{"id":29962110,"url":"https://github.com/nyariv/sandboxjs","last_synced_at":"2026-03-13T14:01:15.388Z","repository":{"id":47562783,"uuid":"164193784","full_name":"nyariv/SandboxJS","owner":"nyariv","description":"Safe eval runtime","archived":false,"fork":false,"pushed_at":"2026-02-14T17:28:02.000Z","size":2694,"stargazers_count":202,"open_issues_count":10,"forks_count":17,"subscribers_count":2,"default_branch":"main","last_synced_at":"2026-02-27T05:37:22.231Z","etag":null,"topics":["ecmascript","expression-language","interpreter","javascript","parser","sandbox","security","vm"],"latest_commit_sha":null,"homepage":"https://nyariv.github.io/SandboxJS/","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nyariv.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2019-01-05T07:48:24.000Z","updated_at":"2026-02-26T01:08:39.000Z","dependencies_parsed_at":"2024-06-19T00:16:17.906Z","dependency_job_id":"08d2d26a-d485-484c-b854-4b052d53c046","html_url":"https://github.com/nyariv/SandboxJS","commit_stats":{"total_commits":240,"total_committers":3,"mean_commits":80.0,"dds":0.03749999999999998,"last_synced_commit":"f3168a8e90ad7a48babdf44322b31af90aeac1d1"},"previous_names":[],"tags_count":49,"template":false,"template_full_name":null,"purl":"pkg:github/nyariv/SandboxJS","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nyariv%2FSandboxJS","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nyariv%2FSandboxJS/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nyariv%2FSandboxJS/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nyariv%2FSandboxJS/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nyariv","download_url":"https://codeload.github.com/nyariv/SandboxJS/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nyariv%2FSandboxJS/sbom","scorecard":{"id":699784,"data":{"date":"2025-08-11","repo":{"name":"github.com/nyariv/SandboxJS","commit":"cd391a82f7908d49a0bf707769ae1d0260bb6f5e"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":4.1,"checks":[{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Code-Review","score":0,"reason":"Found 0/30 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/deploy.yml:1","Warn: no topLevel permission defined: .github/workflows/npm-publish.yml:1","Warn: no topLevel permission defined: .github/workflows/test.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Pinned-Dependencies","score":6,"reason":"dependency not pinned by hash detected -- score normalized to 6","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/nyariv/SandboxJS/deploy.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/nyariv/SandboxJS/deploy.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/deploy.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/nyariv/SandboxJS/deploy.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/npm-publish.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/nyariv/SandboxJS/npm-publish.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/npm-publish.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/nyariv/SandboxJS/npm-publish.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/npm-publish.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/nyariv/SandboxJS/npm-publish.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/npm-publish.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/nyariv/SandboxJS/npm-publish.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/nyariv/SandboxJS/test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/nyariv/SandboxJS/test.yml/main?enable=pin","Info:   0 out of   8 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   1 third-party GitHubAction dependencies pinned","Info:   4 out of   4 npmCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":0,"reason":"no SAST tool detected","details":["Warn: no pull requests merged into dev branch"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":4,"reason":"branch protection is not maximal on development and all release branches","details":["Info: 'allow deletion' disabled on branch 'main'","Info: 'force pushes' disabled on branch 'main'","Warn: 'branch protection settings apply to administrators' is disabled