Deno Sandbox
Deno unveils 'Sandbox,' a new product designed to securely run untrusted, often LLM-generated, code by providing isolated microVMs. It tackles the thorny issue of secret exfiltration and network egress control, enabling developers to integrate AI agents and user-generated code with confidence. This launch sparks discussion on novel security patterns, the 'build vs. buy' dilemma for common developer problems, and even the subtle linguistic tells of AI-assisted writing.
The Lowdown
Deno Sandbox introduces a specialized solution for executing untrusted code, particularly prevalent in the new landscape of LLM-generated applications. It directly addresses the challenges of securely managing API keys and controlling network access when running code that may not be human-reviewed.
- Secure MicroVMs: Provides lightweight Linux microVMs within the Deno Deploy cloud, booting in under a second for isolation.
- Non-Exfiltratable Secrets: Secrets never directly enter the sandbox's environment; instead, a placeholder is used, and the real key only materializes for outbound requests to pre-approved hosts. This prevents secrets from being stolen, even if the code attempts to send the placeholder to malicious domains.
- Granular Network Egress Control: Allows developers to explicitly list approved hosts for outbound network requests, blocking any communication to unlisted domains at the VM boundary.
- Seamless Deployment: Features `sandbox.deploy()` to push code directly from the sandbox to Deno Deploy's production environment without intermediate steps.
- Persistence Options: While ephemeral by default, it offers volumes for read-write storage and snapshots for pre-configured environments.
- Use Cases: Positioned for AI agents, collaborative coding environments, secure plugin systems, and ephemeral CI runners.
- Pricing: Usage-based, included in Deno Deploy plans, with competitive rates for CPU time, memory, and volume storage.
Deno Sandbox aims to provide a robust, secure, and efficient environment for modern applications dealing with dynamic, untrusted code, addressing critical security concerns in an AI-first development world.
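The placeholder-secret and egress-allowlist behaviour described above can be modelled as a single decision made at the VM boundary. This is an added sketch, not Deno's code or API: the policy shape, function names, hostnames and key values are all hypothetical, and only the `allowNet` name is borrowed from the feature mentioned on this page.

```javascript
// Added example: a model of the egress decision, not Deno Sandbox's implementation.
// Hypothetical policy: hosts the sandbox may reach, plus secrets keyed by the
// placeholder string that sandboxed code sees instead of the real value.
const policy = {
  allowNet: ["api.example-llm.test", "registry.example.test"],
  secrets: {
    PLACEHOLDER_LLM_KEY: {
      value: "sk-real-constructed",      // constructed value, never inside the VM
      hosts: ["api.example-llm.test"],   // only destination it may be sent to
    },
  },
};

// Decide what happens to one outbound request leaving the sandbox.
function applyEgress(policy, request) {
  const host = new URL(request.url).hostname.toLowerCase();
  if (!policy.allowNet.includes(host)) {
    return { action: "block", reason: `host ${host} is not in allowNet` };
  }
  const headers = {};
  for (const [name, raw] of Object.entries(request.headers)) {
    let value = raw;
    for (const [placeholder, secret] of Object.entries(policy.secrets)) {
      // The real key materializes only when this host is approved for this secret.
      if (secret.hosts.includes(host)) {
        value = value.split(placeholder).join(secret.value);
      }
    }
    headers[name] = value;
  }
  return { action: "forward", host, headers };
}

// Constructed requests: an approved API call, an exfiltration attempt, and an
// allowed host that this secret is not scoped to.
function demo() {
  const auth = { authorization: "Bearer PLACEHOLDER_LLM_KEY" };
  return {
    approved: applyEgress(policy, { url: "https://api.example-llm.test/v1/chat", headers: auth }),
    exfil: applyEgress(policy, { url: "https://attacker.example.test/collect", headers: auth }),
    unscoped: applyEgress(policy, {
      url: "https://registry.example.test/pkg",
      headers: { "x-debug": "PLACEHOLDER_LLM_KEY" },
    }),
  };
}
```

In this model the sandboxed code can still make requests to the approved host with the key attached, which matches the commenters' point that the pattern stops theft of the secret rather than its use.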
The Gossip
Secrets and Secure Strategies
Commenters were particularly impressed by Deno Sandbox's approach to secrets, where API keys only materialize for approved outbound requests, preventing exfiltration. Many likened this to existing patterns like HTTP proxies (e.g., Fly's Tokenizer, Envoy), acknowledging it's a known technique but commending its elegant implementation and the convenience of integrating it directly into the sandbox. The general consensus was that while this doesn't prevent a malicious agent from *using* the secret, it effectively stops its *theft*.
Self-Hosting and Scope Squabbles
A significant thread revolved around whether the Deno Sandbox microVMs could be self-hosted or run locally, indicating a desire for more control and flexibility beyond the Deno Deploy cloud. There were also discussions on the `allowNet` feature, questioning how dynamic AI agents could realistically pre-define allowed domains. The Deno team confirmed plans to increase the default 30-minute sandbox lifetime.
The 'Everyone's Built This' Brouhaha
Several users provocatively asked if this wasn't a problem 'everyone' has already solved or built for themselves in the last two years, particularly given the explosion of AI agent development. This sparked a strong counter-argument that while many *try* to build similar solutions, a well-engineered, commercial product for a common pain point (like securely running untrusted code) provides immense value and indicates a genuine market need, especially for those who *haven't* built it or struggle to maintain it. A long list of similar sandboxing tools was provided to illustrate the crowded but active space.
LLM-Detecting Linguistic Leanings
A humorous meta-discussion emerged about the blog post's writing style, with some commenters remarking that certain phrases (like 'This isn't X. It's Y.') made them suspect the use of an LLM for writing or rewriting sections. The Deno team confirmed the author was human, leading to a lighthearted debate about how certain writing quirks are now being wrongly attributed to AI.