Overview
This document compares Node.js API support across secure-exec and three Cloudflare Workers deployment models:| Platform | Description |
|---|---|
| CF Workers | Standard Cloudflare Workers with nodejs_compat flag and compatibility date β₯ 2024-09-23. |
| CF Workers for Platforms | Multi-tenant variant where platform operators deploy user Workers into dispatch namespaces. Same V8 runtime as standard Workers; additional isolation constraints. |
| CF Dynamic Dispatch | The routing Worker that invokes user Workers in a Workers for Platforms namespace. Runs as a standard Worker with dispatch namespace bindings. |
nodejs_compat API surface. WfP adds operational restrictions (no caches.default, no request.cf without trusted mode, no gradual deployments, operator-enforced CPU/subrequest limits, outbound Worker interception) but no Node.js API differences.
Support Tier Legend
| Icon | Meaning |
|---|---|
| π’ | Supported: native or full implementation. |
| π΅ | Planned: not yet implemented; on the roadmap. |
| π‘ | Partial: functional with behavioral gaps or wrapper limitations. |
| βͺ | TBD: under consideration; not yet committed. |
| π΄ | Stub: requireable but most APIs throw on call. |
| β | Unsupported: not available; require() throws immediately. |
Module Compatibility Matrix
Core I/O and Networking
| Module | secure-exec | CF Workers (nodejs_compat) | Notes |
|---|---|---|---|
fs | π‘ Core I/O: readFile, writeFile, appendFile, open, read, write, close, readdir, mkdir, rmdir, rm, unlink, stat, lstat, rename, copyFile, exists, createReadStream, createWriteStream, writev, access, realpath. Missing: cp, glob, opendir, mkdtemp, statfs, readv, fdatasync, fsync. Deferred: watch, watchFile, chmod, chown, link, symlink, readlink, truncate, utimes. Full coverage planned. | π‘ In-memory VFS only. /bundle (read-only), /tmp (writable, ephemeral per-request), /dev devices. Missing: watch, watchFile, globSync, file permissions/ownership. All operations synchronous regardless of API style. Timestamps frozen to Unix epoch. 128 MB max file size. | secure-exec: Permission-gated; filesystem behavior determined by system driver (host FS or VFS). Read-only /app/node_modules overlay. CF: No persistent storage; /tmp contents isolated per request and lost after response; no real permissions or ownership. |
http | π‘ request, get, createServer with bridged request/response classes. Fetch-based, fully buffered. No connection pooling, no keep-alive tuning, no WebSocket upgrade, no trailer headers. Agent is stub-only. | π‘ request, get, createServer via fetch API wrapper. Requires extra compat flags. No Connection headers, no Expect: 100-continue, no socket-level events (socket, upgrade), no 1xx responses, no trailer headers. Agent is stub-only. | |
https | π‘ Same contract and limitations as http. | π‘ Same wrapper model and limitations as http. | |
http2 | π΄ Compatibility classes only; createServer/createSecureServer throw. | π΄ Non-functional stub. | Neither platform supports HTTP/2 server creation. |
net | π΅ Planned. | π‘ net.connect() / net.Socket for outbound TCP via Cloudflare Sockets API. No net.createServer(). | CF: Outbound TCP connections supported. secure-exec: On roadmap. |
tls | π΅ Planned. | π‘ tls.connect() for outbound TLS via Sockets API. No tls.createServer(). | CF: Outbound TLS supported. secure-exec: On roadmap. |
dns | π’ lookup, resolve, resolve4, resolve6, plus dns.promises. | π‘ DNS over HTTPS via Cloudflare 1.1.1.1. lookup, lookupService, resolve (generic) throw βNot implementedβ. | secure-exec: Permission-gated real DNS. CF: DoH only; core methods missing. |
dgram | β require() throws. | π΄ Non-functional stub. | Neither platform supports UDP sockets. |
Process and Runtime
| Module | secure-exec | CF Workers (nodejs_compat) | Notes |
|---|---|---|---|
process | π’ env (permission-gated), cwd/chdir, exit, timers, stdio event emitters, hrtime, platform, arch, version, argv, pid, ppid, uid, gid. | π‘ env, cwd/chdir, exit, nextTick, stdin/stdout/stderr, platform, arch, version. No real process IDs or OS-level user/group IDs. Requires extra enable_nodejs_process_v2 flag for full surface. | secure-exec: Configurable timing mitigation (freeze mode); real pid/uid/gid metadata. CF: Synthetic process metadata. |
child_process | π’ spawn, spawnSync, exec, execSync, execFile, execFileSync. fork unsupported. | π΄ Non-functional stub; all methods throw. | secure-exec: Bound to the system driver; subprocess behavior determined by driver implementation. CF has no subprocess support. |
os | π’ platform, arch, type, release, version, homedir, tmpdir, hostname, userInfo, os.constants. | π‘ Basic platform/arch metadata. | secure-exec: Richer OS metadata surface. |
worker_threads | β Stubs that throw on API call. | π΄ Non-functional stub. | Neither platform supports worker threads. |
cluster | β require() throws. | π΄ Non-functional stub. | Neither platform supports clustering. |
