You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+19-6Lines changed: 19 additions & 6 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -18,24 +18,29 @@
18
18
19
19
# Why isolated-function?
20
20
21
-
Sometimes your application needs to run JavaScript that did not come from your codebase.
21
+
Sometimes your application needs to let users customize a piece of behavior with JavaScript.
22
22
23
-
That code might come from an AI agent, a customer-defined workflow, a plugin, a webhook transform, or an automation rule. You want the useful part: let people customize behavior with code. You do not want the dangerous part: letting that code read files, spawn processes, install anything it wants, or run forever.
23
+
That code might be a function template for an AI agent, a customer-defined workflow, a plugin, a webhook transform, or an automation rule. You provide the shape of the function and the runtime context; users provide the custom logic. You want the useful part: programmable behavior without turning the rest of your application into the execution environment.
24
24
25
-
**isolated-function** gives you a small API for running that code in a separate Node.js process with clear limits:
25
+
**isolated-function** gives you a small API for turning user-customizable function templates into controlled executions:
26
26
27
-
- give it a function
27
+
- give it a function or generated function template
28
+
- pass runtime arguments into it
28
29
- choose what it is allowed to do
29
30
- set memory and timeout limits
30
31
- run it
31
32
- get back the result, logs, errors, and timing data
32
33
33
-
It is a sandbox for the kind of code you need to execute, but do not fully trust.
34
+
It is useful when your product needs user-defined logic, but you still want a narrow execution contract around what that logic can receive, return, import, and access.
34
35
35
36
# What it does
36
37
37
38
At a high level, isolated-function wraps a JavaScript function and runs it away from your main process.
38
39
40
+
The core use case is giving your product a controlled function template that users can customize. Your application owns the template, runtime arguments, dependencies, permissions, timeout, memory, result shape, logging, and cleanup. Users only customize the part of the function you intentionally expose.
41
+
42
+
This is the pattern used by [`@browserless/function`](https://github.com/microlinkhq/browserless/tree/master/packages/function): it lets users build functions that can access a Puppeteer `page` and related browser context, then runs those functions through isolated-function.
43
+
39
44
It can:
40
45
41
46
- run untrusted code in a separate process
@@ -47,7 +52,15 @@ It can:
47
52
- allow only the packages you explicitly trust
48
53
- return profiling data for compile, spawn, run, and total time
49
54
50
-
# Install
55
+
# What it is not
56
+
57
+
isolated-function is not a virtual machine, microVM, container runtime, or hypervisor-based sandbox.
58
+
59
+
It isolates JavaScript by running it in a separate Node.js process with Node.js permissions and resource limits. That is useful for many plugin, workflow, webhook, and AI-agent use cases, but it is not the same security boundary as KVM, Firecracker, Kata Containers, gVisor, or another VM-backed isolation layer.
60
+
61
+
If you need to execute hostile multi-tenant code, use isolated-function behind a stronger runtime boundary such as a locked-down container, gVisor, Kata Containers, Firecracker, or another hypervisor-backed execution environment.
Copy file name to clipboardExpand all lines: docs/README.md
+19-6Lines changed: 19 additions & 6 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -18,24 +18,29 @@
18
18
19
19
# Why isolated-function?
20
20
21
-
Sometimes your application needs to run JavaScript that did not come from your codebase.
21
+
Sometimes your application needs to let users customize a piece of behavior with JavaScript.
22
22
23
-
That code might come from an AI agent, a customer-defined workflow, a plugin, a webhook transform, or an automation rule. You want the useful part: let people customize behavior with code. You do not want the dangerous part: letting that code read files, spawn processes, install anything it wants, or run forever.
23
+
That code might be a function template for an AI agent, a customer-defined workflow, a plugin, a webhook transform, or an automation rule. You provide the shape of the function and the runtime context; users provide the custom logic. You want the useful part: programmable behavior without turning the rest of your application into the execution environment.
24
24
25
-
**isolated-function** gives you a small API for running that code in a separate Node.js process with clear limits:
25
+
**isolated-function** gives you a small API for turning user-customizable function templates into controlled executions:
26
26
27
-
- give it a function
27
+
- give it a function or generated function template
28
+
- pass runtime arguments into it
28
29
- choose what it is allowed to do
29
30
- set memory and timeout limits
30
31
- run it
31
32
- get back the result, logs, errors, and timing data
32
33
33
-
It is a sandbox for the kind of code you need to execute, but do not fully trust.
34
+
It is useful when your product needs user-defined logic, but you still want a narrow execution contract around what that logic can receive, return, import, and access.
34
35
35
36
# What it does
36
37
37
38
At a high level, isolated-function wraps a JavaScript function and runs it away from your main process.
38
39
40
+
The core use case is giving your product a controlled function template that users can customize. Your application owns the template, runtime arguments, dependencies, permissions, timeout, memory, result shape, logging, and cleanup. Users only customize the part of the function you intentionally expose.
41
+
42
+
This is the pattern used by [`@browserless/function`](https://github.com/microlinkhq/browserless/tree/master/packages/function): it lets users build functions that can access a Puppeteer `page` and related browser context, then runs those functions through isolated-function.
43
+
39
44
It can:
40
45
41
46
- run untrusted code in a separate process
@@ -47,7 +52,15 @@ It can:
47
52
- allow only the packages you explicitly trust
48
53
- return profiling data for compile, spawn, run, and total time
49
54
50
-
# Install
55
+
# What it is not
56
+
57
+
isolated-function is not a virtual machine, microVM, container runtime, or hypervisor-based sandbox.
58
+
59
+
It isolates JavaScript by running it in a separate Node.js process with Node.js permissions and resource limits. That is useful for many plugin, workflow, webhook, and AI-agent use cases, but it is not the same security boundary as KVM, Firecracker, Kata Containers, gVisor, or another VM-backed isolation layer.
60
+
61
+
If you need to execute hostile multi-tenant code, use isolated-function behind a stronger runtime boundary such as a locked-down container, gVisor, Kata Containers, Firecracker, or another hypervisor-backed execution environment.
0 commit comments