Open Source

andbox

Sandboxed JavaScript runtime

Runs untrusted JavaScript in an isolated Web Worker with a structured RPC bridge back to the host — configurable rate limits, timeouts, and hard-kill semantics.

andbox runs untrusted JavaScript in an isolated Web Worker with a structured, capability-gated RPC bridge back to the host. You decide exactly which functions the sandboxed code can call — everything else is unreachable.

It supports import maps and virtual modules, enforces configurable rate limits and timeouts with hard-kill semantics, and has zero runtime dependencies.

  • Worker-based isolation
  • Capability-gated RPC bridge
  • Import maps & virtual modules
  • Zero dependencies