[jcrites]

As a robust sandbox, have you considered using a micro-VM? Firecracker [1] comes to mind, the VM behind AWS Lambda. It's designed to be lightweight to launch, suitable for running ephemeral code.

While I agree that it'd be nice to be able to use WASM for this purpose, it seems like a microVM might provide a more convenient interface: you can "just" run any existing programming language inside it (without needing any specific support for e.g. WASM). Indeed, you could run multiple processes built with different programming languages together and allow them to communicate in standard ways.

Additionally, VMs offer a number of advantage from a security perspective. Hypervisor VMs take advantage of hardware support, and their surface area is arguably well-hardened and smaller than alternatives (hence why VMs are used for cloud computing).

> I've not found a good pattern for running a JavaScript interpreter in a WASM sandbox yet

Is there a good reason to do this? I thought WASM typically used the V8 JavaScript interpreter as its sandbox and to execute code. If you could launch WASM, couldn't you equivalently launch an instance of V8 with the JavaScript code running inside directly? I do think this is a good question, and it raises further questions like: what if I want to run JavaScript and WASM side-by-side, so that they can communicate with each other and/or with native code.

[1] https://firecracker-microvm.github.io/

[wikiwong]

Firecracker is a fine technology, but serverless companies have started taking advantage Wasm's faster start-up and invocation times for use cases of running Wasm on the server (https://www.youtube.com/watch?v=yqgCxhPAao0). The deny by default security policy makes Wasm a popular choice to run code in isolation, particularly for maximizing hardware resources in the multi-tenant environments these serverless companies operate.

> Is there a good reason to do this?

One use case to run JS inside a Wasm VM is Shopify Functions. Shopify allows their customers to customize things like checkout flow by writing code compiled to Wasm which gets executed during the checkout process. They want their customers to be able to write JS as well as other languages. https://github.com/Shopify/function-runner

> I thought WASM typically used the V8 JavaScript interpreter as its sandbox and to execute code.

V8 is popular for running Wasm on the web and for some serverless companies, but there are a bunch of serverless, blockchain, and iot projects that use other Wasm runtimes (Wasmtime, WAMR, WasmEdge, and Wasmer to name a few) - https://github.com/appcypher/awesome-wasm-runtimes