langchain-ai/langchain-sandbox
1
0
Fork 0
mirror of https://github.com/langchain-ai/langchain-sandbox.git synced 2026-06-29 21:53:23 -04:00
Code Issues 28 Packages Projects Releases 6 Wiki Activity
42 Commits 32 Branches 6 Tags
main
T
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Eugene Yurtsev fac037cb46 Update README with maintenance notice and usage warning (#65) 
Added a notice about the lack of maintenance and production use
recommendation.

---------

Co-authored-by: Mason Daugherty <github@mdrxy.com>
Co-authored-by: Hunter Lovell <hunter@hntrl.io>
Co-authored-by: ccurme <chester.curme@gmail.com>
2026-01-14 13:49:31 -05:00
.github
x
2025-04-15 11:43:34 -04:00
examples
allow returning session bytes & metadata directly (#12)
2025-05-16 10:40:22 -04:00
libs
pyodide-sandbox-js: add makefile with test target (#52)
2025-07-09 14:38:23 -04:00
.gitignore
add codeact example (#8)
2025-04-25 09:41:13 -04:00
README.md
Update README with maintenance notice and usage warning (#65)
2026-01-14 13:49:31 -05:00
SECURITY.md
Add security.md (#32)
2025-05-20 22:49:39 -04:00

README.md

Warning

This package is no longer maintained. These days we recommend accessing code execution either through sandbox APIs or LLM provider APIs.

We do not recommend using langchain-sandbox for any production use cases. You are welcome to fork the code for your own use cases!

🛡️ LangChain Sandbox

A secure environment for running Python code using Pyodide (WebAssembly) and Deno

Python 3.10+ Deno License: MIT

📋 Overview

LangChain Sandbox provides a secure environment for executing untrusted Python code. It leverages Pyodide (Python compiled to WebAssembly) to run Python code in a sandboxed environment.

Key Features

  • 🔒 Security - Isolated execution environment with configurable permissions
  • 💻 Local Execution - No remote execution or Docker containers needed
  • 🔄 Session Support - Maintain state across multiple code executions

🛡️ Security Considerations

Warning

While LangChain Sandbox uses Pyodide and Deno to isolate code execution, the actual security guarantees depend on how you configure the sandbox and Deno permissions. If you grant broad permissions (such as host file system or unrestricted network access) via arguments passed to PyodideSandbox, sandboxed or untrusted code may access your host resources.

See the Deno Security Model documentation for details on configuring permissions securely. Carefully review and restrict permissions when running untrusted code.

Limitations

  • Latency: There is a few seconds of latency when starting the sandbox per run
  • File access: Currently not supported. You will not be able to access the files written by the sandbox.
  • Network requests: If you need to make network requests please use httpx.AsyncClient instead of requests.

🚀 Quick Install

  1. Install Deno (required): https://docs.deno.com/runtime/getting_started/installation/

  2. Install langchain-sandbox:

    pip install langchain-sandbox

💡 Example Usage

Warning

Use allow_net to limit the network requests that can be made by the sandboxed code to avoid SSRF attacks https://docs.deno.com/runtime/fundamentals/security/#network-access

from langchain_sandbox import PyodideSandbox

# Create a sandbox instance
sandbox = PyodideSandbox(
    # Allow Pyodide to install python packages that
    # might be required.
    allow_net=True,
)
code = """\
import numpy as np
x = np.array([1, 2, 3])
print(x)
"""

# Execute Python code
print(await sandbox.execute(code))

# CodeExecutionResult(
#   result=None, 
#   stdout='[1 2 3]', 
#   stderr=None, 
#   status='success', 
#   execution_time=2.8578367233276367,
#   session_metadata={'created': '2025-05-15T21:26:37.204Z', 'lastModified': '2025-05-15T21:26:37.831Z', 'packages': ['numpy']},
#   session_bytes=None
# )

Stateful Sandbox

If you want to persist state between code executions (to persist variables, imports, and definitions, etc.), you can set stateful=True in the sandbox. This will return session_bytes and session_metadata that you can pass to .execute().

