fix(deps): update dependency vm2 to v3.10.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
vm2	3.9.19 → 3.10.0

GitHub Vulnerability Alerts

CVE-2023-37466

In vm2 for versions up to 3.9.19, Promise handler sanitization can be bypassed, allowing attackers to escape the sandbox and run arbitrary code.

Impact

Remote Code Execution, assuming the attacker has arbitrary code execution primitive inside the context of vm2 sandbox.

Patches

None.

Workarounds

None.

References

PoC - https://gist.github.com/leesh3288/f693061e6523c97274ad5298eb2c74e9

For more information

If you have any questions or comments about this advisory:

• Open an issue in VM2

Thanks to Xion (SeungHyun Lee) of KAIST Hacking Lab for disclosing this vulnerability.

---

Release Notes

patriksimek/vm2 (vm2)

v3.10.0

Compare Source

What's Changed

• Upstream security fixes @​netroy in #​540
• Modernization, added support for TypeScript compiler @​patriksimek in #​542

New Contributors

• @​netroy made their first contribution in #​540

Full Changelog: patriksimek/vm2@3.9.19...v3.10.0

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[safedep]

SafeDep Report Summary

Package Details

Package	Malware	Vulnerability	Risky License	Report
vm2 @ 3.10.0 apps/core/package.json pnpm-lock.yaml				🔗

_{This report is generated by SafeDep Github App}