bruno
CLI 2 critical severity vulnerabilities
When installing CLI on Node V. 18.14.1, I get this message
npm WARN deprecated [email protected]: The library contains critical security issues and should not be used for production! The maintenance of the project has been discontinued. Consider migrating your code to isolated-vm.
changed 146 packages, and audited 147 packages in 11s
34 packages are looking for funding
run `npm fund` for details
2 critical severity vulnerabilities
vm2 has been deprecated for a while now, and we already planned to update to a different library here #263.
The vulnerabilities in vm2 allow for malicious code to escape the sandbox. I think if you only run trusted request scripts it should be fine for now, but we will definitely address this in the future.
I would say that this should be fairly high priority if you're looking to drive adoption. I'm evaluating Bruno to use at my workplace and things like that will definitely raise eyebrows. I wanted to test the cli but immediately uninstalled it when confronted by those security warnings.
Is there any progress on this? I love Bruno, but unfortunately cannot use the CLI until this is addressed and thus cannot use it to automate API testing
Not really, I opened a second PR that replaced vm2 with the native vm module. But this did not get any attention yet.