Today we’re excited to share that StackBlitz is now an official member of the Bytecode Alliance. This amazing rank of organizations is working together to create a faster, secure-by-default future for computing that leverages decades of experience doing so inside web browsers.
WebAssembly plays a key role in enabling this new future, and the Bytecode Alliance is tackling some of the greatest challenges to unlock widespread adoption of WebAssembly both inside and outside of browsers. Their work to date includes new standards such as the WebAssembly System Interface (WASI) and popular ecosystem tooling like wasmtime
or wit-bindgen
.
Lin Clark’s must-read post announcing the Bytecode Alliance offers a deep dive into the current security issues software toolchains face and the motivations and guiding principles of how the Bytecode Alliance aims to solve them. This quote captures it well:
Together, we’re putting in solid, secure foundations that can make it safe to use untrusted code, no matter where you’re running it — whether on the cloud, natively on someone’s desktop, or even on a tiny IoT device.
With this, developers can be as productive as they are today, using open source in the same way, but without putting their users at risk.
Why we’re joining
StackBlitz shares this same vision for secure WebAssembly-based computing. When we set out to build WebContainers, our WebAssembly-powered containerization technology, it was clear to us that something special was happening with WebAssembly and a different type of future was being unlocked. Millions of developers now use WebContainer environments on StackBlitz.com every month, but still, much remains to be done to bring this technology to all computing environments.
Being a part of this cross-industry partnership is enabling us to bring WebContainers more rapidly to all devices, languages, platforms, and runtimes.
In fact, we’ve already made progress in the short time since we joined:
- We’ve collaborated with the folks at Mozilla and begun enabling full support for WebContainers in Firefox
- We’re working with Shopify to leverage the power of WebAssembly environments to make deploying e-commerce applications simple and secure
- We’ve deepened our partnership with Google by providing feedback on new capabilities APIs and identifying key WebAssembly limitations
- We’ve begun R&D on bringing WebContainers to edge computing environments like Fastly Compute@Edge
- We’ve begun R&D on bringing Python, Ruby, and other languages to run on top of the WASI and WebContainers API surfaces
How we plan to contribute
We are standing on the shoulders of giants in the Bytecode Alliance who have been incredibly supportive of our mission and its execution. In turn, we also want to contribute, and we are uniquely able to do so in the following ways:
1. Help tighten the feedback loop for standards and implementors
The largest stress tests of computing platforms are often video games and IDEs. Both of these application types require API surfaces that only the most powerful, mature, and robust platforms can provide and thus, serve as a good “north star” for which platform vendors strive.
This is actually where WebAssembly originated. In the early 2010’s, Mozilla wanted to expand the web’s capabilities to enable desktop grade applications and started up their games program. In this article from IEEE, Luke Wagner explains their motivations:
“The thinking from team leader Martin Best of Mozilla was this: If we could make games run well on the Web, other computationally intensive applications would soon follow.”
Their work in this regard was wildly successful and ultimately led them to invent emscripten, asm.js
, and then WebAssembly itself. In turn, these technologies have now enabled video games to run inside browsers and also unlocked new productivity tools that made rich editing possible for graphics, videos, documents, and more.
However, IDEs pose additional sets of challenges beyond what games require such as some level of environment virtualization to enable developers to build the platform using the platform. This is a key stress test, and it’s why our work on WebContainers is unique in how it pushes the absolute limits of what WebAssembly and browser engines can do. This also means we’re often the first to run into critical platform bugs and limitations. Some examples of this include:
- Identifying and/or fixing mission critical bugs in browser engines, like recent issues with V8 WASM memory and threads in Firefox
- Pushing for standards that next-gen WebAssembly applications require, like COEP: credentialless and WebAssembly Threads
- Upstreaming our relevant knowledge & work on WebContainers to benefit standards, implementors, and ecosystem tooling
The faster these types of issues are identified and addressed, the faster our industry can unlock this new future. With millions of developers pushing the cutting edge of WebAssembly and browser engines on StackBlitz.com every month, we are uniquely positioned to help close this feedback loop and enable new types of computationally intensive applications to exist on the web.
2. Help the web ecosystem adopt WebAssembly and secure supply chains
We want secure WebAssembly-based environments to proliferate everywhere, without developers needing to rewrite their software. This can only be possible if the transition for developers is seamless and provides a better experience than native binaries. In general, this is StackBlitz’s guiding product philosophy: everything must be faster and more secure, by default.
Additionally, with the increase of npm supply chain attacks, JavaScript toolchains need to increase security posture. StackBlitz is one of the leaders in this area and we are committed to providing developers with the fastest and most secure environments, as well as upstreaming our knowledge and work to benefit the entire web ecosystem. Some examples of this include:
- WebContainers’ novel compute model, which is the first Node.js environment capable of executing 100% of third-party code within the browser security sandbox,
- Our embedded package manager Turbo, which is the first publicly available tool that solves the long unaddressed npm vulnerability that Sam Saccone reported over five years ago,
- Based on this foundational work, our team has upstreamed changes to Node.js core, paving a path to fully sandboxed execution in local environments.
- Our team has built deep domain expertise with Rust and WebAssembly, and we frequently help popular projects like Next.js create secure-by-default WebAssembly binaries that can run completely sandboxed.
This is just the beginning of our work in these areas and we are excited to share the breakthroughs and capabilities we have been working on over the coming months.
The future of computing
We are grateful to be a part of the Bytecode Alliance and excited to help make our shared vision a reality. If all goes as planned, this fourth decade of the web may be on the brink of getting really crazy, really fast.
You can learn more about the Bytecode Alliance and ways to get involved over at bytecodealliance.org.