Deno Sandbox
by johnspurlock on 2/3/2026, 5:33:20 PM
https://deno.com/blog/introducing-deno-sandbox
Comments
by: simonw
Note that you don't need to use Deno or JavaScript at all to use this product. Here's their Python client SDK: https://pypi.org/project/deno-sandbox/

    from deno_sandbox import DenoDeploy

    sdk = DenoDeploy()

    with sdk.sandbox.create() as sb:
        # Run a shell command
        process = sb.spawn("echo", args=["Hello from the sandbox!"])
        process.wait()

        # Write and read files
        sb.fs.write_text_file("/tmp/example.txt", "Hello, World!")
        content = sb.fs.read_text_file("/tmp/example.txt")
        print(content)

Looks like the API protocol itself uses websockets: https://tools.simonwillison.net/zip-wheel-explorer?package=deno-sandbox#deno_sandbox/sandbox.py--L187
2/3/2026, 6:27:48 PM
by: emschwartz
> In Deno Sandbox, secrets never enter the environment. Code sees only a placeholder

> The real key materializes only when the sandbox makes an outbound request to an approved host. If prompt-injected code tries to exfiltrate that placeholder to evil.com? Useless.

That seems clever.
2/3/2026, 6:16:54 PM
by: dangoodmanUT
Love their network filtering, however it definitely lacks some capabilities (like the ability to do direct TCP connections to Postgres, or direct IP connections).

Those limitations from other tools were exactly why I made https://github.com/danthegoodman1/netfence for our agents
2/3/2026, 8:54:21 PM
by: johnspurlock
"Over the past year, we’ve seen a shift in what Deno Deploy customers are building: platforms where users generate code with LLMs, and that code runs immediately without review. That code frequently calls LLMs itself, which means it needs API keys and network access.

This isn’t the traditional “run untrusted plugins” problem. It’s deeper: LLM-generated code, calling external APIs with real credentials, without human review. Sandboxing the compute isn’t enough. You need to control network egress and protect secrets from exfiltration.

Deno Sandbox provides both. And when the code is ready, you can deploy it directly to Deno Deploy without rebuilding."
2/3/2026, 5:33:20 PM
by: zenmac
> Deno Sandbox gives you lightweight Linux microVMs (running in the Deno Deploy cloud)

The real question is can the microVMs run in just plain old Linux, self-hosted.
2/3/2026, 7:31:21 PM
by: ATechGuy
> allowNet: ["api.openai.com", "*.anthropic.com"],

How to know what domains to allow? The agent behavior is not predefined.
2/3/2026, 6:57:39 PM
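
The placeholder substitution quoted by emschwartz and the `allowNet` patterns quoted by ATechGuy can be modelled as a single egress check. This is an added example, not code from the thread or from Deno; the placeholder format, the per-secret host binding and the subdomain-only wildcard rule are assumptions.

```javascript
// Toy model of the egress rule; every name below is hypothetical.
const ALLOW_NET = ["api.openai.com", "*.anthropic.com"]; // patterns quoted in the thread

// Kept by the proxy, outside the sandbox. Placeholder and key are constructed samples.
const SECRETS = new Map([
  ["{{OPENAI_API_KEY}}", { value: "sk-constructed-example", hosts: ["api.openai.com"] }],
]);

// Exact match, or "*.suffix" for subdomains only (assumed wildcard semantics).
function hostMatches(pattern, host) {
  const h = host.toLowerCase().replace(/\.$/, ""); // drop a trailing root dot
  return pattern.startsWith("*.") ? h.endsWith(pattern.slice(1)) : h === pattern;
}

function hostAllowed(host, patterns = ALLOW_NET) {
  return patterns.some((p) => hostMatches(p, host));
}

// Decide what leaves the sandbox. The real key is substituted only here, and
// only when the destination host is bound to that particular secret.
function egress(request) {
  const host = new URL(request.url).hostname;
  if (!hostAllowed(host)) return { forwarded: false, reason: "host not in allowNet" };
  const headers = {};
  for (const [name, value] of Object.entries(request.headers)) {
    let out = value;
    for (const [placeholder, secret] of SECRETS) {
      if (secret.hosts.some((p) => hostMatches(p, host))) {
        out = out.split(placeholder).join(secret.value);
      }
    }
    headers[name] = out;
  }
  return { forwarded: true, host, headers };
}

// Sandboxed code only ever holds the placeholder string.
const auth = { Authorization: "Bearer {{OPENAI_API_KEY}}" };
for (const url of [
  "https://api.openai.com/v1/models", // allowed and bound: key substituted
  "https://docs.anthropic.com/",      // allowed, not bound: placeholder stays
  "https://evil.com/collect",         // not allowed: request dropped
]) {
  console.log(url, JSON.stringify(egress({ url, headers: auth })));
}
```

Binding each secret to its own hosts, rather than to the whole allowlist, is what keeps a key from being sent to a different approved host.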
by: latexr
> evil.com

That website does exist. It may hurt your eyes.
2/3/2026, 8:44:48 PM
by: ttoinou
What happens if we use Claude Pro or Max plans on them? It’ll always be a different IP connecting and we might get banned from Anthropic as they think we’re different users

Why limit the lifetime to 30 mins?
2/3/2026, 5:52:12 PM
by: koolala
The free plan makes me want to use it like Glitch. But every free service like this ever has been burned...
2/3/2026, 7:52:56 PM
by: nihakue
See also Sprites (https://news.ycombinator.com/item?id=46557825) which I've been using and really enjoying. There are some key architecture differences between the two, but very similar surface area. It'll be interesting to see if ephemeral + snapshots can be as convenient as stateful with cloning/forking (which hasn't actually dropped yet, although the fly team say it's coming).

Will give these a try. These are exciting times, it's never been a better time to build side projects :)
2/3/2026, 6:29:41 PM
by: Tepix
If you can create a deno sandbox from a deno sandbox, you could create an almost unkillable service that jumps from one sandbox to the next. Very handy for malicious purposes. ;-)

Just an idea…
2/3/2026, 6:28:06 PM
by: MillionOClock
Can this be used on iOS somehow? I am building a Swift app where this would be very useful but last time I checked I don't think it was possible.
2/3/2026, 7:52:06 PM
by: mrpandas
Where's the real value for devs in something like this? Hasn't everyone already built this for themselves in the past 2 years? I'm not trying to sound cheeky or poo poo the product, just surprised if this is a thing. I can never read what's useful by gut anymore, I guess.
2/3/2026, 7:06:58 PM
by: eric-burel
Can it be used to sandbox an AI agent, like replacing e.g. Cursor or Openclaw sandboxing system?
2/3/2026, 8:33:00 PM
by: snehesht
50/200 Gb free plus $0.5 / Gb out egress data seems expensive when scaling out.
2/3/2026, 6:43:21 PM
by: e12e
Looks promising. Any plans for a version that runs locally/self-hostable?

Looks like the main innovation here is linking outbound traffic to a host with dynamic variables - could that be added to deno itself?
2/3/2026, 6:19:01 PM
by: LAC-Tech
As a bit of an aside, I've gotten back into deno after seeing bun get bought out by an AI company.

I really like it. Startup times are now better than node (if not as good as bun). And being able to put your whole "project" in a single file that grabs dependencies from URLs reduces friction a surprising amount compared to having to have a whole directory with package.json, package-lock.json, etc.

It's basically my "need to whip up a small thing" environment of choice now.
2/3/2026, 8:16:11 PM
by: bopbopbop7
Now I see why he was on twitter saying that the era of coding is over and hyping up LLMs, to sell more shovels...
2/3/2026, 8:33:58 PM
by: ianberdin
Firecracker VM with proxy?
2/3/2026, 6:22:56 PM