Warning

session_bytes contains pickled session state. It should not be unpickled and is only meant to be used by the sandbox itself

sandbox = PyodideSandbox(
    # Create stateful sandbox
    stateful=True,
    # Allow Pyodide to install python packages that
    # might be required.
    allow_net=True,
)
code = """\
import numpy as np
x = np.array([1, 2, 3])
print(x)
"""

result = await sandbox.execute(code)

# Pass previous result
print(await sandbox.execute("float(x[0])", session_bytes=result.session_bytes, session_metadata=result.session_metadata))

#  CodeExecutionResult(
#     result=1, 
#     stdout=None, 
#     stderr=None, 
#     status='success', 
#     execution_time=2.7027177810668945
#     session_metadata={'created': '2025-05-15T21:27:57.120Z', 'lastModified': '2025-05-15T21:28:00.061Z', 'packages': ['numpy', 'dill']},
#     session_bytes=b'\x80\x04\x95d\x01\x00..."
# )

Using as a tool

You can use PyodideSandbox as a LangChain tool:

from langchain_sandbox import PyodideSandboxTool

tool = PyodideSandboxTool()
result = await tool.ainvoke("print('Hello, world!')")

Using with an agent

You can use sandbox tools inside a LangGraph agent:

from langgraph.prebuilt import create_react_agent
from langchain_sandbox import PyodideSandboxTool

tool = PyodideSandboxTool(
    # Allow Pyodide to install python packages that
    # might be required.
    allow_net=True
)
agent = create_react_agent(
    "anthropic:claude-3-7-sonnet-latest",
    tools=[tool],
)
result = await agent.ainvoke(
    {"messages": [{"role": "user", "content": "what's 5 + 7?"}]},
)

Stateful Tool

Important

Stateful PyodideSandboxTool works only in LangGraph agents that use the prebuilt create_react_agent or ToolNode.

If you want to persist state between code executions (to persist variables, imports, and definitions, etc.), you need to set stateful=True:

from langgraph.prebuilt import create_react_agent
from langgraph.prebuilt.chat_agent_executor import AgentState
from langgraph.checkpoint.memory import InMemorySaver
from langchain_sandbox import PyodideSandboxTool, PyodideSandbox

class State(AgentState):
    # important: add session_bytes & session_metadata keys to your graph state schema - 
    # these keys are required to store the session data between tool invocations.
    # `session_bytes` contains pickled session state. It should not be unpickled
    # and is only meant to be used by the sandbox itself
    session_bytes: bytes
    session_metadata: dict

tool = PyodideSandboxTool(
    # Create stateful sandbox
    stateful=True,
    # Allow Pyodide to install python packages that
    # might be required.
    allow_net=True
)
agent = create_react_agent(
    "anthropic:claude-3-7-sonnet-latest",
    tools=[tool],
    checkpointer=InMemorySaver(),
    state_schema=State
)
result = await agent.ainvoke(
    {
        "messages": [
            {"role": "user", "content": "what's 5 + 7? save result as 'a'"}
        ],
        "session_bytes": None,
        "session_metadata": None
    },
    config={"configurable": {"thread_id": "123"}},
)
second_result = await agent.ainvoke(
    {"messages": [{"role": "user", "content": "what's the sine of 'a'?"}]},
    config={"configurable": {"thread_id": "123"}},
)

See full examples here:

🧩 Components

The sandbox consists of two main components:

  • pyodide-sandbox-js: JavaScript/TypeScript module using Deno to provide the core sandboxing functionality.
  • sandbox-py: Contains PyodideSandbox which just wraps the JavaScript/TypeScript module and executes it as a subprocess.
Reference in New Issue View Git Blame Copy Permalink
S
Description
Safely run untrusted Python code using Pyodide and Deno
code-interpreterlangchainlanggraphllmllmspyodidepythonsandbox
Readme 430 KiB
Releases 6
Latest
2025-05-20 22:41:50 -04:00
Languages
Python 67.9%
TypeScript 28.2%
Makefile 3.9%