DEV Community

Theodor Diaconu
Theodor Diaconu

Posted on

sandbox individual npm dependencies in your node app

#node #security

Node has process permission flags like allowNet, allowFsRead, etc. The catch is that they apply to your entire running app, and we all know dependencies can get... creative.

https://github.com/bluelibs/sandboxify
npm: sandboxify
Current version: 0.0.1

The idea is pretty simple: run selected packages in a separate Node child process with restricted permissions, while keeping your app code relatively normal. Under the hood, it creates RPC-like adapters so you can call into those sandboxed packages without having to redesign your app around workers or a custom RPC layer.

So instead of fully trusting every dependency, you can isolate the ones you’d rather keep on a shorter leash.

It can sandbox:

  • npm packages (including their dep trees)
  • local files
  • even local folders

This feels especially useful for things like PDF generation, HTML sanitizing, parsing, templating, and other workloads where:

  • the dependency does meaningful work per call
  • a little process-boundary/RPC overhead is acceptable
  • reducing the dependency’s permissions is worth it

Performance is definitely the main tradeoff, so I tried to design around that a bit. sandboxify supports batching, and one of the more practical patterns is to move heavier logic into a local file inside the same sandbox bucket so you can export a higher-level function and do fewer cross-process calls. In other words: less chatty RPC, more useful work per hop.

That said, one practical way to reduce the overhead is to move heavier logic into a local file, put that file in the same sandbox bucket, and export a higher-level function from there. That way, instead of doing lots of tiny cross-process calls, you do fewer, heavier ones.

It’s also still early. First-class support is for ESM, and CJS support currently works in a more hacky way. Even so, it already covers a lot of scenarios.

I put together a small example here you can start playing with it:
https://github.com/theodorDiaconu/sandboxify-test

So yeah, this project is still rough around the edges, but I think the model is promising: dependency-level sandboxing in Node, without having to rebuild everything around workers or hand-rolled RPC.

  • Is this something you’d actually use?
  • Which dependency types feel like the best fit?
  • What limitations would be a deal-breaker for you?

If nothing else, this has been a fun excuse to make untrusted code sit at the kids’ table.

Top comments (0)