Module Loading

Sandboxed code can require() and import modules through secure-exec’s module resolution system.

node_modules overlay

Node runtime executions expose a read-only dependency overlay at /app/node_modules, sourced from <cwd>/node_modules on the host (default cwd is process.cwd()).

// Inside the sandbox, this resolves from the host's node_modules
const lodash = require("lodash");

Key constraints:

Overlay paths are read-only
Reads are constrained to canonical paths under <cwd>/node_modules (no symlink escapes)
Native addons (.node files) are rejected
Access outside overlay paths remains permission-gated

Configuring moduleAccess

Override the host directory used for the overlay:

import { createNodeDriver } from "secure-exec";

const driver = createNodeDriver({
  moduleAccess: {
    cwd: "/path/to/project",
  },
});

Module support tiers

Built-in modules fall into five support tiers:

Tier	Behavior	Examples
Bridge	Full implementation in secure-exec bridge	`fs`, `process`, `os`, `child_process`, `http`, `dns`
Polyfill	Browser-compatible polyfill	`path`, `buffer`, `url`, `events`, `stream`, `util`, `assert`
Stub	Minimal compatibility surface	`http2`, `crypto`, `v8`
Deferred	`require()` succeeds, APIs throw unsupported errors	`net`, `tls`, `readline`, `perf_hooks`, `worker_threads`
Unsupported	`require()` throws immediately	`dgram`, `cluster`, `wasi`, `inspector`

See the Node Compatibility page for the complete module matrix.

Getting Started

Runtimes

System Drivers

Features

Kernel

Reference

node_modules overlay

Configuring moduleAccess

Module support tiers

Getting Started

Runtimes

System Drivers

Features

Kernel

Reference

​node_modules overlay

​Configuring moduleAccess

​Module support tiers

node_modules overlay

Configuring moduleAccess

Module support tiers