Week of May 1, 2026

​

New features

await using sandbox = await Sandbox.builder("my-sandbox")
  .image("alpine:latest")
  .cpus(2)
  .create();

msb run alpine --name agent \
  --net-default-egress deny \
  --net-rule "allow@public,allow@host" \
  --net-rule "deny@private:tcp:445"

• Disk-image volume mounts. Attach qcow2, raw, or vmdk images as virtio-blk devices at any guest path; readonly is now consistent across volume types. See Sandbox volumes.
• Inline --script flag. Register scripts on the command line with --script NAME=BODY; the file form is now --script-path NAME:PATH. See the CLI reference.
• msb alias. Installs from npm, pip, and cargo now put both microsandbox and msb on PATH.
• host.microsandbox.internal. Sandboxes can reach the host through this well-known DNS name.
• Trust host CAs (opt-in). Sandboxes can trust the host’s CA bundle for internal TLS endpoints. See Networking TLS.
• DNS interception over TCP/53 and DoT/853. Closes gaps where apps bypassed policy by switching transports. See Networking DNS.
• Custom TLS certs and insecure registries for self-hosted image registries. See the images overview.
• Per-sandbox libkrunfw override for SDK callers developing against unreleased firmware.
• Installer rejects unsupported glibc up front, instead of producing confusing runtime errors.

​

Bug fixes

• Domain and suffix= rules now enforce consistently across DNS, SNI, and policy layers.
• The Node/TypeScript SDK supports the same secret injection options as the Rust SDK.
• macOS reads system nameservers via SCDynamicStore, matching what the OS actually uses.
• The npm platform package ships libkrunfw under its canonical name, fixing load failures on some Linux distros.