making results highly predictable and its security readily assessable.
Install this package using NPM:
```
npm install js-vm
```
```javascript
var vm = require('js-vm');
// Only the properties placed on the sandbox object are exposed to the script.
var sandbox = { console: console };
vm.runInNewContext('console.log("Hello world")', sandbox);
```
See the Node.js vm documentation.
js-vm executes scripts subsequently in the same global scope. No `iframe` or Web Worker is instantiated at runtime and execution is carried out solely by means of `eval` execution of RegExp-transpiled code.
To achieve this, from the perspective of an executed script, built-in
global objects (not the global object itself) are
frozen. Any modifications on properties or sub-properties of built-in
objects (such as `Object.prototype.toString`)
will be discarded (see the behavior of `Object.freeze()`).
js-vm will not freeze any objects of the host script but will attempt
to execute scripts in a separate global scope whenever technically
viable (for example, by means of a hidden `iframe` that is created only
once and then reused).
js-vm differs from vm in the following points:
* All scripts run in _strict mode_ (or a superset, depending on browser support).
* Built-in objects (Object, Array, Date etc.) and their prototypes are immutable. This includes properties such as `RegExp.lastMatch`, which would normally change dynamically.
* The `timeout` option limits the execution time not only of the script itself but also of functions defined in the script that are called once the main script has terminated, such as events, timeouts etc.
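
The `Object.freeze()` behavior and the strict-mode point above, as an added example that is not part of js-vm's own code: a write to a frozen object is silently discarded in sloppy mode but throws a `TypeError` in strict mode, and because freezing is shallow, sub-properties need a recursive freeze. All names (`makeFakeBuiltin`, `deepFreeze`, `tryWrite`, `demo`) are hypothetical, and the object is a constructed stand-in so the real built-ins stay untouched; how js-vm freezes its built-ins internally is not shown on this page.

```javascript
// Added example: Object.freeze() semantics on a constructed stand-in object.
function makeFakeBuiltin() {
  return { prototype: { toString: function () { return 'original'; } } };
}

// Object.freeze() is shallow, so freeze first (guards against cycles such as
// fn.prototype.constructor === fn) and then recurse into data properties.
function deepFreeze(obj) {
  Object.freeze(obj);
  Object.getOwnPropertyNames(obj).forEach(function (name) {
    var desc = Object.getOwnPropertyDescriptor(obj, name);
    var value = desc && desc.value;
    var isRef = value !== null &&
      (typeof value === 'object' || typeof value === 'function');
    if (isRef && !Object.isFrozen(value)) { deepFreeze(value); }
  });
  return obj;
}

// Function-constructor bodies are sloppy unless they opt in to strict mode,
// which lets one file exercise both modes.
var body = 'target.toString = function () { return "patched"; };';
var sloppyWrite = new Function('target', body);
var strictWrite = new Function('target', '"use strict"; ' + body);

function tryWrite(writer, target) {
  try {
    writer(target);
    return 'no error';
  } catch (e) {
    return e instanceof TypeError ? 'TypeError' : 'other error';
  }
}

function demo() {
  var shallow = Object.freeze(makeFakeBuiltin());
  tryWrite(sloppyWrite, shallow.prototype); // sub-object was never frozen
  var deep = deepFreeze(makeFakeBuiltin());
  var child = Object.create(deep.prototype); // inherits the frozen toString
  return {
    shallowPatched: shallow.prototype.toString() === 'patched',
    sloppy: tryWrite(sloppyWrite, deep.prototype), // write silently discarded
    strict: tryWrite(strictWrite, deep.prototype), // write rejected loudly
    stillOriginal: deep.prototype.toString() === 'original',
    // Plain assignment on an inheriting object is refused as well.
    overrideBlocked: tryWrite(strictWrite, child) === 'TypeError'
  };
}
```

The last field matters for compatibility testing: under plain `Object.freeze()` semantics, code that assigns its own `toString` to an object inheriting from a frozen prototype fails in strict mode and needs `Object.defineProperty` instead.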
© 2016 Filip Dalüge, all rights reserved.