Bump the npm_and_yarn group across 3 directories with 19 updates

[dependabot]

Bumps the npm_and_yarn group with 9 updates in the /controller/web-server directory:

Package	From	To
protobufjs	7.2.6	7.5.6
yaml	1.10.2	1.10.3
ajv	6.12.6	6.15.0
ajv	8.12.0	8.20.0
brace-expansion	1.1.11	1.1.14
flatted	3.2.7	3.4.2
js-yaml	3.14.1	3.14.2
minimatch	3.1.2	3.1.5
picomatch	2.3.1	2.3.2
vm2	3.9.19	3.11.2

Bumps the npm_and_yarn group with 8 updates in the /controller/web-server/server directory:

Package	From	To
ajv	6.12.6	6.15.0
ajv	8.12.0	8.20.0
brace-expansion	2.0.1	2.1.0
brace-expansion	1.1.11	1.1.14
flatted	3.2.7	3.4.2
js-yaml	3.14.1	3.14.2
minimatch	5.1.6	5.1.9
minimatch	3.1.2	3.1.5
on-headers	1.0.2	1.1.0
picomatch	2.3.1	2.3.2
qs	6.11.0	6.14.2

Bumps the npm_and_yarn group with 12 updates in the /policy/frontend directory:

Package	From	To
yaml	1.10.0	1.10.3
ajv	6.12.6	6.15.0
brace-expansion	1.1.11	1.1.14
flatted	3.1.0	3.4.2
form-data	3.0.1	3.0.4
js-yaml	3.14.1	3.14.2
picomatch	2.2.2	2.3.2
cipher-base	1.0.4	1.0.7
follow-redirects	1.15.6	1.16.0
lodash	4.17.21	4.18.1
pbkdf2	3.1.1	3.1.5
sha.js	2.4.11	2.4.12

Updates protobufjs from 7.2.6 to 7.5.6

Release notes

Sourced from protobufjs's releases.

protobufjs: v7.5.6

7.5.6 (2026-04-27)

Bug Fixes

• Backport input hardening and CLI fixes to 7.x (#2173) (75392ea)

v7.5.5

This release backports two reported security issues to 7.x branch.

• fix: do not allow setting __proto__ in Message constructor (#2126)
• fix: filter invalid characters from the type name (#2127)

Full Changelog: protobufjs/protobuf.js@protobufjs-v7.5.4...protobufjs-v7.5.5

protobufjs: v7.5.4

7.5.4 (2025-08-15)

Bug Fixes

• invalid syntax in descriptor.proto (#2092) (5a3769a)

protobufjs: v7.5.3

7.5.3 (2025-05-28)

Bug Fixes

• descriptor extensions handling post-editions (#2075) (6e255d4)

protobufjs: v7.5.2

7.5.2 (2025-05-14)

Bug Fixes

• ensure that types are always resolved (#2068) (4b51cb2)

protobufjs: v7.5.1

7.5.1 (2025-05-08)

Bug Fixes

• optimize regressions from editions implementations (#2066) (6406d4c)
• reserved field inside group blocks fail parsing (#2058) (56782bf)

protobufjs: v7.5.0

... (truncated)

Changelog

Sourced from protobufjs's changelog.

7.5.6 (2026-04-27)

Bug Fixes

• Backport input hardening and CLI fixes to 7.x (#2173) (75392ea)

7.5.4 (2025-08-15)

Bug Fixes

• invalid syntax in descriptor.proto (#2092) (5a3769a)

7.5.3 (2025-05-28)

Bug Fixes

• descriptor extensions handling post-editions (#2075) (6e255d4)

7.5.2 (2025-05-14)

Bug Fixes

• ensure that types are always resolved (#2068) (4b51cb2)

7.5.1 (2025-05-08)

Bug Fixes

• optimize regressions from editions implementations (#2066) (6406d4c)
• reserved field inside group blocks fail parsing (#2058) (56782bf)

7.5.0 (2025-04-15)

Features

• add Edition 2023 Support (f04ded3)
• add Edition 2023 Support (ac9a3b9)
• add Edition 2023 Support (e5ca5c8)
• add Edition 2023 Support (a84409b)
• add Edition 2023 Support (9c5a178)
• add Edition 2023 Support (b2c6867)
• add Edition 2023 Support (60f3e51)
• add Edition 2023 Support (a656361)
• add Edition 2023 Support (869a95b)

