Skip to content

JavaScript Sandbox SDK v0.1.10

Latest

Choose a tag to compare

@Pangjiping Pangjiping released this 08 Jul 05:40
6c98cc6

What's New

Features

  • Added directory listing support through the new execd directory API. The SDK exposes depth-controlled traversal (depth defaults to 1 for immediate children) and a FileInfo.type field (file, directory, symlink, other). Symlinks are reported as symlinks and are not recursively traversed, and /files/info now reports symlinks as symlinks rather than resolving to the target type. #1001
  • Added line-based file reads through GET /files/download with offset (1-based line number) and limit (line count) query parameters, enabling callers to read large text files by line range. Mutually exclusive with the existing Range header. #1030
  • Added detailed replace-content feedback without breaking existing callers. The replace API now returns ContentReplaceResult[] exposing per-file replacedCount, so callers can detect no-match (0) and multi-match (>1) replacements. Callers not using the return value are unaffected. #991
  • Added Credential Vault support to the JS/TS SDK surface, including models, egress adapter, sandbox creation, unit tests, and E2E coverage. #1023
  • Added runOnce and withSession isolation convenience helpers. sandbox.isolation.runOnce(code, workspace, opts?) wraps create → run → delete into a single call with guaranteed cleanup, and sandbox.isolation.withSession(req, fn) scopes a multi-run isolated workflow with auto-delete on exit. Both are declared on the IsolationService interface; cleanup is best-effort so it never masks the original error. #1008 #1222
  • Added an LRU + TTL endpoint cache with in-flight request deduplication. The SDK now caches (sandbox_id, port, use_server_proxy) → Endpoint to avoid repeated resolution round-trips. It is enabled by default (TTL 600s, max size 1024) and tunable via ConnectionConfig; killing a sandbox actively invalidates its cached entries. #1133
  • Sandbox lifecycle responses now surface extensions. The JS/TS SDK response models expose opensandbox.extensions.* data returned by create/get/list so callers can read extension values round-tripped from the server. #1112
  • Added the optional resourceRequests field to sandbox creation. Kubernetes-backed sandboxes can now set resource requests separately from limits (enabling Burstable QoS). Omitting the field preserves the existing behavior where requests equal limits. #1074

Bug Fixes

  • Background command log polling now accepts a successful empty GET /command/{id}/logs response as an empty log chunk instead of throwing unexpected response shape, while still parsing the tail cursor header so callers can continue polling from the returned offset. #1013
  • Clarified deleteOnSandboxTermination semantics in the JS sandbox model: auto-created Kubernetes PVCs are now actually deleted on sandbox termination when opted in (previously the field was documented as Docker-only). Default remains false (opt-in), so existing behavior is unchanged. #880

Security

  • Patched transitive npm advisories as part of a cross-package Dependabot sweep, bumping undici to 8.5.0 (TLS bypass, DoS, cache poisoning, proxy reuse) and js-yaml to 5.2.0 (quadratic DoS) via pnpm.overrides. #1145

Misc

  • Deprecated the ports field on credential vault binding matches (CredentialMatch.ports). Port is now derived from the scheme (https → 443, http → 80), matching what the intercept layer actually redirects; values other than 80 or 443 are rejected by the server. The field is retained for backward compatibility but should no longer be set. #1189
  • Updated the JS SDK package manifest repository/issues metadata to the new opensandbox-group/OpenSandbox org so package pages point to the current repo (published package name unchanged). #1139
  • Regenerated the lifecycle client after the server dropped its unused PendingSandbox mechanism, and refreshed generated execd clients for the isolated replace-content surface. #1178 #1129 #1002
  • Bumped the JS Sandbox SDK package version to 0.1.10 and aligned the default User-Agent string with the released version. #1062 #1248

Contributors