What does HackerNews think of quickjs-emscripten?

Javascript/Typescript bindings for QuickJS, a modern Javascript interpreter written in C by Fabrice Bellard.

Language: C

#85 in JavaScript

QuickJS compiled to WASM seems like a pretty nice way of getting a sandboxed js environment: https://github.com/justjake/quickjs-emscripten.

Curious if people have seen any other routes to doing it via WASM.

Tangentially related:

I maintain a library for using QuickJS, a JS interpreter with more modern language support, from NodeJS or the web called QuickJS-Emscripten: https://github.com/justjake/quickjs-emscripten

This was inspired by seeing Duktape WASM build on HN (https://github.com/maple3142/duktape-eval) and Figma's blogposts about building a Javascript plugin runtime:

- How Figma built the Figma plugin system: Describes the LowLevelJavascriptVm interface (https://www.figma.com/blog/how-we-built-the-figma-plugin-sys...)

- An update on plugin security: Figma switches to QuickJS (https://www.figma.com/blog/an-update-on-plugin-security/)

Have you considered adding a capability for plugins to draw HTML into an ? I'm always pondering such features, but I'm wary of letting a plugin potentially block the CPU forever with custom elements. I have a solution to plugin CPU blocking for pure API plugins (https://github.com/justjake/quickjs-emscripten) but not a way to meld it safely with HTML access.

I want the web to be more end-user programmable. Web apps big and small should offer plugin extension mechanisms! Ideally plug-ins are frictionless to author, and powerful enough to build fun UIs. Today, only really big premier apps like Figma and Google Docs have this kind of feature.

One problem is that it’s very difficult for an app to run arbitrary, untrusted user code in a way that’s secure and efficient, especially in the browser. Apps need to worry about XSS and unintended remote code execution, much less try adding those things as a feature.

I started working on a Typescript/WebAssembly library around the QuickJS JavaScript runtime to address this need. QuickJS runs modern ES2020 and provides an API for the host process to set CPU and memory budgets for the execution environment, which is completely sandboxed. My work so far exposes a basic interface to create VMs, expose APIs from the host to the guest, and evaluate code.

Repo: https://github.com/justjake/quickjs-emscripten

NPM: https://www.npmjs.com/package/quickjs-emscripten

Areas of work:

- Make the library importable as ES modules on the web without a Webpack build step.

- Design higher-level but still security-conscious APIs for building plugin systems on top of the existing library.

- Expose more QuickJS C APIs to library users.

- Performance or ergonomic improvements.

If you share any of these goals or would like to help out, please drop me a line on GitHub (e.g. by opening an issue), or via any of the links on my HN profile.

Why not have a look at QuickJS? I assume your reason is to run JS in the browser in an isolated environment for security reasons? I’ve found this article from Figma to be an excellent starting point [0]. Also useful to consider this benchmark [1] of JS runtimes.

We’ve found quickjs-emscripten [2] to work really well thus far. You can see my implementation of it here [3] in Lowdefy. It still has a few rough edges, so would be really keen to make it better.

I’m interested to know, is SpiderMonkey more comparable to V8 than QuickJS?

[0] - https://www.figma.com/blog/how-we-built-the-figma-plugin-sys...

[1] - https://bellard.org/quickjs/bench.html

[2] - https://github.com/justjake/quickjs-emscripten

[3] - https://github.com/lowdefy/lowdefy/blob/main/packages/operat...

Fairly certain you don't want to be throwing `eval` in your code.

I'm also building a workflow engine on the side, but don't want to see you run into security issues :)

Look into the realms TC39 proposal, the SES TC39 proposal, or running (no joke) a lightweight ES6 environment in webassembly to eval your code.

https://github.com/tc39/proposal-realms/#ecmascript-spec-pro...

https://github.com/tc39/proposal-ses

https://github.com/justjake/quickjs-emscripten

I’ve got a TypeScript library wrapping QuickJS if you don’t want to do the emscripten build or figure out the C API yourself: https://github.com/justjake/quickjs-emscripten

If you’re interested in using QuickJS yourself on the web or in node to implement untrusted JavaScript evaluation in your own (JavaScript) software, check out my library: https://github.com/justjake/quickjs-emscripten