... (truncated)

Commits

• 2189e5b chore: release protobufjs-v7.x (#2174)
• 75392ea fix: Backport input hardening and CLI fixes to 7.x (#2173)
• 8af8d7c chore(ci): Fix 7.x release please configuration (#2169)
• e92ca42 chore(ci): Enable release-please for 7.x (#2166)
• b7bdfaf chore: release 7.5.5
• ff7b2af fix: filter invalid characters from the type name (#2127)
• 086b19d fix: do not allow setting proto in Message constructor (#2126)
• 827ff8e chore: release master (#2093)
• 5a3769a fix: invalid syntax in descriptor.proto (#2092)
• f42297b chore: release master (#2076)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for protobufjs since your current version.

Updates yaml from 1.10.2 to 1.10.3

Commits

• cfe8f04 1.10.3
• 7abcf45 fix: Catch stack overflow during CST composition
• a0252f8 chore: Add rules avoiding processing of tests/json-test-suite
• a5e83b0 style: Apply updates Prettier rules
• b8ddca0 chore: Refresh lockfile
• 395f892 ci: Use a different (working) submodule checkout
• 6fd2720 test-events: Add {} and [] indicators to flow maps & sequences
• See full diff in compare view

Updates ajv from 6.12.6 to 6.15.0

Commits

• 184bc32 6.15.0
• fea46af test/fix prototype pollution via $data ref with format keyword (#2606)
• e3af0a7 6.14.0
• b552ed6 add regExp option to address $data exploit via a regular expression (CVE-2025...
• 72f2286 docs: update v7 info
• 231e52b Merge pull request #1320 from philsturgeon/patch-1
• d3475fc Add spectral, an AJV util from a sponsor
• 413afe0 docs: v7.0.0-beta.3
• 11e997b update readme for v7
• See full diff in compare view

Updates ajv from 8.12.0 to 8.20.0

Commits

• 184bc32 6.15.0
• fea46af test/fix prototype pollution via $data ref with format keyword (#2606)
• e3af0a7 6.14.0
• b552ed6 add regExp option to address $data exploit via a regular expression (CVE-2025...
• 72f2286 docs: update v7 info
• 231e52b Merge pull request #1320 from philsturgeon/patch-1
• d3475fc Add spectral, an AJV util from a sponsor
• 413afe0 docs: v7.0.0-beta.3
• 11e997b update readme for v7
• See full diff in compare view

Updates brace-expansion from 1.1.11 to 1.1.14

Release notes

Sourced from brace-expansion's releases.

v1.1.12

• pkg: publish on tag 1.x c460dbd
• fmt ccb8ac6
• Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) c3c73c8

---

juliangruber/brace-expansion@v1.1.11...v1.1.12

Commits

• 10c05fc 1.1.14
• 1afa1b2 Add opt-in { max } mitigation to v1 legacy line (#103)
• 2fbb6a2 Revert "Backport fix for GHSA-7h2j-956f-4vf2 to v1 (#101)" (#102)
• 0d7652e Backport fix for GHSA-7h2j-956f-4vf2 to v1 (#101)
• 6c353ca 1.1.13
• 7fd684f Backport fix for GHSA-f886-m6hf-6m8v (#95)
• 44f33b4 1.1.12
• c460dbd pkg: publish on tag 1.x
• ccb8ac6 fmt
• c3c73c8 Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65)
• See full diff in compare view

Updates flatted from 3.2.7 to 3.4.2

Commits

• 3bf0909 3.4.2
• 885ddcc fix CWE-1321
• 0bdba70 added flatted-view to the benchmark
• 2a02dce 3.4.1
• fba4e8f Merge pull request #89 from WebReflection/python-fix
• 5fe8648 added "when in Rome" also a test for PHP
• 53517ad some minor improvement
• b3e2a0c Fixing recursion issue in Python too
• c4b46db Add SECURITY.md for security policy and reporting
• f86d071 Create dependabot.yml for version updates
• Additional commits viewable in compare view

Updates js-yaml from 3.14.1 to 3.14.2

Changelog

Sourced from js-yaml's changelog.

