chore(dev-deps): update vm2 to 3.10.4 to fix CVE-2026-22709

[Copilot]

vm2 3.10.0 has a critical sandbox escape via unsanitized Promise callbacks (CVE-2026-22709, CVSS 9.8).

• Bumped vm2 devDependency from ^3.9.18 → ^3.10.4 (lockfile was pinned to vulnerable 3.10.0)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Security Vulnerability in your devDependencies (vm2)</issue_title>
<issue_description>Security Vulnerability Alert for the verson of vm2 found in your devDependencies:

On 25 Jan 26, a GitHub project maintainer shared a critical flaw found in vm2, a popular NodeJS sandbox library.1 The vulnerability, tracked as CVE-2026-22709 (CVSS v3.1 score 9.8), arises from vm2’s failure to properly sandbox ‘Promises,’ the callback sanitization component that handles asynchronous operations, and could allow an attacker to escape the sandbox and run untrusted JavaScript code.2
(U) CVE-2026-22709 affects vm2 version 3.10.0, and has been fixed in versions 3.10.1, 3.10.2, and 3.10.3. Users are recommended to update to version 3.10.3, as it contains a more secure patch to avoid a potential bypass. As of 30 Jan 26, there is no evidence of active exploitation.

Please fix this.</issue_description>

<agent_instructions>Update vm2 dependency to the latest version and make sure tests are passing.</agent_instructions>

Comments on the Issue (you are @copilot in this section)

• Fixes Security Vulnerability in your devDependencies (vm2) #565

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	vm2@​3.10.0 ⏵ 3.10.4	-1	+75	+1	+3

View full report

[github-actions]

🎉 This PR is included in version 1.4.0 🎉

The release is available on:

• npm package (@latest dist-tag)
• GitHub release

Your semantic-release bot 📦🚀