Updating version of VM2 to ^3.9.19 - due to possible RCE issue with Promises (we do not allow async code, but there still could be a risk).

packages/server/package.json

@@ -111,7 +111,7 @@
     "to-json-schema": "0.2.5",
     "uuid": "3.3.2",
     "validate.js": "0.13.1",
-    "vm2": "3.9.17",
+    "vm2": "^3.9.19",
     "worker-farm": "1.7.0",
     "xml2js": "0.5.0",
     "yargs": "13.2.4"

packages/string-templates/package.json

@@ -29,7 +29,7 @@
     "dayjs": "^1.10.8",
     "handlebars": "^4.7.6",
     "lodash": "^4.17.20",
-    "vm2": "^3.9.15"
+    "vm2": "^3.9.19"
   },
   "devDependencies": {
     "@rollup/plugin-commonjs": "^17.1.0",

yarn.lock

@@ -21750,7 +21750,15 @@ vlq@^0.2.2:
   resolved "https://registry.yarnpkg.com/vlq/-/vlq-0.2.3.tgz#8f3e4328cf63b1540c0d67e1b2778386f8975b26"
   integrity sha512-DRibZL6DsNhIgYQ+wNdWDL2SL3bKPlVrRiBqV5yuMm++op8W4kGFtaQfCs4KEJn0wBZcHVHJ3eoywX8983k1ow==
 
-vm2@3.9.17, vm2@^3.9.15, vm2@^3.9.8:
+vm2@^3.9.19:
+  version "3.9.19"
+  resolved "https://registry.yarnpkg.com/vm2/-/vm2-3.9.19.tgz#be1e1d7a106122c6c492b4d51c2e8b93d3ed6a4a"
+  integrity sha512-J637XF0DHDMV57R6JyVsTak7nIL8gy5KH4r1HiwWLf/4GBbb5MKL5y7LpmF4A8E2nR6XmzpmMFQ7V7ppPTmUQg==
+  dependencies:
+    acorn "^8.7.0"
+    acorn-walk "^8.2.0"
+
+vm2@^3.9.8:
   version "3.9.17"
   resolved "https://registry.yarnpkg.com/vm2/-/vm2-3.9.17.tgz#251b165ff8a0e034942b5181057305e39570aeab"
   integrity sha512-AqwtCnZ/ERcX+AVj9vUsphY56YANXxRuqMb7GsDtAr0m0PcQX3u0Aj3KWiXM0YAHy7i6JEeHrwOnwXbGYgRpAw==