Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Deprecate VM2 #263

Open
3 tasks
helloanoop opened this issue Sep 30, 2023 · 5 comments · Fixed by #1400 · May be fixed by #1565
Open
3 tasks

Deprecate VM2 #263

helloanoop opened this issue Sep 30, 2023 · 5 comments · Fixed by #1400 · May be fixed by #1565
Labels
mid-term-goal Mid Term Goal module-scripting

Comments

@helloanoop
Copy link
Contributor

We've had great success with vm2 in running scripts inside a sandbox.
The project vm2 however has been currently discontinued and not recommended for production usage.

The recommended alternative is isolated-vm

We want to eventually move to an alternative that is being maintained. I don't want to rush at the moment. There are plenty more things that stack higher in priority.

Here is how an our tasklist to get this done should look like

  • a solid test suite that covers a lot of scripting capabilities
  • deprecate vm2, move to a isolated-vm, but allow users to fallback to vm2 via toggle if their tests start start failing
  • once the new vm is stable, drop vm2
@jonasgheer jonasgheer mentioned this issue Oct 7, 2023
Open
@Its-treason Its-treason mentioned this issue Nov 8, 2023
Closed
@Its-treason
Copy link
Member

I investigated isolated-vm and I don't think this is a viable replacement in our use case, because it does not support external or internal node modules like fs laverdet/isolated-vm#27.

@helloanoop
Copy link
Contributor Author

Thanks @Its-treason !

I am thinking that we can fork vm2 to bruno's org and release a version under the package @usebruno/vm2
This seems to me a good short term solution until we find a better one.

@Its-treason
Copy link
Member

This or using an existing fork like https://github.com/n8n-io/vm2 / https://www.npmjs.com/package/@n8n/vm2

This fork fixed both vulnerabilities with a workaround.

Its-treason added a commit to Its-treason/bruno that referenced this issue Jan 16, 2024
@Its-treason
fix(usebruno#263): Replace vm2 with fork of vm2 to fix security issues
9c137a3
@Its-treason Its-treason mentioned this issue Jan 16, 2024
Merged
helloanoop pushed a commit that referenced this issue Jan 16, 2024
@Its-treason
fix(#263): Replace vm2 with fork of vm2 to fix security issues (#1400)
4e34aba
@helloanoop
Copy link
Contributor Author

@Its-treason I have rolled back this PR since it was breaking scripting - #1487

@helloanoop helloanoop reopened this Jan 30, 2024
Its-treason added a commit to Its-treason/bruno that referenced this issue Feb 10, 2024
@Its-treason
fix(usebruno#263): Implement script- & test-runtime in node:vm
48baac8
@Its-treason Its-treason linked a pull request Feb 10, 2024 that will close this issue
Open
Its-treason added a commit to Its-treason/bruno that referenced this issue Feb 16, 2024
@Its-treason
fix(usebruno#263): Add node_modules resolution and fix testResults
3ee9466
Its-treason added a commit to Its-treason/bruno that referenced this issue Feb 18, 2024
@Its-treason
feat(usebruno#263): Delete old script runtime and use new runtime
5da7967
Its-treason added a commit to Its-treason/bruno that referenced this issue Feb 18, 2024
@Its-treason
feat(usebruno#263): Remove vm2
3868072
Its-treason added a commit to Its-treason/bruno that referenced this issue Mar 5, 2024
@Its-treason
fix(usebruno#263): Fix onConsoleLog for all CLI and Tests scripts
4e2a065
Its-treason added a commit to Its-treason/bruno that referenced this issue Apr 10, 2024
@Its-treason
feat(usebruno#263): Add feature flag for new runtime and fix some bugs
9bc11f1
Its-treason added a commit to Its-treason/bruno that referenced this issue Apr 11, 2024
@Its-treason
feat(usebruno#263): Add feature flag for new runtime and fix some bugs
e528a2f
@tonytvo
Copy link

tonytvo commented Aug 22, 2024

@helloanoop is there anything I can do to get this merged in?

@helloanoop helloanoop added the mid-term-goal Mid Term Goal label Nov 30, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
mid-term-goal Mid Term Goal module-scripting
Projects
None yet
Milestone
No milestone
4 participants
@helloanoop @tonytvo @Its-treason @anusree-bruno