
Comment by nine_k

15 days ago

What may be mysterious here? You can have multiple versions of Node installed if needed, and every app brings in the entire dependency tree, isolated from everything else.

If you trust your apps enough, you don't even need chroot.

I have much more peace of mind when it's not in a chroot but, even better, inside a systemd unit with all that ReadOnlyPaths and capabilities stuff applied. In the ideal case, network access beyond localhost (and maybe the DB) is denied for greater safety.
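For readers who want to see what the systemd-side confinement described above looks like in practice, here is an added example unit; it is not from the thread or from any commenter. It assumes a Node app living under `/srv/myapp`, started as `node server.js`, listening on localhost port 3000, running as a dedicated `myapp` user; the remote database address is a placeholder.

```ini
# /etc/systemd/system/myapp.service
# Added example unit (not the commenter's own). Assumptions: app tree at
# /srv/myapp, a pre-created "myapp" system user, service bound to localhost:3000.
[Unit]
Description=Node app confined by systemd sandboxing instead of chroot
After=network.target

[Service]
Type=simple
User=myapp
Group=myapp
WorkingDirectory=/srv/myapp
ExecStart=/usr/bin/node /srv/myapp/server.js
Environment=NODE_ENV=production
Environment=PORT=3000

# Filesystem: OS tree read-only, app tree (including node_modules) read-only,
# only /var/lib/myapp (created by StateDirectory=) stays writable.
ProtectSystem=strict
ProtectHome=yes
ReadOnlyPaths=/srv/myapp
StateDirectory=myapp
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes

# Privileges: empty capability set (binding to an unprivileged port needs none),
# no privilege escalation through setuid binaries, generic syscall allow-list.
NoNewPrivileges=yes
CapabilityBoundingSet=
AmbientCapabilities=
RestrictSUIDSGID=yes
LockPersonality=yes
RestrictNamespaces=yes
RestrictRealtime=yes
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
UMask=0077
# MemoryDenyWriteExecute=yes is deliberately NOT set: Node's JIT needs pages
# that are writable and then executable, and the service would crash at start.

# Network: only the loopback interface is reachable. A remote database, if
# any, is allowed explicitly by address; everything else is dropped.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
IPAddressDeny=any
IPAddressAllow=localhost
# IPAddressAllow=192.0.2.10/32
# (placeholder line above: the real DB host/CIDR goes here if the DB is remote)

[Install]
WantedBy=multi-user.target
```

After `systemctl daemon-reload` and `systemctl start myapp`, `systemd-analyze security myapp.service` reports the remaining exposure score and lists which settings are still open. Two caveats worth checking on a real box: `IPAddressAllow=`/`IPAddressDeny=` need cgroup v2 with BPF support, and if the app resolves the database by hostname against a resolver that is not on localhost, that resolver's address must be allowed too or DNS lookups will silently fail.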