A lightweight library for secure Node.js code execution, secure-exec enables developers to run untrusted code, particularly for AI agents, without the overhead of containers or virtual machines. It offers a fast, resource-efficient, and flexible sandboxing solution that integrates directly within a Node.js process, simplifying deployment and reducing infrastructure complexity.

How It Works

This library leverages V8 isolates, the same primitive powering browser tabs and Cloudflare Workers, for robust code isolation. By avoiding full containers or virtual machines, secure-exec achieves significantly faster cold starts and drastically lower memory footprints per execution. It bridges essential Node.js APIs (like fs, child_process, http) to real host capabilities, enabling compatibility with standard npm packages and frameworks.

Quick Start & Requirements

• Install: npm install secure-exec
• Prerequisites: Node.js, Bun, or an HTML5 browser environment.
• Links: Documentation, API Reference, Discord, Benchmarks.

Highlighted Details

• Leverages native V8 isolates for JIT-compiled performance, offering median cold starts of 16.2 ms compared to ~440 ms for typical sandboxes.
• Minimal memory footprint per instance (~3.4 MB) versus ~256 MB for container-based sandboxes, enabling higher concurrency on the same hardware.
• Features a granular, deny-by-default permission model for filesystem, network, child processes, and environment variables, which are composable functions.
• Supports configurable resource limits (CPU time, memory) and deterministically terminates runaway code.
• Full Node.js compatibility, including fs, child_process, http, dns, process, and os, allowing execution of frameworks like Express, Hono, and Next.js.
• Designed for AI agents, integrating seamlessly with tools like the Vercel AI SDK and LangChain.

Maintenance & Community

• Active community support available via Discord.
• Project hosted on GitHub.
• No specific details on core maintainers, sponsorships, or roadmap were provided in the README excerpt.

Licensing & Compatibility

• License: Apache-2.0.
• Compatibility: Compatible with Node.js, Bun, and browsers. Allows running standard npm packages and frameworks like Express, Hono, and Next.js. Commercial use is permitted under the Apache-2.0 license.

Limitations & Caveats

Cloudflare Workers is explicitly not supported due to its lack of exposed V8 APIs required by secure-exec. For orchestrating stateful, long-running tasks, pairing with Rivet Actors is recommended for durability and fault tolerance. While it bridges Node.js APIs, it does not provide a full operating system environment, differentiating it from traditional VM or container-based sandboxes.