Deprecate VM2

Open helloanoop opened this issue 2 years ago • 5 comments

We've had great success with vm2 in running scripts inside a sandbox. The vm2 project, however, has currently been discontinued and is not recommended for production usage.

The recommended alternative is isolated-vm

We want to eventually move to an alternative that is being maintained. I don't want to rush at the moment. There are plenty more things that stack higher in priority.

Here is what our task list to get this done should look like:

  • [ ] a solid test suite that covers a lot of scripting capabilities
  • [ ] deprecate vm2, move to isolated-vm, but allow users to fall back to vm2 via a toggle if their tests start failing
  • [ ] once the new vm is stable, drop vm2

Sep 30 '23 20:09 helloanoop

I investigated isolated-vm and I don't think this is a viable replacement in our use case, because it does not support external or internal node modules like fs https://github.com/laverdet/isolated-vm/issues/27.

Jan 14 '24 15:01 Its-treason

Thanks @Its-treason !

I am thinking that we can fork vm2 to bruno's org and release a version under the package @usebruno/vm2. This seems to me a good short-term solution until we find a better one.

Jan 14 '24 16:01 helloanoop

This or using an existing fork like https://github.com/n8n-io/vm2 / https://www.npmjs.com/package/@n8n/vm2

This fork fixed both vulnerabilities with a workaround.

Jan 14 '24 20:01 Its-treason

@Its-treason I have rolled back this PR since it was breaking scripting - #1487

Jan 30 '24 18:01 helloanoop

@helloanoop is there anything I can do to get this merged in?

Aug 22 '24 20:08 tonytvo