🚀 Lua Sandboxing
Published on March 12, 2026 by Mariusz Czupryna
I have spent the last two weeks working on integrating https://github.com/kyren/piccolo into Lux as our VM for executing untrusted Lua scripts. Today that PR was merged! 🎉🎉
With constant attacks on NPM and even recent attacks on less popular repositories like Emacs's MELPA, security is becoming more vital every day. As of v0.26.0, all rockspecs and manifests are placed in a strong sandbox, guarded from malicious bytecode, filesystem/network access, DoS attacks, evil dynamic libraries and more!
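As an added example (not Lux's own code, which runs rockspecs in the piccolo VM), the same guards the sandbox provides against bytecode, filesystem or library access, and runaway loops are shown with plain Lua 5.4 facilities; the rockspec strings are constructed inputs.

```lua
-- Added example, not Lux's own code: Lux evaluates rockspecs in the piccolo
-- VM (Rust); plain Lua 5.4 stands in here to show the same three checks.
local function run_rockspec(src, max_instructions)
  -- Allow-list environment: no io, os, package, require, load, dofile or
  -- debug, so the chunk cannot reach files, the network or C libraries.
  local env = {
    pairs = pairs, ipairs = ipairs, type = type, tostring = tostring,
    tonumber = tonumber, string = string, table = table, math = math,
  }
  -- Mode "t" accepts source text only; precompiled bytecode is refused
  -- before the interpreter ever runs it.
  local chunk, err = load(src, "=rockspec", "t", env)
  if not chunk then return nil, "rejected: " .. err end
  -- Run on its own coroutine with an instruction-count hook as a coarse
  -- guard against endless loops; the hook raises and resume reports it.
  local co = coroutine.create(chunk)
  debug.sethook(co, function() error("instruction budget exceeded", 0) end,
                "", max_instructions)
  local ok, res = coroutine.resume(co)
  if not ok then return nil, "rejected: " .. tostring(res) end
  return env -- fields the rockspec assigned: env.package, env.version, ...
end

-- Constructed inputs: one benign rockspec and three hostile ones.
local cases = {
  benign    = 'package = "demo"\nversion = "1.0-1"\n'
           .. 'source = { url = "git+https://example.invalid/demo" }',
  fs_access = 'io.open("/etc/passwd")', -- io is absent from env
  bytecode  = "\27Lua",                 -- binary chunk signature
  dos       = "while true do end",      -- never terminates on its own
}
for name, src in pairs(cases) do
  local result, why = run_rockspec(src, 100000)
  if result then
    print(name, "accepted", result.package, result.version)
  else
    print(name, why)
  end
end
```

The instruction budget does not bound memory use (e.g. a huge string.rep), which only a host-side allocator limit can enforce.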
In the future, we'd like to pair Lux with native support for https://beta.luanox.org/, our WIP package hosting for Lua packages. Luanox is built with maximum security and zero-trust in mind - it's even resilient against a full leak of our internal databases as we don't store API keys nor other sensitive data.
Another positive effect of this change is that we no longer rely on mlua. This means that we can package Lux more easily for all platforms, and it now allows us to automatically download the appropriate version of the Lux loader for use in Lua REPLs.
We're always committed to ensuring security and usability in Lux. Stay safe and cheers to the next release 🍻