Bump vm2 to resolve critical CVE
ZackKanter opened this issue · comments
There's a Dependabot PR open for bumping vm2 from 3.9.17 to 3.9.18. This would resolve the critical CVE in vm2 3.9.17 that currently affects this repo. It would be great to get this merged ASAP.
Ah, I see that the release 23.1 branch removes vm2 altogether.
Hi Zack,
Thanks for pointing that out.
Yes, we are in the process of releasing a new version that removes vm2 completely. It will be ready soon.
Regards
Hi again,
We have just released version 1.7.3 on npm. Please check it out.
This version removes the vm2 dependency entirely, so the CVE no longer applies to it.
Regards.
This worked as expected – thank you!