[3.14.2] - 2025-11-15

Security

• Backported v4.1.1 fix to v3

[4.1.1] - 2025-11-12

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

[4.1.0] - 2021-04-15

Added

• Types are now exported as yaml.types.XXX.
• Every type now has options property with original arguments kept as they were (see yaml.types.int.options as an example).

Changed

• Schema.extend() now keeps old type order in case of conflicts (e.g. Schema.extend([ a, b, c ]).extend([ b, a, d ]) is now ordered as abcd instead of cbad).

[4.0.0] - 2021-01-03

Changed

• Check migration guide to see details for all breaking changes.
• Breaking: "unsafe" tags !!js/function, !!js/regexp, !!js/undefined are moved to js-yaml-js-types package.
• Breaking: removed safe* functions. Use load, loadAll, dump instead which are all now safe by default.
• yaml.DEFAULT_SAFE_SCHEMA and yaml.DEFAULT_FULL_SCHEMA are removed, use yaml.DEFAULT_SCHEMA instead.
• yaml.Schema.create(schema, tags) is removed, use schema.extend(tags) instead.
• !!binary now always mapped to Uint8Array on load.
• Reduced nesting of /lib folder.
• Parse numbers according to YAML 1.2 instead of YAML 1.1 (01234 is now decimal, 0o1234 is octal, 1:23 is parsed as string instead of base60).
• dump() no longer quotes :, [, ], (, ) except when necessary, #470, #557.
• Line and column in exceptions are now formatted as (X:Y) instead of at line X, column Y (also present in compact format), #332.
• Code snippet created in exceptions now contains multiple lines with line numbers.
• dump() now serializes undefined as null in collections and removes keys with undefined in mappings, #571.
• dump() with skipInvalid=true now serializes invalid items in collections as null.
• Custom tags starting with ! are now dumped as !tag instead of !<!tag>, #576.
• Custom tags starting with tag:yaml.org,2002: are now shorthanded using !!, #258.

Added

• Added .mjs (es modules) support.
• Added quotingType and forceQuotes options for dumper to configure string literal style, #290, #529.
• Added styles: { '!!null': 'empty' } option for dumper (serializes { foo: null } as "foo: "), #570.

... (truncated)

Commits

• 9963d36 3.14.2 released
• 10d3c8e dist rebuild
• 5278870 fix prototype pollution in merge (<<) (#731)
• See full diff in compare view

Updates minimatch from 3.1.2 to 3.1.5

Commits

• 7bba978 3.1.5
• bd25942 docs: add warning about ReDoS
• 1a9c27c fix partial matching of globstar patterns
• 1a2e084 3.1.4
• ae24656 update lockfile
• b100374 limit recursion for **, improve perf considerably
• 26ffeaa lockfile update
• 9eca892 lock node version to 14
• 00c323b 3.1.3
• 30486b2 update CI matrix and actions
• Additional commits viewable in compare view

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

• fix: exception when glob pattern contains constructor by @​Jason3S in micromatch/picomatch#144
• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

• Changelogs are for humans, not machines.
• There should be an entry for every single version.
• The same types of changes should be grouped.
• Versions and sections should be linkable.
• The latest version comes first.
• The release date of each versions is displayed.
• Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

• Added for new features.
• Changed for changes in existing functionality.
• Deprecated for soon-to-be removed features.
• Removed for now removed features.
• Fixed for any bug fixes.
• Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

• Fix bad text values in parse #126, thanks to @​connor4312

Changed

• Remove process global to work outside of node #129, thanks to @​styfle
• Add sideEffects to package.json #128, thanks to @​frandiox
• Removed os, make compatible browser environment. See #124, thanks to @​gwsbhqt

3.0.1

Fixes

... (truncated)

Commits

• 81cba8d Publish 2.3.2
• fc1f6b6 Merge commit from fork
• eec17ae Merge commit from fork
• 78f8ca4 Merge pull request #156 from micromatch/backport-144
• 3f4f10e Merge pull request #144 from Jason3S/jdent-object-properties
• See full diff in compare view

Updates undici from 5.28.4 to 6.19.7

Release notes

Sourced from undici's releases.