on branch 'main'","Warn: 'stale review dismissal' is disabled on branch 'main'","Warn: required approving review count is 1 on branch 'main'","Warn: codeowners review is not required on branch 'main'","Warn: 'last push approval' is disabled on branch 'main'","Warn: 'up-to-date branches' is disabled on branch 'main'","Info: status check found to merge onto on branch 'main'","Info: PRs are required in order to make changes on branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Vulnerabilities","score":9,"reason":"1 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-22T04:55:52.101Z","repository_id":47562783,"created_at":"2025-08-22T04:55:52.101Z","updated_at":"2025-08-22T04:55:52.101Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30467872,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-13T11:00:43.441Z","status":"ssl_error","status_checked_at":"2026-03-13T11:00:23.173Z","response_time":60,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ecmascript","expression-language","interpreter","javascript","parser","sandbox","security","vm"],"created_at":"2025-08-04T00:01:09.668Z","updated_at":"2026-03-13T14:01:15.376Z","avatar_url":"https://github.com/nyariv.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![GitHub](https://img.shields.io/github/license/nyariv/SandboxJS)](https://github.com/nyariv/SandboxJS/blob/main/LICENSE) ![npm (scoped)](https://img.shields.io/npm/v/@nyariv/sandboxjs) ![Package size gzipped](https://img.shields.io/bundlephobia/minzip/@nyariv/sandboxjs) [![GitHub issues](https://img.shields.io/github/issues-raw/nyariv/SandboxJS)](https://github.com/nyariv/SandboxJS/issues) [![codecov](https://codecov.io/gh/nyariv/SandboxJS/branch/main/graph/badge.svg)](https://codecov.io/gh/nyariv/SandboxJS)\n\n# SandboxJS - Safe eval runtime\n\nThis is a javascript sandboxing library. When embedding any kind of js code inside your app (either web or nodejs based) you are essentially giving access to the entire kingdom, hoping there is no malicious code in a dependency such as with supply chain attacks. For securing code, sandboxing is needed.\n\n\u003e  a \"sandbox\" is a security mechanism for separating running programs, usually in an effort to mitigate system failures or software vulnerabilities from spreading. It is often used to execute untested or untrusted programs or code, possibly from unverified or untrusted third parties, suppliers, users or websites, without risking harm to the host machine or operating system. - Wikipedia\n\nThere are many vulnerable modules available on the global scope of a js environment, and unfortunately it is way to easy to get access to that if 3rd party code is allowed to be included. The main way is through the `eval` or `Function` globals because they execute code in the global context. Trying to block access to some global components through proxies or limiting scope variables is fruitless because of one main issue: _every function inherits the `Function` prototype, and can invoke `eval` by calling its constructor_, essentially making `eval` at most two properties away from anything in js.\n\nExample:\n```javascript\n[].filter.constructor(\"alert('jailbreak')\")()\n```\n\nTo make matters worse, it is extremely difficult to blacklist functions because code is easily obfuscated. For example, it is possible to execute anything using only `(`, `)`, `[`, `]`, `!`, and `+`. ([source](http://www.jsfuck.com/))\n\n```javascript\n[+!+[]]+[] // This evaluates to the number one, go a head type that in console\n```\n\n**SandboxJS** solves this problem by parsing js code and executing it though its own js runtime, while in the process checking every single prototype function that is being called. This allows whitelisting anything and everything, regardless of obfuscation.\n\nThis means that you can potentially give different libraries different permissions, such as allowing `fetch()` for one library, or allowing access to the `Node` prototype for another, depending what the library requires and nothing more, and any objects that are gotten from the sandbox will remain sandboxed when used outside of it.