From 7090819752dc4623b09d695179a222abbaac0953 Mon Sep 17 00:00:00 2001
From: mike12345567
Date: Wed, 11 Oct 2023 18:43:25 +0100
Subject: [PATCH 1/2] Updating version of VM2 to ^3.9.19 - due to possible RCE issue with Promises (we do not allow async code, but there still could be a risk).
---
 packages/server/package.json | 2 +-
 packages/string-templates/package.json | 2 +-
 yarn.lock | 10 +++++++++-
 3 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/packages/server/package.json b/packages/server/package.json
index bb9a80f721..f66e9346e1 100644
--- a/packages/server/package.json
+++ b/packages/server/package.json
@@ -111,7 +111,7 @@
 "to-json-schema": "0.2.5",
 "uuid": "3.3.2",
 "validate.js": "0.13.1",
- "vm2": "3.9.17",
+ "vm2": "^3.9.19",
 "worker-farm": "1.7.0",
 "xml2js": "0.5.0",
 "yargs": "13.2.4"
diff --git a/packages/string-templates/package.json b/packages/string-templates/package.json
index 6780840ed3..d9f56442a0 100644
--- a/packages/string-templates/package.json
+++ b/packages/string-templates/package.json
@@ -29,7 +29,7 @@
 "dayjs": "^1.10.8",
 "handlebars": "^4.7.6",
 "lodash": "^4.17.20",
- "vm2": "^3.9.15"
+ "vm2": "^3.9.19"
 },
 "devDependencies": {
 "@rollup/plugin-commonjs": "^17.1.0",
diff --git a/yarn.lock b/yarn.lock
index d8e1d41d56..a528ffa0bc 100644
--- a/yarn.lock
+++ b/yarn.lock
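Review bot: The packages/server/package.json hunk moves vm2 from an exact pin (`3.9.17`) to a caret range (`^3.9.19`) while every neighbouring dependency in the same hunk (`uuid`, `validate.js`, `worker-farm`, `xml2js`, `yargs`) stays pinned exactly; for a sandboxing library whose every recent upgrade has been security-driven, the exact form `"vm2": "3.9.19",` keeps the file's convention and states the reviewed version in the manifest instead of leaving it to whatever the lockfile resolves. As far as I know 3.9.19 was also vm2's final release, the project having been discontinued shortly afterwards with an upstream notice that it should not be used in production, so the caret range buys no future fixes and the commit message's "there still could be a risk" remains the operative caveat; please confirm that against the upstream repository. If it holds, this bump should be paired with a tracked item to move the server's template sandbox off vm2 (the upstream notice points at V8-isolate based alternatives), since no further patch release will close the remaining escape classes.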
@@ -21750,7 +21750,15 @@ vlq@^0.2.2:
 resolved "https://registry.yarnpkg.com/vlq/-/vlq-0.2.3.tgz#8f3e4328cf63b1540c0d67e1b2778386f8975b26"
 integrity sha512-DRibZL6DsNhIgYQ+wNdWDL2SL3bKPlVrRiBqV5yuMm++op8W4kGFtaQfCs4KEJn0wBZcHVHJ3eoywX8983k1ow==
 
-vm2@3.9.17, vm2@^3.9.15, vm2@^3.9.8:
+vm2@^3.9.19:
+ version "3.9.19"
+ resolved "https://registry.yarnpkg.com/vm2/-/vm2-3.9.19.tgz#be1e1d7a106122c6c492b4d51c2e8b93d3ed6a4a"
+ integrity sha512-J637XF0DHDMV57R6JyVsTak7nIL8gy5KH4r1HiwWLf/4GBbb5MKL5y7LpmF4A8E2nR6XmzpmMFQ7V7ppPTmUQg==
+ dependencies:
+ acorn "^8.7.0"
+ acorn-walk "^8.2.0"
+
+vm2@^3.9.8:
 version "3.9.17"
 resolved "https://registry.yarnpkg.com/vm2/-/vm2-3.9.17.tgz#251b165ff8a0e034942b5181057305e39570aeab"
 integrity sha512-AqwtCnZ/ERcX+AVj9vUsphY56YANXxRuqMb7GsDtAr0m0PcQX3u0Aj3KWiXM0YAHy7i6JEeHrwOnwXbGYgRpAw==
From f958832e86b057b9a8a29e77b176aca0062a082a Mon Sep 17 00:00:00 2001
From: mike12345567
Date: Wed, 11 Oct 2023 18:48:04 +0100
Subject: [PATCH 2/2] Removing dupe vm2
---
 yarn.lock | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/yarn.lock b/yarn.lock
index a528ffa0bc..81c2815663 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -21758,14 +21758,6 @@ vm2@^3.9.19:
 acorn "^8.7.0"
 acorn-walk "^8.2.0"
 
-vm2@^3.9.8:
- version "3.9.17"
- resolved "https://registry.yarnpkg.com/vm2/-/vm2-3.9.17.tgz#251b165ff8a0e034942b5181057305e39570aeab"
- integrity sha512-AqwtCnZ/ERcX+AVj9vUsphY56YANXxRuqMb7GsDtAr0m0PcQX3u0Aj3KWiXM0YAHy7i6JEeHrwOnwXbGYgRpAw==
- dependencies:
- acorn "^8.7.0"
- acorn-walk "^8.2.0"
-
 vuvuzela@1.0.3:
 version "1.0.3"
 resolved "https://registry.yarnpkg.com/vuvuzela/-/vuvuzela-1.0.3.tgz#3be145e58271c73ca55279dd851f12a682114b0b"
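Review bot: Deleting the `vm2@^3.9.8:` entry outright in the second patch leaves that range with no resolution in yarn.lock, yet the first patch's hunk shows `^3.9.8` came from a third requester besides the two package.json ranges changed here (the old merged key was `vm2@3.9.17, vm2@^3.9.15, vm2@^3.9.8:`). Unless that dependent was removed elsewhere in the PR, which I cannot see from here, the next unfrozen `yarn install` would re-resolve it on its own and a `--frozen-lockfile` install would likely fail, so the transitive consumer is not actually covered by the security bump. Because 3.9.19 satisfies `^3.9.8`, the dedupe that keeps a single copy is to fold the range into the surviving entry by changing its key to `vm2@^3.9.19, vm2@^3.9.8:` rather than dropping the block. This hunk is the whole of the second patch's diff, so nothing outside it compensates.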