replace VM2 #6

@poef

VM2 is known to be insecure; I should probably switch to v8-isolate or QuickJS.

However, do we even really need it? Since all queries are run inside a worker thread, can we isolate that well enough?

TODO: figure out what globals are available in a worker thread in Node, see if we can limit access to them, or remove them before running untrusted code.

See also: https://stackoverflow.com/questions/5408406/web-workers-without-a-separate-javascript-file?rq=1
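
An added example, not part of the original issue or the project's code: one way to carry out the TODO above by inventorying a Node.js worker thread's global scope before and after deleting selected names. `auditWorkerGlobals`, `WATCH` and `PROBE` are hypothetical names, and the watch list is constructed for illustration.

```javascript
// Added example (not the project's code): audit what a worker thread exposes.
// Watch list constructed for this example; extend it for your own review.
const WATCH = ['process', 'require', 'module', 'fetch', 'WebAssembly', 'SharedArrayBuffer'];

// Runs inside the worker: snapshot global names, delete the requested ones,
// snapshot again, and report both lists to the parent.
const PROBE = `
  const { parentPort, workerData } = require('node:worker_threads');
  const names = () => Object.getOwnPropertyNames(globalThis);
  const before = names();
  for (const name of workerData.remove) delete globalThis[name];
  parentPort.postMessage({ before, after: names() });
`;

async function auditWorkerGlobals(remove = WATCH) {
  // Dynamic import works from both CommonJS and ES module callers.
  const { Worker } = await import('node:worker_threads');
  const report = await new Promise((resolve, reject) => {
    const worker = new Worker(PROBE, {
      eval: true,
      workerData: { remove },
      env: {}, // start the worker without the parent's environment variables
      resourceLimits: { maxOldGenerationSizeMb: 64 }, // cap the worker's heap
    });
    worker.once('message', (msg) => { worker.terminate(); resolve(msg); });
    worker.once('error', reject);
  });
  return {
    total: report.before.length, // number of global names in a fresh worker
    exposed: WATCH.filter((n) => report.before.includes(n)), // watched names found
    stillPresent: remove.filter((n) => report.after.includes(n)), // survived delete
  };
}

// Deleting a name only removes that global binding. The worker still shares
// the host process and its OS privileges, so treat the result as an inventory.
auditWorkerGlobals().then((r) => console.log(r));
```

Anything listed under `stillPresent` could not be removed with `delete` and needs a different control.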

Labels: enhancement (New feature or request)