v6.19.7

Full Changelog: nodejs/undici@v6.19.6...v6.19.7

v6.19.6

Full Changelog: nodejs/undici@v6.19.5...v6.19.6

v6.19.5

Full Changelog: nodejs/undici@v6.19.4...v6.19.5

v6.19.4

Full Changelog: nodejs/undici@v6.19.3...v6.19.4

v6.19.3

Full Changelog: nodejs/undici@v6.19.2...v6.19.3

v6.19.2

What's Changed

• fix #3337 by @​KhafraDev in nodejs/undici#3338
• build: use husky as husky install is deprecated by @​jazelly in nodejs/undici#3340
• fix: interceptors.d.ts has no default export by @​Uzlopak in nodejs/undici#3332

Full Changelog: nodejs/undici@v6.19.1...v6.19.2

v6.19.1

What's Changed

• don't append empty origin by @​KhafraDev in nodejs/undici#3335

Full Changelog: nodejs/undici@v6.19.0...v6.19.1

v6.19.0

What's Changed

• build(deps): bump ossf/scorecard-action from 2.3.1 to 2.3.3 by @​dependabot in nodejs/undici#3305
• build(deps): bump codecov/codecov-action from 4.3.1 to 4.4.1 by @​dependabot in nodejs/undici#3303
• build(deps): bump step-security/harden-runner from 2.7.1 to 2.8.0 by @​dependabot in nodejs/undici#3304
• build(deps): bump github/codeql-action from 3.25.3 to 3.25.7 by @​dependabot in nodejs/undici#3306
• build(deps): bump node from 9e8f45f to dd7e693 in /build by @​dependabot in nodejs/undici#3309
• build(deps): bump node from dd7e693 to e6d4495 in /build by @​dependabot in nodejs/undici#3313
• remove websocket experimental warning by @​KhafraDev in nodejs/undici#3311
• perf: optimization of request instantiation by @​tsctx in nodejs/undici#3107
• perf: convert object to params by @​DarkGL in nodejs/undici#3302
• build(deps-dev): bump borp from 0.14.0 to 0.15.0 by @​dependabot in nodejs/undici#3320
• build(deps-dev): bump c8 from 9.1.0 to 10.0.0 by @​dependabot in nodejs/undici#3321
• fix: add missing error classes to types by @​maxbeatty in nodejs/undici#3316
• export interceptor to type def file by @​jakecastelli in nodejs/undici#3318
• build(deps): bump node from e6d4495 to 075a5cc in /build by @​dependabot in nodejs/undici#3326
• doc: clearify the behaviour of bodyTimeout in the request by @​jakecastelli in nodejs/undici#3324
• feature: support pre-shared sessions by @​tastypackets in nodejs/undici#3325

... (truncated)

Commits

• c81f5a7 Bumped v6.19.7
• 09c5667 build: remove -i flag to docker run to allow command being run without a TTY
• b9bf7ad Bumped v6.19.6
• 638ee32 fix: memory leak in finalization first appearing in v6.16.0 (#3445)
• 8499c4b Bumped v6.19.5
• 93605ab fix: restore externalized Node.js dep compatibility (#3421)
• 62241c3 Bumped v6.19.4
• e51aa88 Update esbuild to 0.19.10 (#3415)
• 99102cc Bumped v6.19.3
• b696a78 In CITGM, skip tests that are flaky there (#3413)
• Additional commits viewable in compare view

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates vm2 from 3.9.19 to 3.11.2

Release notes

Sourced from vm2's releases.

v3.11.2

What's Changed

Security fixes

• GHSA-9vg3-4rfj-wgcm — Sandbox-realm null-proto write-through via bridge.from() set trap (RCE)
• GHSA-2cm2-m3w5-gp2f — Internal state reachable via computed-key access on globalThis
• GHSA-9qj6-qjgg-37qq — Bridge saved-state leak via sandbox-installed Array.prototype[N] setter (RCE)

Documentation

• docs/ATTACKS.md updated through Category 28, plus a new Defense Invariant
  ("Bridge-internal containers must not invoke sandbox code").

Full Changelog: patriksimek/vm2@v3.11.1...v3.11.2

v3.11.1

Single advisory closed plus prominent documentation of an existing escape hatch. Patch release — no API changes for valid configurations.

