Answering the security question specifically: V8 is a runtime and not a security boundary. Escaping it isn't trivial, but it is common [1]. You should still wrap it in a proper security boundary like gVisor [2].

The security claims from Cloudflare are quite bold for a piece of software that was not written to do what they are using it for. To steal an old saying, anyone can develop a system so secure they can't think of a way to defeat it.

1. https://www.cvedetails.com/vulnerability-list/vendor_id-1224...

2. https://gvisor.dev/

I find it funny how we've ended up here:

"Let's use containers, that way we aren't running unnecessary redundant kernels in each VM!"

later

"Oh shit, our containers share a kernel, let's add another kernel to each container to fix this!"

Maybe the next step is that we realize there's so many CPU bugs, that we really just need to give each container their own hardware :)

> Maybe the next step is that we realize there's so many CPU bugs, that we really just need to give each container their own hardware :)

I am reasonably sure that most of the microservices I write would be very happy running on a 400 MHz CPU with a couple hundred megs of RAM, if they were rewritten in native code, or even just compiled to native code instead of being run on top of Node. Throw it all on a minimal OS that provides networking and some file IO.

How much does it cost to manufacture 400 MHz CPUs with onboard memory? Those must cost a few pennies each, throw in a 4GB SSD, preferably using SLC chips for reliability, and a NIC, and sell 4 "machine" clusters of them for ~$100 a pop.

> [...] if they were rewritten in native code, [...] Throw it all on a minimal OS that provides networking and some file IO.

You may want to check out MirageOS[0]. It gives you a library OS with the primitives you say you need, and then all you have to do is import them in your application code as if you are writing your typical OCaml, build the virtual appliance and boot it up anywhere you want.

[0] https://mirage.io/docs/overview-of-mirage

There's also https://github.com/includeos/IncludeOS

However, how much is this kind of stuff actually used at scale today?