Usage in Deno
import { runInThisContext } from "node:vm";
runInThisContext(code: string,options?: RunningCodeOptions | string,): any
vm.runInThisContext()
compiles code
, runs it within the context of the
current global
and returns the result. Running code does not have access to
local scope, but does have access to the current global
object.
If options
is a string, then it specifies the filename.
The following example illustrates using both vm.runInThisContext()
and
the JavaScript eval()
function to run the same code:
const vm = require('node:vm'); let localVar = 'initial value'; const vmResult = vm.runInThisContext('localVar = "vm";'); console.log(`vmResult: '${vmResult}', localVar: '${localVar}'`); // Prints: vmResult: 'vm', localVar: 'initial value' const evalResult = eval('localVar = "eval";'); console.log(`evalResult: '${evalResult}', localVar: '${localVar}'`); // Prints: evalResult: 'eval', localVar: 'eval'
Because vm.runInThisContext()
does not have access to the local scope,localVar
is unchanged. In contrast,
eval()
does have access to the
local scope, so the value localVar
is changed. In this wayvm.runInThisContext()
is much like an indirect eval()
call, e.g.(0,eval)('code')
.
Example: Running an HTTP server within a VM
When using either script.runInThisContext()
or runInThisContext, the code is executed within the current V8 global
context. The code passed to this VM context will have its own isolated scope.
In order to run a simple web server using the node:http
module the code passed
to the context must either call require('node:http')
on its own, or have a
reference to the node:http
module passed to it. For instance:
'use strict'; const vm = require('node:vm'); const code = ` ((require) => { const http = require('node:http'); http.createServer((request, response) => { response.writeHead(200, { 'Content-Type': 'text/plain' }); response.end('Hello World\\n'); }).listen(8124); console.log('Server running at http://127.0.0.1:8124/'); })`; vm.runInThisContext(code)(require);
The require()
in the above case shares the state with the context it is
passed from. This may introduce risks when untrusted code is executed, e.g.
altering objects in the context in unwanted ways.
options: RunningCodeOptions | string
any
the result of the very last statement executed in the script.