I only found mention of v8-isolate when searching for it specifically. Coming up in only https://blog.cloudflare.com/serverless-performance-compariso... and a few comments on HN. I don't see any description of its use other than a summary of 'we use v8 isolates', which begs a /r/restofthefuckingowl. Even an interview with KV doesn't reveal much. https://softwareengineeringdaily.com/wp-content/uploads/2018... Isolate also doesn't do anything for sandboxing from what I can tell. Cloudflare quotes 'That said, we have added additional layers of our own sandboxing on top of V8.' I do not see any actual technical information on how they're using v8.

v8 and by extension isolated-vm by itself does not cover things like fetch if we're talking JS. https://github.com/laverdet/isolated-vm/issues/63 This is an immediete killer as js browser features are part of why a js engine is wanted.

Having node handling these things is a time bomb of debugging where instead of debugging v8 you're debugging node. There are node version problems with stability as mentioned on the isolate-vm readme.

DOS goes beyond just CPU time and memory. Wasm is being treated as an environment of its own with some lower level accessibility. Unless the API allows feature whitelisting - I can't find any docs relating to that - then I don't see anything stopping thread creation. I'd be interested to know how cloudflare prevents these features. isolate-vm doesn't appear to interact with the v8 api with options relating to this.

Fly.io has their fly engine meant for local development so you can deploy onto their servers. https://github.com/superfly/fly