\n\nAdditionaly, `eval` and `Function` are sandboxed as well, and can be used recursively safely, which is why they are considered safe globals in SandboxJS.\n\nThere is an `audit` method that will return all the accessed functions and prototypes during runtime if you need to know what permissions to give a certain library.\n\nSince parsing and executing are separated, execution with SandboxJS can be sometimes even faster than `eval`, allowing to prepare the execution code ahead of time.\n\n## Installation\n\n```\nnpm install @nyariv/sandboxjs\n```\n\n## Usage\n\nThe following is the bare minimum of code for using SandboxJS. This assumes safe whilelisted defaults.\n\n```javascript\nconst code = `return myTest;`;\nconst scope = { myTest: \"hello world\" };\nconst sandbox = new Sandbox();\nconst exec = sandbox.compile(code);\nconst result = exec(scope).run(); // result: \"hello world\"\n```\n\nIt is possible to defined multiple scopes in case you are reusing scopes with multiple layers.\n\n```javascript\nconst sandbox = new Sandbox();\n\nconst scopeA = {a: 1};\nconst scopeB = {b: 2};\nconst scopeC = {c: 3};\n\nconst code = `a = 4; let d = 5; let b = 6`;\nconst exec = sandbox.compile(code);\nexec(scopeA, scopeB, scopeC).run();\n\nconsole.log(scopeA); // {a: 4}\nconsole.log(scopeB); // {b: 2}\nconsole.log(scopeC); // {c: 3, d: 5, b: 6}\n```\n\nYou can set your own whilelisted prototypes and global properties like so (`alert` and `Node` are added to whitelist in the following code):\n\n```javascript\nconst prototypeWhitelist = Sandbox.SAFE_PROTOTYPES;\nprototypeWhitelist.set(Node, new Set());\n\nconst globals = {...Sandbox.SAFE_GLOBALS, alert};\n\nconst sandbox = new Sandbox({globals, prototypeWhitelist});\n```\n\nYou can audit a piece of code, which will permit all globals and prototypes but will return a json with accessed globals and prototypes over time.\n\n```javascript\nconst code = `console.log(\"test\")`;\nconsole.log(Sandbox.audit(code));\n```\n\n## Safe Globals\n\n- `globalThis`\n- `Function`\n- `eval`\n- `setTimeout` - excluded by default\n- `setInterval` - excluded by default\n- `clearTimeout` - excluded by default\n- `clearInterval` - excluded by default\n- `console`\n- `isFinite`\n- `isNaN`\n- `parseFloat`\n- `parseInt`\n- `decodeURI`\n- `decodeURIComponent`\n- `encodeURI`\n- `encodeURIComponent`\n- `escape`\n- `unescape`\n- `Boolean`\n- `Number`\n- `BigInt`\n- `String`\n- `Object`\n- `Array`\n- `Symbol`\n- `Error`\n- `EvalError`\n- `RangeError`\n- `ReferenceError`\n- `SyntaxError`\n- `TypeError`\n- `URIError`\n- `Int8Array`\n- `Uint8Array`\n- `Uint8ClampedArray`\n- `Int16Array`\n- `Uint16Array`\n- `Int32Array`\n- `Uint32Array`\n- `Float32Array`\n- `Float64Array`\n- `Map`\n- `Set`\n- `WeakMap`\n- `WeakSet`\n- `Promise`\n- `Intl`\n- `JSON`\n- `Math`\n\n# Safe Prototypes\n\n- `SandboxGlobal`\n- `Function`\n- `Boolean`\n- `Object`\n- `Number`\n- `BigInt`\n- `String`\n- `Date`\n- `RegExp`\n- `Error`\n- `Array`\n- `Int8Array`\n- `Uint8Array`\n- `Uint8ClampedArray`\n- `Int16Array`\n- `Uint16Array`\n- `Int32Array`\n- `Uint32Array`\n- `Float32Array`\n- `Float64Array`\n- `Map`\n- `Set`\n- `WeakMap`\n- `WeakSet`\n- `Promise`\n\n## Goals\n\n|Feature|Status|\n|---|---|\n|Prototype access protection|done|\n|Globals access protection|done|\n|Prototype proxying|done|\n|Single line sandboxing|done|\n|Multi line sandboxing|done|\n|Functions support|done|\n|Audit prototype and globals access|done|\n|Code blocks (try/catch, ifs, and loops)|done|\n|Async/await|done|\n|Execution time protection|done|\n|Extensibility|done|\n|Full ECMAScript support|90%|\n|Script source and import sandboxing|Won't fix - handled by 3rd party|\n|DOM ownership and inherited permissions|See [scope-js](https://github.com/nyariv/scope-js)|\n|Tests|done|\n\n📋 **[ECMAScript Feature Implementation Status](TODO.md)** - See which JavaScript features are supported and tested (~90% of core ES5-ES2018 features)","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnyariv%2Fsandboxjs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnyariv%2Fsandboxjs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnyariv%2Fsandboxjs/lists"}