safeval · Secure JavaScript expression evaluator

Run untrusted JavaScript expressions safely using real V8 Isolates via isolated-vm.

Lightweight wrapper with two usage styles:

• One-shot safeval(code, state, options)
• Reusable new SafeLogic() instance (better performance when running many evaluations)

Features

• True memory & CPU isolation via V8 Isolates
• Strict timeout control
• Memory limit enforcement
• No access to Node.js globals, require, process, fetch, etc.
• Clean JSON-serializable input → result
• Automatic cleanup
• Per-call or instance-wide configuration
• TypeScript-ready (type declarations included)

Security Important

This library significantly reduces — but does not eliminate — the risks of running untrusted code.

• Only pass data through JSON-serializable objects
• Never inject functions or complex objects
• Always set reasonable timeout and memoryLimit
• Consider additional containment (Docker, gVisor, Firecracker) for very high-security use cases

Installation

npm install safeval isolated-vm
# or
yarn add safeval isolated-vm
# or
pnpm add safeval isolated-vm