!!! IMPORTANT !!! = Critical Security Advisories in dependency vm2

[Justman100]

Hi, when installing the dependencies, this pokes me in the eye:

formio-workers > vm2@3.9.19: The library contains critical security issues and should not be used for production! The maintenance of the project has been discontinued. Consider migrating your code to isolated-vm.

For more details, see here and here


So, it will be recommed, to migrate vm2 code to isolated-vm

[Justman100]

@brendanbond @lane-formio @mikekotikov

[lane-formio]

@Justman100
Thank you for your vigilance. This is a very high priority vulnerability for us and we have a development effort dedicated to resolving this as soon as possible.

Edit: Attaching our internal ticket number for anyone else that may be tracking this issue through our support channels. FIO-7167

[RachelAmbler]

Any update on this?

[brendanbond]

Hi @RachelAmbler the next major release of our enterprise server product should have the required changes to our javascript execution contexts, we expect it very soon - thanks for your patience!

[travist]

There are 2 pull requests to watch for this resolution.

• Refactor validation processing #1682
• Formio-Vm integration #1684

We understand that this is a long time coming, but it did require us to refactor our server-side data processing system to make it work in a way that was performant and extensible. It is our #1 priority to resolve this issue so it is coming very soon.

[brendanbond]

Resolved by #1693, vm2 is no longer a dependency in master and upcoming tags