
Is "require()" safe in a sandbox?


I'm building a sandboxed duktape application. The sandboxing doc (https://github.com/svaarala/duktape/blob/master/doc/sandboxing.rst) advises removing the default require() implementation. I'm not clear why that is necessary. It seems that require() depends on modSearch() to determine what code to load and from where. If modSearch() doesn't permit loading data from anywhere that isn't permitted in the sandbox, is there anything else about the default require() implementation that is unsafe or gives cause for wariness?


Solution

  • The recommendation is there to emphasize that the default require() is not necessarily sandboxing safe (even if the current implementation was), so it's probably best to replace it when sandboxing against potentially untrusted code (at least if the code can be actively malicious rather than just accidentally broken).

    That said, I don't know of any concrete issues right now.
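
The kind of restrictive modSearch() the question describes, as an added example that is not part of the original thread or of the Duktape project: modules are served only from a fixed in-memory table, and the function is installed so that sandboxed code cannot reassign it. It assumes the Duktape 1.x signature `modSearch(id, require, exports, module)`; the module table, `makeModSearch` and `installModSearch` are hypothetical names, and the code covers only what modSearch() controls, not the require() implementation the answer is cautious about.

```javascript
// Constructed module table: ids and sources are illustrative only.
var MODULE_SOURCES = {
    'util/format': 'exports.pad = function (s, n) { s = String(s); ' +
                   'while (s.length < n) { s = " " + s; } return s; };',
    'config': 'exports.maxItems = 16;'
};

// Lowercase terms separated by single slashes. Ids containing '.', '..',
// backslashes, NUL bytes, a leading slash or empty terms cannot match.
var SAFE_ID = /^[a-z0-9_]+(\/[a-z0-9_]+)*$/;

function makeModSearch(sources) {
    // Null-prototype map: ids such as "constructor" or "__proto__" must not
    // resolve to members inherited from Object.prototype.
    var table = Object.create(null);
    Object.keys(sources).forEach(function (k) {
        table[k] = String(sources[k]);
    });

    // Assumed Duktape 1.x signature: modSearch(id, require, exports, module).
    return function modSearch(id) {
        if (typeof id !== 'string' || id.length > 64 || !SAFE_ID.test(id)) {
            throw new Error('module id rejected');
        }
        if (!(id in table)) {
            throw new Error('module not found: ' + id);
        }
        return table[id];  // source text that require() will evaluate
    };
}

// Define modSearch as non-writable and non-configurable so code running
// later cannot replace it. `host` is the Duktape object inside Duktape.
function installModSearch(host, sources) {
    Object.defineProperty(host, 'modSearch', {
        value: makeModSearch(sources),
        writable: false, enumerable: false, configurable: false
    });
    return host.modSearch;
}

// Runs only inside Duktape; elsewhere the functions above are just defined.
if (typeof Duktape === 'object') {
    installModSearch(Duktape, MODULE_SOURCES);
}
```

The installation has to happen from trusted setup code before any untrusted script is evaluated in the same context.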