Being able to run someone else's code without the negative consequences is the ultimate supply chain security. What if I told you it's possible? Limit access to globals for a package? Sure. Control if a package can access network or file system? Yup, that too. And no more prototype pollution. I'll start by replacing eval() with good(), get to TC39 proposals and then all the way back to what you can practically use soon or even right away!