From CommonJS Spec Wiki
To be usable in secured module loaders, a module must conform to additional constraints:
- A module must not write to any free variables or their transitive members.
- A module must not refer to any free variables apart from primordials ("Object", "Array", etc. as defined by ECMAScript), "require", "environment", and "exports".
- A module must not tamper with (assign to, assign to members of, delete, or otherwise mutate) the transitive primordials.