Deno
A secure runtime for JavaScript and TypeScript
BUT!!!
Importing from a URL
Deno lets you import from the web, just like you can in the browser. Just add a URL where you would usually name a module:
import { bgBlue, red, bold } from "https://deno.land/std/colors/mod.ts";
It has the possibility of being much secure than Node/NPM. Even if you allow network access, a script will not have access to the file system unless you also grant it file system access. The first time you run a script, you have the option of walking through everything in all the code which requires any additional permissions (file system, network, etc) and individually granting or denying access. Eventually, the goal is to allow for more fine grained access, e.g. scoping permissions to specific paths or specific URLs.
BUT!!!
why? how it could be secure?!
It's secure because networking and other stuff are sandboxed inside a Rust sandbox, and network connection has to be explicitly granted.
Yes "Deno is safe", but that does not mean that the scripts that you will use it to execute are also.
Deno allows you to execute a nuclear bomb detonator if you wish.
But unlike Node, Deno will prevent you from lauching the bomb inadvertently.
It's not, not unless you can pin a hash and limit hosts in configuration.
On the flip side, I don't think it's much worse than npm.
It has the possibility of being much secure than Node/NPM. Even if you allow network access, a script will not have access to the file system unless you also grant it file system access. The first time you run a script, you have the option of walking through everything in all the code which requires any additional permissions (file system, network, etc) and individually granting or denying access. Eventually, the goal is to allow for more fine grained access, e.g. scoping permissions to specific paths or specific URLs.
None of this is a silver bullet, but it's much better (more secure) than Node/NPM which just allows everything.