Embedders running untrusted code with nesting: true should read the new README section.

What's Changed

Security fix

• GHSA-8hg8-63c5-gwmx — nesting: true bypassed require: false, allowing sandbox-to-host RCE via inner NodeVM construction. The contradictory option pair { nesting: true, require: false } now throws VMError at new NodeVM(...) time citing the advisory. Same shape as the GHSA-cp6g eager FileSystem-contract probe — surface contradictory configuration at the API surface, not silently produce an unsandboxed sandbox.

Documentation

• New README section "nesting: true is an escape hatch" under Hardening recommendations. Spells out the inner-VM independence: a nested VM's require config is chosen by the sandbox code that constructs it, not constrained by the outer VM. Do not enable nesting: true for untrusted code.
• JSDoc on the nesting option (lib/nodevm.js) upgraded to match.
• docs/ATTACKS.md gains Category 25 documenting the configuration trap, plus a matching row in the "How The Bridge Defends" table.

Upgrade Notes

• If you set { nesting: true, require: false } anywhere in your codebase, new NodeVM(...) now throws. Either drop nesting: true (if you wanted deny-all), or replace require: false with an explicit require config (e.g. require: { builtin: [] }) to acknowledge that vm2 will be requireable. The error message is actionable and links to the README section.
• No other configurations are affected. Bare new NodeVM({ nesting: true }) continues to work as documented; this is the documented escape hatch and is not closed by this patch (out of scope — would change nesting: true semantics substantially).

What This Fix Does NOT Close

nesting: true itself remains an escape hatch for any non-trivial require config. The fix closes the specific contradictory pair flagged by the advisory; the broader recommendation is in the new README section: do not enable nesting: true when running untrusted code. Constraint propagation from outer to inner NodeVM (where the outer's require config would constrain inner construction) was considered and deferred — it would change the documented semantics of nesting: true and is a major-version-shaped change.

Full Changelog: patriksimek/vm2@v3.11.0...v3.11.1

v3.11.0

Coordinated security release closing 13 advisories, plus a new bufferAllocLimit option and a realpath() method on the FileSystem adapter contract. Minor version bump because of the new public option and the FileSystem contract addition; no incompatible changes to the existing public API surface.

Embedders running untrusted code should upgrade. Several of the advisories close full sandbox-escape RCE primitives.

What's Changed

... (truncated)

Changelog

Sourced from vm2's changelog.

[3.11.2]

Three advisories closed. Patch release — no API changes.

Security fixes

• GHSA-2cm2-m3w5-gp2f — Internal state reachable via computed property access on globalThis. The previous fix (GHSA-wp5r-2gw5-m7q7) tightened the transformer's identifier-rejection but left globalThis['VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL'] and every reflective probe of the global object (bracket access, Reflect.get, Object.getOwnPropertyDescriptor, Object.getOwnPropertyNames enumeration) returning the live state object — the transformer is a syntactic gate and cannot see through dynamic property keys. Structural fix: the bootstrap script (vm.js's setupSandboxScript source) now declares let VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL at the script's top level, which lands the binding in the context's [[GlobalLexicalEnvironment]] — reachable as a bare identifier from every script (so transformer-emitted catch handlers still resolve), but absent from globalThis's own-property table (so every computed-key probe returns undefined). The defineProperty install in setup-sandbox.js is removed entirely; the bootstrap IIFE assigns into the outer let instead. Supersedes GHSA-wp5r-2gw5-m7q7's identifier-only mitigation by closing the entire computed-key class. ATTACKS.md Category 27.
• GHSA-9vg3-4rfj-wgcm — Sandbox breakout via null-proto throw / handleException. The post-GHSA-mpf8 hardening switched handleException and globalPromise.prototype.then onFulfilled to wrap caught/resolved values with bridge.from() for "symmetry". from() builds a sandbox-side proxy whose target the bridge treats as host-realm; calling it on a sandbox-realm null-proto value ({__proto__: null} thrown or Promise.resolve-d by sandbox JS) produced a proxy whose set trap unwrapped sandbox proxies of host references (e.g. Buffer.prototype.inspect) back to their raw host originals and stored them on the underlying sandbox object — readable via the original sandbox reference and pivot to host Function constructor → RCE. Three callsites in lib/setup-sandbox.js reverted to ensureThis() semantics; the host-Promise rejection sanitizer composes from() outside handleException so the GHSA-mpf8 invariant (host null-proto rejection values must reach sandbox callbacks bridge-wrapped) is preserved. ATTACKS.md Category 26.
• GHSA-9qj6-qjgg-37qq — sandbox breakout via the species-defense helper neutralizeArraySpeciesBatch. The helper appended saved-state records to a fresh [] literal that — being allocated by the sandbox-side bridge closure — inherited sandbox Array.prototype. A sandbox-installed setter on Array.prototype[N] therefore captured the next saved[saved.length] = c write and exposed c.arr (a host-realm proxy) directly to attacker code, leading to host Function extraction and RCE. Fixed in lib/bridge.js by writing every saved-state entry through thisReflectDefineProperty so the appended slot is an own data property and no Array.prototype[N] setter is ever invoked while the bridge holds raw saved state. ATTACKS.md gains a new Defense Invariant ("Bridge-internal containers must not invoke sandbox code") codifying the cross-cutting principle.

