Sandboxed JavaScript runtime
Runs untrusted JavaScript in an isolated Web Worker with a structured RPC bridge back to the host — configurable rate limits, timeouts, and hard-kill semantics.
andbox runs untrusted JavaScript in an isolated Web Worker with a structured, capability-gated RPC bridge back to the host. You decide exactly which functions the sandboxed code can call — everything else is unreachable.
It supports import maps and virtual modules, enforces configurable rate limits and timeouts with hard-kill semantics, and has zero runtime dependencies.
Explore the full documentation, browse the source on GitHub, or see everything Erisera builds.