patriksimek/vm2

v3.10.0 introduced a breaking change

Open

#543 opened on Nov 4, 2025

View on GitHub
 (1 comment) (0 reactions) (0 assignees)JavaScript (3,798 stars) (285 forks)batch import
bugconfirmedhelp wanted

Description

With our use case we use webpack to bundle code into a single script. This happens with any package that uses inherits or the nodejs util.inherits.

With https://github.com/patriksimek/vm2/pull/540 this broke usage of these packages and it will result in this line throwing https://github.com/patriksimek/vm2/blob/main/lib/setup-sandbox.js#L561.

I am unsure if this change is for security reasons as the PR doesn't go into details.

Here is a minimal script to reproduce the error:

const script = `
const util = require('util');
const EventEmitter = require('events');

function MyStream() {
  console.log("This is sha1");
}

util.inherits(MyStream, EventEmitter);
`;

const vmScript = new VMScript(script);
const vm = new NodeVM({
console: 'inherit',
require: {
  builtin: ['util', 'events'],
},
});
vm.run(vmScript);

Contributor guide

Tech stack
javascriptnodejs
Domain
backendsecurity
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-2 days
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
needs maintainer response
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
Node.js basicsvm2 package knowledge
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
50
Research direction
Investigate PR #540 that introduced the breaking change. Check the code in lib/setup sandbox.js line 561 to understand the error. Determine if the change is intended for security reasons and if so, find a way to allow inherits usage while maintaining security. Consider alternatives like patching the inherits function.