[jitl]

The great thing about WASM is that you don’t need to audit the binary - just the code that touches the binary through the WebAssembly.* namespace. If the code looks too complicated, or exposes eval or equivalent capabilities like arbitrary JS function calls, then you should approach with caution and build yourself, etc etc.

Most WASM libraries I’ve considered using (and the one I package myself) use an off-the-shelf Emscripten wrapper minified with Google Closure Compiler. This is annoying to audit compared to plain JS, but certainly doable with a few rename-symbol in your editor.