Edge.js: Run Node apps inside a WebAssembly sandbox

Today we are incredibly excited to open source Edge.js, a JavaScript runtime specifically designed to safely run Node.js workloads for AI and Edge computing.

The goal is simple: run your existing Node.js applications safely and with density and startup times that are impossible to get with containers.

Edge.js takes a different approach from existing JS edge runtimes like Deno or Cloudflare Workers. Instead of introducing new APIs Edge.js preserves full Node compatibility and isolates the unsafe parts of execution using WebAssembly.

This allows existing Node.js applications and native modules to run unmodified while system calls and native modules are sandboxed through WASIX.

Edge.js is like Node.js: same architecture, same dependencies, and fully matching semantics.

Fully compatible with Node.js****Pluggable JS engine(V8, JavascriptCore or QuickJS)- Securely sandboxedwhen in--safe mode

TL;DR: all this means that you can now run your JS-based apps, MCPs, and agents safely sandboxed without Docker!

Edge.js story

In recent at Wasmer, we have been aiming to run JS and Node.js sandboxed via WebAssembly while also aiming to scale to millions serverlessly.

We don’t just need full Node.js compatibility, we also need to run it with great startup and runtime speeds comparable to other awesome serverless providers like Cloudflare Workers or Deno Deploy.

In the past we launched our own JS server for running WinterCG applications (WinterJS), matching Cloudflare’s and Deno’s offering. However, over time we realized this approach had two issues that prevented broad usage: speed, and compatibility of apps (very few frameworks support WinterCG).

This pushed us to start thinking of alternatives that could mix the sandboxing capabilities of WebAssembly and WASIX with the already hardened, product-ready JS runtimes.

The architecture was obvious in retrospect, but it took many months and different trials to discover the optimal path.

We made Edge.js possible by splitting the sandbox into two different silos:

JS engine: exposed via customnapi APIs. We already know JS is sandboxed by default, so no more hardening is needed for having JS fully sandboxed.OS system callsand native application code: isolation via WASIX (read a file, create a thread, doing network operations, …)

The great thing about this design is that we sandbox only what’s unsafe: the OS system calls and native logic. The rest of things will still go through a JS runtime natively, which is sandboxed by default.

This allowed Edge.js to provide full Node compatibility (v24). We also decided to use the same dependencies as Node is using (libuv as the event loop, simdutf for fast utf8, ada for URL parsing, llhttp for http parsing, ncrypto for encryption, ares for dns…), so behavior could be easily preserved.

Edge.js currently runs within ~5–30% of Node.js native speed JS when run using the --safe flag for sandboxing with significant improvements on the horizon.

Our goal is to make Edge.js the most friction-less and efficient runtime for Node workloads in sandboxed and serverless environments.

Why not use Node.js

Node.js is a great piece of software, it runs millions of servers, its fast and incredibly robust. However, Node.js has two architectural issues: is closely tied to a specific Javascript engine (V8), and unlike V8 it can’t run workloads safely without Containerization or hardware virtualization.

Tying the Node.js workloads to slow-to-startup containers was a no-go for our hosting offering, since it would decimate our fast startup and high-server-density requirements.

We needed an engine that allows for extremely high-density of applications running in the same server, that has fast startup times and that provides all this while also being fully sandboxed.

How Edge.js works

NAPI allows native Node dependencies to target Node without actually depending on a specific version of Node or V8. NAPI is the contract that all modern native Node modules use to interact with Javascript.

So we decided to bet on napi as the base abstraction layer of Edge.js (plus WASIX) to create the JS engine abstraction, while betting on WASIX for system call sandboxing.

Edge.js runs everything Node.js can run (we target Node.js v24 compatibility). No exceptions. It runs Next.js, Astro, and any other framework without any modifications whatsoever. Edge.js fully supports running Native modules as well, since all the modern native modules already target NAPI.