Is it though? I have not personally used these libraries, but a cursory google search reveals several options: - cloudflare/STPyV8: [0] From cloudflare, intended for executing untrusted code. - Pythonmonkey: [1] Embeds spidermonkey. Not clearly security focused, but sandboxing untrusted code is literally the point of browser js engines.

It's a little less clear how you would do this from node, but the v8 embedding instructions should work https://v8.dev/docs/embed even if nodejs is already a copy of v8.

[0]: https://github.com/cloudflare/stpyv8 [1]: https://docs.pythonmonkey.io

... whoa, I don't know how I missed it but I hadn't seen STPyV8 before.

I'd seen PyV8 and ruled it out as very unmaintained.

One of my requirements for a sandbox is that it needs to me maintained by a team of professionals who are running a multi-million dollar business on it. Cloudflare certainly count! I wonder what they use STPyV8 for themselves?

... on closer inspection it doesn't seem to have the feature I care most about: the ability to constrain memory usage (see comment here https://github.com/cloudflare/stpyv8/blob/57e881c7fbe178c598...) - and there's no built-in support for time limits either, you have to cancel tasks from a separate thread: https://github.com/cloudflare/stpyv8/issues/112

PythonMonkey looks promising too: the documentation says "MVP as of September 2024" so clearly it's intended to be stable for production use at this point.