vm2 - npm Package Compare versions

Comparing version 3.9.6 to 3.9.7

8

CHANGELOG.md

@@ -0,1 +1,9 @@

v3.9.7 (2022-02-10)
-------------------
[fix] Allow relative require from base script
[fix] Fix issue with modules with exports clause in package json
[fix] Added missing whitelist check before custom require
[fix] Revert plain object toString behavior
[fix] Root path check improved
v3.9.6 (2022-02-08)

@@ -2,0 +10,0 @@ -------------------

3

lib/bridge.js

@@ -33,3 +33,2 @@ 'use strict';

'Promise',
'Object',
'Function'

@@ -52,2 +51,3 @@ ];

__proto__: null,
Object: Object.prototype,
Array: Array.prototype

@@ -932,2 +932,3 @@ };

thisAddProtoMapping(thisGlobalPrototypes.Object, otherGlobalPrototypes.Object);
thisAddProtoMapping(thisGlobalPrototypes.Array, otherGlobalPrototypes.Array);

@@ -934,0 +935,0 @@
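Review bot: The new `Object: Object.prototype` entry in the prototype table and the paired `thisAddProtoMapping(thisGlobalPrototypes.Object, otherGlobalPrototypes.Object);` call carry no comment saying why plain objects now have their prototype mapped across the realm boundary; the only hint is the changelog line "Revert plain object toString behavior" in another file, and which of the three lines in the first hunk was dropped is not recoverable from this rendering, so the direction of the change is inferred. I would put `// Map Object.prototype across realms so bridged plain objects keep the pre-3.9.6 toString behaviour` above the table entry, and pair the mapping with a test that a plain object handed into the sandbox still reports `[object Object]` while `Object.prototype` itself is never reachable unproxied. Both enclosing definitions start outside the hunks.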

@@ -392,2 +392,3 @@ 'use strict';

sandboxModule = new (this._Module)(resolvedFilename, dirname);
this._resolver.registerModule(sandboxModule, resolvedFilename, dirname, null, false);
}

@@ -401,2 +402,3 @@ } else {

sandboxModule = new (this._Module)(resolvedFilename, dirname);
this._resolver.registerModule(sandboxModule, resolvedFilename, dirname, null, false);
} else {

@@ -403,0 +405,0 @@ sandboxModule = new (this._Module)(null, null);
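Review bot: The two new `this._resolver.registerModule(sandboxModule, resolvedFilename, dirname, null, false);` calls pass two bare positional literals whose meaning cannot be read from the call site, and nothing says why registration now has to happen right after the module is constructed. Assuming this is the changelog's "Allow relative require from base script", a one-line comment on each call would carry that: `// register the base script up front so its relative requires resolve against dirname`. The enclosing function, and the `else` that closes the second hunk, continue outside the hunk.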

@@ -37,11 +37,15 @@ 'use strict';

function makeExternalMatcherRegex(obj) {
return escapeRegExp(obj).replace(/\\\\|\//g, '[\\\\/]')
.replace(/\\\*\\\*/g, '.*').replace(/\\\*/g, '[^\\\\/]*').replace(/\\\?/g, '[^\\\\/]');
}
function makeExternalMatcher(obj) {
const regexString = escapeRegExp(obj).replace(/\\\\|\//g, '[\\\\/]')
.replace(/\\\*\\\*/g, '.*').replace(/\\\*/g, '[^\\\\/]*').replace(/\\\?/g, '[^\\\\/]');
const regexString = makeExternalMatcherRegex(obj);
return new RegExp(`[\\\\/]node_modules[\\\\/]${regexString}(?:[\\\\/](?!(?:.*[\\\\/])?node_modules[\\\\/]).*)?$`);
}
class TransitiveResolver extends DefaultResolver {
class LegacyResolver extends DefaultResolver {
constructor(builtinModules, checkPath, globalPaths, pathContext, customResolver, hostRequire, compiler, externals) {
constructor(builtinModules, checkPath, globalPaths, pathContext, customResolver, hostRequire, compiler, externals, allowTransitive) {
super(builtinModules, checkPath, globalPaths, pathContext, customResolver, hostRequire, compiler);

@@ -51,2 +55,3 @@ this.externals = externals;

this.trustedMods = new WeakMap();
this.allowTransitive = allowTransitive;
}

@@ -60,3 +65,9 @@

if (!super.isPathAllowed(path)) return false;
if (mod && (mod.allowTransitive || path.startsWith(mod.path))) return true;
if (mod) {
if (mod.allowTransitive) return true;
if (path.startsWith(mod.path)) {
const rem = path.slice(mod.path.length);
if (!/(?:^|[\\\\/])node_modules(?:$|[\\\\/])/.test(rem)) return true;
}
}
return this.externals.some(regex => regex.test(path));
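Review bot: `path.startsWith(mod.path)` on the new branch is a bare prefix test, so a trusted module rooted at `<dir>/node_modules/foo` also vouches for `<dir>/node_modules/foo-other/...`: the remainder `-other/...` contains no `node_modules` segment and the branch returns true, assuming `mod.path` is a directory without trailing separator as its use as `dirname` in the `@@ -108,5` hunk suggests. The checkPath change later in this commit fixes exactly this prefix problem with a separator check but does not apply it here; changing the inner test to `if ((rem === '' || rem[0] === '/' || rem[0] === pa.sep) && !/(?:^|[\\\\/])node_modules(?:$|[\\\\/])/.test(rem)) return true;` closes it, provided the `pa` path alias used by checkPath is in scope in this file. The same substring-only matching recurs in the new custom-resolver whitelist in the `@@ -293,4` hunk, where `new RegExp(makeExternalMatcherRegex(ext))` has no anchors, so an `external` entry admits any request that merely contains it; `new RegExp(`^${makeExternalMatcherRegex(ext)}(?:[\\\\/].*)?$`)` keeps subpath requests while rejecting unrelated names. isPathAllowed's signature and the `mod` lookup are above the hunk.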

@@ -71,3 +82,4 @@ }

paths: this.genLookupPaths(path),
allowTransitive: (direct && trustedParent && trustedParent.allowTransitive) || this.externals.some(regex => regex.test(filename))
allowTransitive: this.allowTransitive &&
((direct && trustedParent && trustedParent.allowTransitive) || this.externals.some(regex => regex.test(filename)))
});

@@ -108,5 +120,10 @@ }

this.checkAccess(mod, filename);
const trustedMod = this.trustedMods.get(mod);
const script = this.readScript(filename);
vm.run(script, {filename, strict: true, module: mod, wrapper: 'none', dirname: trustedMod ? trustedMod.path : mod.path});
if (this.pathContext(filename, 'js') === 'sandbox') {
const trustedMod = this.trustedMods.get(mod);
const script = this.readScript(filename);
vm.run(script, {filename, strict: true, module: mod, wrapper: 'none', dirname: trustedMod ? trustedMod.path : mod.path});
} else {
const m = this.hostRequire(filename);
mod.exports = vm.readonly(m);
}
}
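Review bot: The new `else` branch executes the file on the host via `this.hostRequire(filename)` on the strength of `this.pathContext(filename, 'js')` alone, and nothing at the branch says that this is the intended trust boundary rather than a fallback. I would add `// pathContext chose 'host': evaluate with the host require and expose only a read-only view of the exports to the sandbox` above `const m = this.hostRequire(filename);`, since a future reader has to know that `vm.readonly(m)` wraps the values but any function in `m` still runs in the host realm. Whether `checkAccess` above the branch is meant to gate the host case as well is not visible here; the method's signature is outside the hunk.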

@@ -284,3 +301,9 @@

checkPath = (filename) => {
return checkedRootPaths.some(path => filename.startsWith(path));
return checkedRootPaths.some(path => {
if (!filename.startsWith(path)) return false;
const len = path.length;
if (filename.length === len) return true;
const sep = filename[len];
return sep === '/' || sep === pa.sep;
});
};
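Review bot: The new separator check assumes every entry of `checkedRootPaths` is stored without a trailing separator: for a root stored as `/srv/app/`, `filename[len]` is the first character of the child name, so every file beneath that root is now rejected although the 3.9.6 prefix test accepted it. checkedRootPaths is built outside the hunk, so how entries are normalised cannot be confirmed from here; if it is not guaranteed, either strip the trailing separator where the list is built or add after the equal-length check `const last = path[len - 1]; if (last === '/' || last === pa.sep) return true;`. A regression test that a root `/srv/app` rejects `/srv/app-other/x.js` and accepts `/srv/app/x.js` with either separator would pin the intended behaviour. The arrow is assigned inside resolverFromOptions, whose body lies outside the hunk.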

@@ -293,4 +316,12 @@ } else {

let externals = undefined;
let external = undefined;
if (customResolver) {
let externalCache;
newCustomResolver = (resolver, x, path, extList) => {
if (external && !(resolver.pathIsAbsolute(x) || resolver.pathIsRelative(x))) {
if (!externalCache) {
externalCache = external.map(ext => new RegExp(makeExternalMatcherRegex(ext)));
}
if (!externalCache.some(regex => regex.test(x))) return undefined;
}
const resolved = customResolver(x, path);

@@ -307,3 +338,2 @@ if (!resolved) return undefined;

let external;
let transitive = false;

@@ -317,10 +347,5 @@ if (Array.isArray(externalOpt)) {

externals = external.map(makeExternalMatcher);
if (transitive) return new TransitiveResolver(builtins, checkPath, [], () => context, newCustomResolver, hostRequire, compiler, externals);
const nextCheckPath = checkPath;
checkPath = (filename) => {
return nextCheckPath(filename) && externals.some(regex => regex.test(filename));
};
return new DefaultResolver(builtins, checkPath, [], () => context, newCustomResolver, hostRequire, compiler);
return new LegacyResolver(builtins, checkPath, [], () => context, newCustomResolver, hostRequire, compiler, externals, transitive);
}
exports.resolverFromOptions = resolverFromOptions;

@@ -511,3 +511,3 @@ 'use strict';

if (!res) return undefined;
const scope = this.pathConcat(dir, res[0]);
const scope = this.pathConcat(dir, res[1]);
const pack = this.readPackage(scope);

@@ -520,3 +520,3 @@ if (!pack) return undefined;

// `package.json` "exports", ["node", "require"]) defined in the ESM resolver.
const match = this.packageExportsResolve(scope, '.' + res[1], pack.exports, ['node', 'require'], extList);
const match = this.packageExportsResolve(scope, '.' + (res[2] || ''), pack.exports, ['node', 'require'], extList);
// 6. RESOLVE_ESM_MATCH(MATCH)

@@ -782,3 +782,3 @@ return this.resolveEsmMatch(match, x, extList);

// 1. If p equals "default" or conditions contains an entry for p, then
if (p === 'default' || conditions.contains(p)) {
if (p === 'default' || conditions.includes(p)) {
// a. Let targetValue be the value of the p property in target.

@@ -785,0 +785,0 @@ const targetValue = target[p];
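Review bot: `this.pathConcat(dir, res[1])` and `'.' + (res[2] || '')` repair capture-group indices that were off by one, and `conditions.contains` → `conditions.includes` means the conditional-exports branch threw a TypeError before, so neither path was exercised by a test. Destructuring the match once, `const [, scopeName, subpath] = res;` and then `const scope = this.pathConcat(dir, scopeName);` with `'.' + (subpath || '')`, would make the next edit to that regex fail visibly instead of shifting silently, and a regression test that requires a package with an `exports` map through the sandbox would pin both fixes. The regex that produces `res` and the enclosing method are outside the hunks.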

@@ -16,3 +16,3 @@ {

],
"version": "3.9.6",
"version": "3.9.7",
"main": "index.js",

@@ -19,0 +19,0 @@ "sideEffects": false,

@@ -380,2 +380,5 @@ # vm2 [![NPM Version][npm-image]][npm-url] [![NPM Downloads][downloads-image]][downloads-url] [![Package Quality][quality-image]][quality-url] [![Node.js CI](https://github.com/patriksimek/vm2/actions/workflows/node-test.yml/badge.svg)](https://github.com/patriksimek/vm2/actions/workflows/node-test.yml) [![Known Vulnerabilities][snyk-image]][snyk-url]

* It is not possible to define a class that extends a proxied class.
* Direct eval does not work.
* Logging sandbox arrays will repeat the array part in the properties.
* Source code transformations can result a different source string for a function.

@@ -382,0 +385,0 @@ ## Deployment
