Skip to content

Latest commit



72 lines (50 loc) · 3.2 KB

File metadata and controls

72 lines (50 loc) · 3.2 KB


Safely execute untrusted code with ESM syntax support, dynamic injection of ESM modules from URL or plain JS code, and granular access control based on whitelisting for each JS object.


  • ESM syntax: untrusted code can use import and export module syntax
  • Dynamic ESM module injection: easily inject modules dependencies from data: or http(s) URLs, or just plain JS code string
  • Granular access control: untrusted code has access only to whitelisted JS objects
  • Isomorphic: compatible with both browsers and Node.js
  • Queue: evaluations are automatically queued
  • Fast: leverage native import() syntax for code evaluation
  • Non-blocking: run code inside a module worker, off the main thread
  • Always terminable: terminate long running code at any time

Get Started

To install:

npm i --save @initminal/run


Create an evaluator and execute JS code:

const InitminalRun = createInitminalRun()
const result = await"export const initminal = 'hello world'")
// hello world


Try it out in the playground


Check out the documentation.

📢 Notice

  • 🎉 Firefox support:
    • Previous Firefox versions lacked the implementation of dynamic import() in workers, which this library requires.
    • However, the Implement Dynamic import for workers fix has been completed and is scheduled for release in version 113.
  • 🧪 Experimental status: this project is still considered unstable and breaking changes may occur (but only when unavoidable).

🔒 Security

  • The security of code evaluation using this library depends on the set of whitelisted JS objects.
  • The default list of accessible JS objects (subject to updates) should be considered safe for untrusted code.
  • IO objects such as fetch or indexedDB are NOT whitelisted by default. Untrusted code can access to host's data if they are manually whitelisted.
  • If you must use one or more I/O objects, consider combining another strategy, e.g. executing in an iframe sandbox.
  • in the future, proxy support for I/O actions might be implemented as a feature to enable safe I/O operations from untrusted code (contributions are welcome!).


  • Proxies for objects (e.g. fetch), to enable secure I/O operations.
  • Typescript support
  • Worker pool
  • Support other evaluation strategies, such as using WASM, other programming languages
  • ...feel free to suggests any new ideas!

Contributions are welcome!
