Claude Code produced a six-way comparison of JavaScript sandboxing options after Simon Willison fed it a single research prompt inspired by Aaron Harper's post on Node.js worker threads.
The comparison covers isolated-vm, vm2, quickjs-emscripten, QuickJS-NG, ShadowRealm, and Deno Workers. Each has different security guarantees, performance tradeoffs, and maintenance status. vm2 is abandoned. isolated-vm uses V8 isolates for real memory separation. QuickJS runs a separate engine entirely. These are not equivalent choices.
The full research output lives on GitHub and is worth reading because the interesting part is not the conclusion but the criteria used to evaluate each option, and what Claude Code chose to investigate without being asked.
[READ ORIGINAL →]