Lucas

I think the only way is very heavyweight that is to basically interpret JS yourself, or to replace Functions constructions with a custom implementation (such as inject variable and parse...

@sand1er the code does the following: - Escape the context by using constructors, because the objects still have constructors you can use to go out, because the constructor of `this`...

Same issue seems to got found in MathJS by @CapacitorSet ( https://capacitorset.github.io/mathjs/ ) some time ago. I am emailing gf3 (and npm) to try to claim the name so a...

I think a vm2 port for browsers would not be possible, as no new contexts can be made. Depending on the goal of such sandbox, other methods (like iframes) could...

There is a workaround, but you cant have any (dynamic) external values. ``` var vm = require("vm"); var context = vm.createContext(Object.create(null)); var corescript = ""; // Here I pollyfill everything...

Then you need to be VERY careful with the operations called in the output... you cant just out.toString() or util.inspect, you need to set right options to avoid running code...