timers | π’ setTimeout, clearTimeout, setInterval, clearInterval, setImmediate, clearImmediate. | π’ Same surface; returns Timeout objects. | Equivalent support. |
vm | π΄ Browser polyfill via Function()/eval(). No real context isolation; shares global scope. | π΄ Non-functional stub. | Neither offers real vm sandboxing. secure-exec polyfill silently runs code in shared scope, not safe for isolation. |
v8 | π΄ Mock heap stats; serialize/deserialize use JSON instead of V8 binary format (bug). | π΄ Non-functional stub. | Neither exposes real V8 internals. secure-exec v8.serialize silently produces JSON, needs fix to use V8 structured serialization. |
Crypto and Security
| Module | secure-exec | CF Workers (nodejs_compat) | Notes |
|---|---|---|---|
crypto | π΅ Planned. Currently: getRandomValues() and randomUUID() use host node:crypto secure randomness. subtle.* throws unsupported errors. | π’ Full node:crypto surface (hash, HMAC, cipher, sign, verify, key generation). No DSA/DH key pairs, no ed448/x448, no FIPS mode. | CF: Comprehensive crypto support. secure-exec: Secure randomness today; full crypto planned. |
| Web Crypto | π΅ Planned. | π’ Available without nodejs_compat. | CF has native Web Crypto. |
| Fetch globals | π’ fetch, Headers, Request, Response. | π’ Supported. |
Data and Encoding
| Module | secure-exec | CF Workers (nodejs_compat) | Notes |
|---|---|---|---|
buffer | π’ Supported. | π’ Supported. | |
stream | π’ Supported. | π’ Supported. | |
string_decoder | π’ Supported. | π’ Supported. | |
zlib | π’ Supported. | π’ Supported; includes Brotli. | CF adds Brotli. |
querystring | π’ Supported. | π’ Supported. |
Utilities and Diagnostics
| Module | secure-exec | CF Workers (nodejs_compat) | Notes |
|---|---|---|---|
path | π’ Supported. | π’ Supported. | |
url | π’ Supported. | π’ Supported. | |
util | π’ Supported. | π’ Supported. | |
assert | π’ Supported. | π’ Supported. | |
events | π’ Supported. | π’ Supported. | |
module | π’ createRequire, Module basics, builtin resolution. | π‘ Limited surface. | secure-exec: CJS/ESM with createRequire. |
console | π’ Circular-safe bounded formatting; drop-by-default with onStdio hook. | π’ Supported; output routed to Workers Logs / Tail Workers. | |
async_hooks | βͺ TBD. | π΄ Non-functional stub. | |
perf_hooks | βͺ TBD. | π‘ Limited surface. | |
diagnostics_channel | βͺ TBD. | π’ Supported. | |
readline | βͺ TBD. | π΄ Non-functional stub. | |
tty | π΄ isatty() returns false; ReadStream/WriteStream throw. | π΄ Stub-like. | Both platforms are essentially non-functional beyond isatty(). |
constants | π’ Supported. | π’ Supported. | |
punycode | Not listed. | π’ Supported (deprecated). |
Unsupported in Both
| Module | secure-exec | CF Workers | Notes |
|---|---|---|---|
wasi | β Unsupported | β Unsupported | |
inspector | β Unsupported | π‘ Partial (Chrome DevTools) | CF has limited inspector via DevTools. |
repl | β Unsupported | π΄ Stub | |
trace_events | β Unsupported | β Unsupported | |
domain | β Unsupported | β Unsupported |
Execution Model Comparison
| Capability | secure-exec | CF Workers / WfP / Dynamic Dispatch |
|---|---|---|
| Isolation | V8 isolate. | V8 isolate per Worker invocation. |
| Permission model | Deny-by-default for fs, network, childProcess, env. Fine-grained per-domain policies. | No granular permission model. WfP adds request.cf restriction and cache isolation. |
| Memory limits | Configurable memoryLimit (MB). | 128 MB per Worker (platform-managed). |
| CPU time limits | Configurable cpuTimeLimitMs with exit code 124. | 10ms (free) / 30s (paid) CPU time; WfP operators can set custom limits. |
| Timing mitigation | freeze mode (deterministic clocks) or off (real-time). | I/O-gated coarsening: Date.now() and performance.now() only advance after I/O to mitigate Spectre-class side channels. |
| Module loading | CJS + ESM with package.json type field semantics; node_modules overlay. | ES modules primary; CJS via nodejs_compat; no node_modules overlay (bundled at deploy). |
| Subprocess execution | Bound to the system driver; subprocess behavior determined by driver implementation. | Not available. |
| Filesystem | System-driver-determined: host filesystem (permission-gated) or virtual filesystem, depending on driver implementation. Read-only /app/node_modules overlay. | Ephemeral VFS only; Durable Objects for persistence. |
| Payload limits | Configurable size limits on sandbox-to-host transfers. | 128 MB script size; request body limits per plan. |
| Logging | Drop-by-default; explicit onStdio hook for streaming. | Routed to Workers Logs / Tail Workers. |
Sources
- Cloudflare Workers Node.js Compatibility Docs
- A Year of Improving Node.js Compatibility (2025)
- Cloudflare Workers node:http Docs
- Cloudflare Workers node:fs Docs
- Cloudflare Workers node:crypto Docs
- Cloudflare Workers Compatibility Flags
- Cloudflare Workers Performance and Timers
- Mitigating Spectre: Cloudflare Workers Security Model
- Workers for Platforms Configuration
- Workers for Platforms Limits
- How Workers for Platforms Works
- Dynamic Dispatch Worker