Running Python code in a sandbox with MicroPython and WASM
Analysis
The idea of a truly secure, dependency-aware Python sandbox has been a mirage for years. We’ve shuffled between Docker containers with their bloat and attack surface, chroot jails with their fragility, and esoteric process isolation tools that never quite covered all the edges. Now, Simon Willison—the mind behind Datasette and a relentless toolmaker—has thrown his hat in with a radical proposition: WebAssembly running MicroPython. His new alpha package, micropython-wasm, isn’t just another attempt; it feels like the first one built from the ground up with the ruthless pragmatism of someone who’s actually been bitten by the problem.
The problem is specific and urgent. Willison builds beautiful, extensible tools whose power comes from plugins. But Pluggy, the elegant system that powers them, executes plugin code with the same privileges as the core application. A single rogue or sloppy plugin can nuke your database or phone home with your data. His sandbox isn’t an academic exercise; it’s a necessary fortification for his own creations, like Datasette Agent. This is a developer eating his own dog food and, crucially, building a better bowl to eat it from.
His checklist is a gauntlet that has defeated most previous solutions: install cleanly from PyPI without extra steps, enforce hard memory and CPU limits, lock down filesystem and network access, and still allow controlled interaction with the host. It’s a list that implicitly condemns the status quo. Docker doesn’t “install from PyPI.” Most process isolation tools fail at “support for interaction with host functions” without becoming complex security nightmares themselves. Willison is demanding a holy grail.
This is where WebAssembly stops being a niche technology for the browser and becomes the most interesting systems-level innovation in years. WASM’s sandbox is its core feature, not an add-on. It provides predictable, resource-constrained execution at the instruction-set level. By compiling MicroPython—a lean, efficient Python implementation—to WASM, you get a Python runtime that is born inside a cage. Memory is bounded by the WASM linear memory, the CPU is bound by the host’s scheduling, and filesystem and network access can be stubbed out or proxied by default. The architecture itself answers the first four items on Willison’s list with a blunt “that’s the point.”
The choice of MicroPython is both the smartest and most fascinating part of this bet. It’s not CPython. It lacks the vast ecosystem and some standard library modules. For many, that’s a dealbreaker. But for a sandbox, it’s a feature. You’re not trying to run arbitrary, complex scientific computing libraries inside an untrusted execution environment. You’re running small, composable scripts to transform data, query an API, or perform a quick calculation. MicroPython’s smaller footprint means a faster startup, a smaller WASM module, and a more predictable attack surface. It’s a deliberate trade of breadth for depth of security. Willison isn’t building a general-purpose Python cloud; he’s building a useful Python sandbox, which is a profound distinction.
The “vibe-coded” comment in his write-up is a stroke of disarming honesty. In an industry that often obscures complexity, he’s admitting this is an early, gut-feel experiment. But that’s also its strength. This isn’t a committee-designed, over-engineered standard from a cloud provider. It’s a tool forged by immediate necessity. The trust model is classic open source: here’s the code, here’s the reasoning, run it yourself. It’s a refreshing contrast to the opaque, “trust our managed service” approach that dominates cloud security. You can audit the very WASM sandbox that’s meant to protect you.
Where could this go wrong? The devil is in the details of the host functions bridge. How does the sandboxed code request a file read? What’s the API surface for network calls? If he gets this wrong, the sandbox becomes either useless (too restrictive) or leaky (too permissive). This is the delicate art of sandbox design. Furthermore, while WASM is portable, the actual security guarantees still depend on the host runtime and the underlying OS. It’s a chain of trust.
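The "too restrictive versus too permissive" trade-off in the host functions bridge can be made concrete with a small host-side sketch. This is an added example, not code from micropython-wasm or from Willison's write-up: `HostBridge`, `leaky_read`, `confined_read` and the file names are hypothetical, and it models only the host's dispatch and path checks, not the WASM runtime itself.

```python
import tempfile
from pathlib import Path

class HostBridge:
    """Deny-by-default dispatcher for calls coming out of the sandbox (hypothetical)."""
    def __init__(self):
        self._exposed = {}

    def expose(self, name, handler):
        self._exposed[name] = handler

    def call(self, name, *args):
        if name not in self._exposed:  # never exposed means never callable
            raise PermissionError(f"host function not exposed: {name}")
        return self._exposed[name](*args)

def leaky_read(root):
    """Too permissive: '..' segments or an absolute path leave root."""
    return lambda rel: Path(root, rel).read_bytes()

def confined_read(root, max_bytes=64 * 1024):
    """Resolve first, then require the result to stay under root and a size cap."""
    root = Path(root).resolve()
    def read(rel):
        target = (root / rel).resolve()  # collapses '..' and follows symlinks
        if root not in target.parents:
            raise PermissionError(f"path escapes sandbox root: {rel}")
        if target.stat().st_size > max_bytes:
            raise ValueError(f"file exceeds {max_bytes} bytes: {rel}")
        return target.read_bytes()
    return read

def demo():
    """Send the same guest requests to both handlers (all files are constructed)."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "plugin_data")
        root.mkdir()
        (root / "rows.csv").write_bytes(b"id,name\n1,a\n")
        Path(tmp, "host_secret.txt").write_bytes(b"constructed secret")
        for label, make in (("leaky", leaky_read), ("confined", confined_read)):
            bridge = HostBridge()
            bridge.expose("read_file", make(root))
            out[label, "inside"] = bridge.call("read_file", "rows.csv")
            for name, arg in (("read_file", "../host_secret.txt"),
                              ("open_socket", "example.invalid")):
                try:
                    bridge.call(name, arg)
                    out[label, name] = "allowed"
                except PermissionError:
                    out[label, name] = "denied"
    return out
```

Both bridges refuse `open_socket` because it was never exposed, but only the confined handler also refuses the read that climbs out of `plugin_data`; the guest-visible API is identical in both cases, which is why the leak is a property of the host handler rather than of the sandbox.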
But consider the implication beyond plugins. Imagine Datasette itself: a user could write a SQL query and then a small Python function to process the results, all without ever leaving the web interface. The code executes, modifies nothing on the server, and vanishes. Or, consider the AI agent angle: an LLM generates Python code to manipulate data, and this sandbox executes it, guaranteeing that the model’s code can’t arbitrarily access your disk or network. This isn’t just about securing plugins; it’s about enabling a new category of interactive, code-driven applications that are safe by default.
Willison’s project quietly underscores a major shift in developer tooling. The most important infrastructure is becoming invisible, embedded, and secure by design. We’ve moved from “the server is the security boundary” to “the function is the security boundary,” and WASM is the hardware-level enabler of that idea. This MicroPython experiment is a live, working demo of that philosophy.
Ultimately, whether micropython-wasm becomes a widely adopted dependency or remains a brilliant niche tool for Datasette, its significance is larger. It’s a proof of concept that the long-standing promise of secure, portable, fine-grained code execution is finally being built by the people who need it most, using the technologies that make it feasible. It’s less a finished product and more a manifesto in code: the sandbox of the future should be lightweight, developer-friendly, and spun up from a single pip install. The race to build it just got a lot more interesting.
Disclaimer: The above content is generated by AI and is for reference only.