[3.11.1]

Single advisory closed plus prominent documentation of an existing escape hatch. Patch release — no API changes for valid configurations.

Security fix

• GHSA-8hg8-63c5-gwmx — nesting: true bypassed require: false, allowing sandbox-to-host RCE via inner NodeVM construction. The contradictory option pair { nesting: true, require: false } now throws VMError at new NodeVM(...) time citing the advisory. Same shape as the GHSA-cp6g eager FileSystem-contract probe — surface contradictory configuration at the API surface, not silently produce an unsandboxed sandbox. ATTACKS.md Category 25.

Documentation

• New README section "nesting: true is an escape hatch" under Hardening recommendations. Explains that nesting: true lets sandbox code require('vm2') and construct nested NodeVMs whose require config is chosen by the sandbox (not constrained by the outer config — by design of nesting). Do not enable nesting: true for untrusted code.
• JSDoc on the nesting option (lib/nodevm.js) upgraded to spell out the escape-hatch semantics and the GHSA-8hg8 contradictory-pair rejection.
• ATTACKS.md gains Category 25 documenting the configuration trap and a matching row in the "How The Bridge Defends" table.

Upgrade notes

• If you set { nesting: true, require: false } anywhere in your codebase, new NodeVM(...) now throws. Either drop nesting: true (if you wanted deny-all), or replace require: false with an explicit require config (e.g. require: { builtin: [] }) to acknowledge that vm2 will be requireable. The error message is actionable and links to the README section.
• No other configurations are affected. Bare new NodeVM({ nesting: true }) continues to work as documented; this is the documented escape hatch and is not closed by this patch (out of scope — would change nesting: true semantics substantially).

What this fix does NOT close

nesting: true itself remains an escape hatch for any non-trivial require config. The fix closes the specific contradictory pair flagged by the advisory; the broader recommendation is in the new README section: do not enable nesting: true when running untrusted code. Constraint propagation from outer to inner NodeVM (where the outer's require config would constrain inner construction) was considered and deferred — it would change the documented semantics of nesting: true and is a major-version-shaped change.

[3.11.0]

Coordinated security release closing 13 advisories, plus a new bufferAllocLimit option and a realpath() method on the FileSystem adapter contract. Minor version bump because of the new public option and the FileSystem contract addition; no incompatible changes to the existing public API surface. Embedders running untrusted code in memory-constrained environments should review the new bufferAllocLimit option and the README's Hardening recommendations section.

Upgrade notes

• Custom fs adapters with require.root must implement realpathSync (or realpath() on a fully custom FileSystem class). Without it, new NodeVM({require: {root, fs: customAdapter}}) now throws a VMError at construction, citing GHSA-cp6g-6699-wx9c. The eager probe converts what was previously silent deny-by-default at every later require() into a single, clearly-labelled construction-time error. Default fs users are unaffected — DefaultFileSystem and VMFileSystem ship realpath() out of the box.
• Embedders running untrusted async code should install a host-side unhandledRejection handler. The GHSA-hw58 fix closes synchronous executor throws but cannot reach async-function / async-generator / await using rejection paths (V8 creates rejection promises via the realm's intrinsic Promise). See README's Hardening recommendations and ATTACKS.md Category 22.
• Embedders running untrusted code in memory-constrained environments should opt into a finite bufferAllocLimit (e.g. 32 * 1024 * 1024) as part of layered DoS defense. Default remains Infinity for backwards compatibility.

