Description
Security Vulnerability Alert for the version of vm2 found in your devDependencies:
On 25 Jan 26, a GitHub project maintainer shared a critical flaw found in vm2, a popular NodeJS sandbox library [1]. The vulnerability, tracked as CVE-2026-22709 (CVSS v3.1 score 9.8), arises from vm2’s failure to properly sandbox ‘Promises,’ the callback sanitization component that handles asynchronous operations, and could allow an attacker to escape the sandbox and run untrusted JavaScript code [2].
(U) CVE-2026-22709 affects vm2 version 3.10.0, and has been fixed in versions 3.10.1, 3.10.2, and 3.10.3. Users are recommended to update to version 3.10.3, as it contains a more secure patch to avoid a potential bypass. As of 30 Jan 26, there is no evidence of active exploitation.
Please fix this.
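As an added example (not part of this issue or of the vm2 project), the following Node.js script audits a package-lock.json for the vm2 versions this advisory names, including copies nested under other dependencies. It assumes a lockfileVersion 2/3 lockfile with a top-level "packages" map; the sample lockfile at the bottom is constructed for demonstration.

```javascript
// Added example: flag vm2 installs in a package-lock.json against CVE-2026-22709.
// Version facts are taken from the advisory text above: 3.10.0 is affected,
// 3.10.1 and 3.10.2 carry a fix, and 3.10.3 is the recommended upgrade target.
const AFFECTED = '3.10.0';
const PATCHED_BUT_NOT_RECOMMENDED = ['3.10.1', '3.10.2'];
const RECOMMENDED = '3.10.3';

// Compare dotted numeric versions; a pre-release suffix is ignored for simplicity.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Classify one installed vm2 version strictly by what the advisory states;
// versions the advisory does not mention are reported as such, not as safe.
function classify(version) {
  if (compareVersions(version, AFFECTED) === 0) return 'affected';
  if (PATCHED_BUT_NOT_RECOMMENDED.includes(version)) return 'patched-upgrade-recommended';
  if (compareVersions(version, RECOMMENDED) >= 0) return 'ok';
  return 'not-covered-by-advisory';
}

// Walk the lockfile's "packages" map: every key ending in node_modules/vm2 is an
// install of vm2, whether top-level or nested under another dependency.
function auditVm2(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/vm2') || !meta.version) continue;
    findings.push({ path, version: meta.version, dev: Boolean(meta.dev), status: classify(meta.version) });
  }
  return findings;
}

// Constructed sample lockfile fragment (not a real project's lockfile).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/vm2': { version: '3.10.0', dev: true },
    'node_modules/some-tool/node_modules/vm2': { version: '3.10.2' },
    'node_modules/other/node_modules/vm2': { version: '3.10.3' },
  },
};

console.log(JSON.stringify(auditVm2(SAMPLE_LOCK), null, 2));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`.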