function

vm.runInThisContext

code: string,

): any;

vm.runInThisContext() compiles code, runs it within the context of the current global and returns the result. Running code does not have access to local scope, but does have access to the current global object.

If options is a string, then it specifies the filename.

The following example illustrates using both vm.runInThisContext() and the JavaScript eval() function to run the same code:

import vm from 'node:vm';
let localVar = 'initial value';

const vmResult = vm.runInThisContext('localVar = "vm";');
console.log(`vmResult: '${vmResult}', localVar: '${localVar}'`);
// Prints: vmResult: 'vm', localVar: 'initial value'

const evalResult = eval('localVar = "eval";');
console.log(`evalResult: '${evalResult}', localVar: '${localVar}'`);
// Prints: evalResult: 'eval', localVar: 'eval'

Because vm.runInThisContext() does not have access to the local scope, localVar is unchanged. In contrast, eval() does have access to the local scope, so the value localVar is changed. In this way vm.runInThisContext() is much like an indirect eval() call, e.g.(0,eval)('code').

Example: Running an HTTP server within a VM

When using either script.runInThisContext() or runInThisContext, the code is executed within the current V8 global context. The code passed to this VM context will have its own isolated scope.

In order to run a simple web server using the node:http module the code passed to the context must either import node:http on its own, or have a reference to the node:http module passed to it. For instance:

'use strict';
import vm from 'node:vm';

const code = `
((require) => {
const http = require('node:http');

  http.createServer((request, response) => {
    response.writeHead(200, { 'Content-Type': 'text/plain' });
    response.end('Hello World\\n');
  }).listen(8124);

  console.log('Server running at http://127.0.0.1:8124/');
})`;

vm.runInThisContext(code)(require);

The require() in the above case shares the state with the context it is passed from. This may introduce risks when untrusted code is executed, e.g. altering objects in the context in unwanted ways.

@param code

The JavaScript code to compile and run.

@returns

the result of the very last statement executed in the script.

Referenced types

interface RunningCodeOptions

breakOnSigint?: boolean
If true, the execution will be terminated when SIGINT (Ctrl+C) is received. Existing handlers for the event that have been attached via process.on('SIGINT') will be disabled during script execution, but will continue to work after that. If execution is terminated, an Error will be thrown.
cachedData?: ArrayBufferView<ArrayBufferLike>
Provides an optional data with V8's code cache data for the supplied source.
columnOffset?: number
Specifies the column number offset that is displayed in stack traces produced by this script.
displayErrors?: boolean
When true, if an Error occurs while compiling the code, the line of code causing the error is attached to the stack trace.
filename?: string
Specifies the filename used in stack traces produced by this script.
importModuleDynamically?: number | DynamicModuleLoader<Script>
Used to specify how the modules should be loaded during the evaluation of this script when import() is called. This option is part of the experimental modules API. We do not recommend using it in a production environment. For detailed information, see Support of dynamic import() in compilation APIs.
lineOffset?: number
Specifies the line number offset that is displayed in stack traces produced by this script.
timeout?: number
Specifies the number of milliseconds to execute code before terminating execution. If execution is terminated, an Error will be thrown. This value must be a strictly positive integer.