Security fixes

• GHSA-grj5-jjm8-h35p — Array species self-return sandbox escape. Bridge apply and construct traps now neutralise host-array constructor and Symbol.species before every host call (and restore in a finally block). Direct write, Object.assign, non-configurable defineProperty, and prototype-level constructor variants all blocked.
• GHSA-v37h-5mfm-c47c — Handler reconstruction via util.inspect leak. Three-layer defense: closure-scoped construction token, getHandlerObject WeakMap guard, and .constructor sentinel rebind on every handler-class prototype (including BufferHandler).
• GHSA-qcp4-v2jj-fjx8 — Trap method on leaked handler with forged target. New handlerToTarget WeakMap pairs every handler with its canonical proxy target at construction; validateHandlerTarget(this, target) at the entry of every trap method rejects forged-this and forged-target invocations with VMError(OPNA).
• GHSA-47x8-96vw-5wg6 — Cross-realm symbol extraction from host objects. Two-layer defense: dangerous cross-realm symbols (nodejs.util.inspect.custom, nodejs.rejection, nodejs.util.promisify.custom) are filtered at the bridge boundary; structural identity collapse pre-populates the bridge identity caches for every built-in intrinsic prototype + constructor pair so prototype walks land on sandbox primordials.
• GHSA-55hx-c926-fr95 — Promise structural-leak / SuppressedError / AggregateError sanitisation. handleException now recurses into AggregateError.errors[] (in addition to SuppressedError.error/.suppressed); the bridge-level apply-trap recognises calls to host Promise.prototype.{then,catch,finally} by cached identity and pipes every sandbox callback through the same sanitiser.

... (truncated)

Commits

• 7a552e8 chore: bump to 3.11.2
• ca195f0 fix(GHSA-9qj6-qjgg-37qq): bridge saved-state leak via Array.prototype[N] setter
• 99d410b fix(GHSA-2cm2-m3w5-gp2f): bind internal state in GlobalLexicalEnvironment
• c33c2bb fix(GHSA-9vg3-4rfj-wgcm): null-proto throw write-through via bridge from()
• 46cbbdd fix(GHSA-8hg8-63c5-gwmx): reject contradictory { nesting: true, require: fals...
• fc0da54 fix: enhance CallSite path leak tests for Node 14+ and Node 16+ compatibility
• fca270d fix: ensure compatibility with Node 8 by replacing recursive mkdir with expli...
• 5cc3037 fix: update test pipeline
• 4e9fa06 chore: update mocha
• 865439d chore: bump to 3.11.0
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for vm2 since your current version.

Updates ajv from 6.12.6 to 6.15.0

Commits

• 184bc32 6.15.0
• fea46af test/fix prototype pollution via $data ref with format keyword (#2606)
• e3af0a7 6.14.0
• b552ed6 add regExp option to address $data exploit via a regular expression (CVE-2025...
• 72f2286 docs: update v7 info
• 231e52b Merge pull request #1320 from philsturgeon/patch-1
• d3475fc Add spectral, an AJV util from a sponsor
• 413afe0 docs: v7.0.0-beta.3
• 11e997b update readme for v7
• See full diff in compare view

Updates ajv from 8.12.0 to 8.20.0

Commits

• 184bc32 6.15.0
• fea46af test/fix prototype pollution via $data ref with format keyword (#2606)
• e3af0a7 6.14.0
• b552ed6 add regExp option to address $data exploit via a regular expression (CVE-2025...
• 72f2286 docs: update v7 info
• 231e52b Merge pull request #1320 from philsturgeon/patch-1
• d3475fc Add spectral, an AJV util from a sponsor
• 413afe0 docs: v7.0.0-beta.3
• 11e997b update readme for v7
• See full diff in compare view

Updates brace-expansion from 2.0.1 to 2.1.0

Details

Description has been truncated