fix: update package.json to patch 9.8 CVSS Critical vulnerability

[0x4248]

Fixes: 9.8 CVSS Critical vulnerability

Bump vm2 version in package.json

Please see:
https://security.snyk.io/vuln/SNYK-JS-VM2-5422057
patriksimek/vm2#516
GHSA-xj72-wvfv-8985
https://github.com/patriksimek/vm2/releases/tag/3.9.16

[vercel]

@awesomelewis2007 is attempting to deploy a commit to the Supaglue Team on Vercel.

A member of the Team first needs to authorize it.

[0x4248]

Notes from leesh3288 From here

Sandbox Escape in vm2@3.9.15

Summary

There exists a vulnerability in source code transformer (exception sanitization logic) of vm2 for versions up to 3.9.15, allowing attackers to bypass handleException() and leak unsanitized host exceptions which can be used to escape the sandbox and run arbitrary code in host context.

Proof of Concept

const {VM} = require("vm2");
const vm = new VM();

const code = `
aVM2_INTERNAL_TMPNAME = {};
function stack() {
   new Error().stack;
   stack();
}
try {
   stack();
} catch (a$tmpname) {
   a$tmpname.constructor.constructor('return process')().mainModule.require('child_process').execSync('touch pwned');
}
`

console.log(vm.run(code));

Analysis

As host exceptions may leak host objects into the sandbox, code is preprocessed with transformer() (lib/transformer.js:49) in order to instrument the code with sanitizer function calls (lib/transformer.js:108).

Identifier name of catch clause is interpolated into insertions as code (lib/transformer.js:137) to sanitize caught exception, possibly a host exception.

This is subsequently post-processed to replace $tmpname with the string value in tmpname (originally VM2_INTERNAL_TMPNAME) for ObjectPattern case >sanitization code (lib/transformer.js:189), which in turn allows an attacker to
bypass handleException() with identifiers containing the string $tmpname.

An attacker may then use any method to raise a host exception (test/vm.js:1082) for
example, via internal prepareStackTrace) and use it to access host Function constructor, escaping the sandbox and gaining arbitrary code execution in
host context.

Impact

Remote Code Execution, assuming the attacker has arbitrary code execution primitive inside the context of vm2 sandbox.

Credits

Xion (SeungHyun Lee) of KAIST Hacking Lab

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
management-ui	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	May 16, 2023 5:48pm
supaglue-docs	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	May 16, 2023 5:48pm

[lucasmarshall]

Thank you for this pull request, @awesomelewis2007! We will land it as soon as CI succeeds. Disturbing that this was not caught by Dependabot, especially since the CVE is a month old...

[0x4248]

Thank you for this pull request, @awesomelewis2007! We will land it as soon as CI succeeds. Disturbing that this was not caught by Dependabot, especially since the CVE is a month old...

Yes im seeing quite a few repository's not fixing this CVE