Resurrection

[patriksimek]

This PR brings the security patches from various community forks back into the core.

The update is fully backward-compatible, all the way back to Node 6.

The motivation behind this work is the library’s enormous adoption - even two years after its deprecation.

With this patch, the digital world should be a slightly safer place 🌍

[Copilot]

Pull Request Overview

This PR restores the vm2 library by incorporating security patches from community forks, making it production-ready again. The update maintains backward compatibility with Node.js 6+ while adding modern features and fixing critical security vulnerabilities.

Key changes:

• Security patches applied across the codebase to prevent sandbox escapes
• Added TypeScript compiler support alongside existing CoffeeScript support
• Updated testing infrastructure to support both modern and legacy Node.js versions (6+)

Reviewed Changes

Copilot reviewed 24 out of 27 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
test/vm.js	Added conditional test execution helper, updated Node version checks, and expanded security vulnerability test coverage
test/nodevm.js	Added conditional test helper, replaced mocha with acorn in tests, and improved test compatibility
test/compilers.js	New test file for TypeScript and CoffeeScript compiler functionality
scripts/legacy-test-runner.js	New custom test runner for Node.js versions < 16 that lack modern test framework support
package.json	Updated dependencies, changed Node.js requirement from >=18 to >=6, added files whitelist, and new test scripts
lib/vm.js	Added compilerOptions parameter support
lib/script.js	Added compilerOptions property to VMScript
lib/nodevm.js	Added automatic compiler detection based on file extension (.ts, .cs)
lib/compiler.js	Added TypeScript compiler support, updated CoffeeScript compiler to accept options
lib/bridge.js	Added href property check for Node.js 22 compatibility
eslint.config.mjs	New ESLint configuration using flat config format
README.md	Complete rewrite removing deprecation notice, updating examples to ES modules, and documenting TypeScript support
LICENSE.md	Updated copyright year to 2025
CHANGELOG.md	Removed previous changelog entries
.travis.yml	Removed Travis CI configuration
.prettierrc	Added Prettier configuration
.npmignore	Removed file (replaced by files field in package.json)
.github/workflows/test.yml	New GitHub Actions workflow supporting Node.js 8-22
.github/workflows/node-test.yml	Removed old GitHub Actions workflow
.github/workflows/deploy-npm.yml	New npm publishing workflow
.github/stale.yml	Removed stale bot configuration
.eslintrc.js	Removed old ESLint configuration
.eslintignore	Removed ESLint ignore file
.editorconfig	Removed EditorConfig file

Comments suppressed due to low confidence (1)

README.md:1

• Corrected spelling of 'propert' to 'property' in the regex pattern.

# vm2 [![NPM Version][npm-image]][npm-url] [![NPM Downloads][downloads-image]][downloads-url] [![License][license-image]][license-url] [![Node.js CI](https://github.com/patriksimek/vm2/actions/workflows/test.yml/badge.svg)](https://github.com/patriksimek/vm2/actions/workflows/test.yml) [![Known Vulnerabilities][snyk-image]][snyk-url]

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.