Formio-Enterprise 9.0.0 and PDF 5.5.2 Release Notes Thumbnail

We are pleased to announce the release of Formio-Enterprise version 9.0.0 containing the following changes: 

  • Critical CVE resolved with dependency library VM2 via the replacement of VM2 with Isolated VM 
  • New Submission Data Processing / Validation system implemented
  • Formio-Enterprise updated to Node 20 

Please see important notes, technical details and breaking changes regarding this release and how it pertains to our self-hosted customers: 

Upgrade Notes: 

While there are several major changes with the 9.0.0 release, one of the primary goals for this release is to maintain an easy upgrade path from 8.x versions. There are several important points that have been implemented with the 9.0.0 release to ensure that the migration from 8.0.0 is a quick and easy transition. Please see documentation here about the Upgrade path from 8.x to 9.0.0. 

In 9.0.0, there are no database upgrade scripts or schema changes

With the 9.0.0 release, there are no schema changes or upgrade scripts that will be performed on deployments during an upgrade from 8.x to 9.0.0

In 9.0.0, there are no major Developer Portal, Formio.js Renderer, or Form Builder changes

We encourage the upgrade to 9.0.0 to take advantage of the security enhancements and CVE resolutions as soon as possible. To enable an easy upgrade path, the first 9.0.0 version contains only the necessary upgrades to dependencies and libraries, and is without any major changes to the Developer Portal Application, Formio.js Renderer, or Form Builder since 8.x.

Details on Changes in 9.0.0

Most of the changes for 9.0.0 pertain to security updates, performance improvements, major library dependency and runtime upgrades. The following is a detailed list of all major changes that have been made for the 9.0.0 release:

VM2 replaced with Isolated-VM

One of the instigating motivations to releasing a new major version was the recent deprecation of the heavily depended on library VM2. VM2 was relied upon for proper sandbox execution of any server-side JavaScript evaluations that would occur within a number of Form features. The following server-side evaluations were previously executed within the VM2 runtime: 

  • Form Component:  Calculated Values w/ “Calculate on Server” enabled
  • Form Component:  Custom Default Values
  • Form Component:  Advanced Logic w/ Custom triggers or actions
  • Form Component:  Custom Conditionals
  • Form Component:  Custom Validations
  • Form Component:  Select Available Items Validation
  • Form Actions: Email Action template rendering
  • Form Actions: Save Submission Transform
  • Form Actions: Custom Action Conditions
  • Form Actions: Webhook Action Transforms
  • Project Settings: Token Parse
  • Project Settings: Form Module

Each of these systems rely on a secure JavaScript evaluation context to securely execute javascript within a sandboxed environment. Due to VM2 being deprecated, Isolated VM was selected to replace this library:  

The replacement of VM2 with Isolated VM required a refactor of the Server Side data processing system. Previously, the Javascript renderer, Formio.js, was leveraged as the mechanism to perform this validation within VM2, but this was no longer viable considering the level of protection surrounding evaluation contexts within Isolated VM.  

Therefore a new Submission Data Processing system was developed, which was released under the @formio/core library. The code behind this new system is Open Source and can be found @

Certain form and component instance methods are simulated in the new server side evaluation context, whereas certain methods have been disabled. Please see here for details on these methods. Should you require any of these methods specifically on the server side for submission processing, please contact with a use case and details for request for any “no-op” methods to be introduced in 9.x. 

New server validation runtime

Along with the new data processing system is a new validation runtime for every submission that is processed on the server. This system has been refactored to no longer use the full “formiojs” renderer on the server, but instead use a more dedicated data processing system provided by our core validation engine found @  We believe this change will improve performance as well as memory allocation when new submissions are sent to the server.

This validation system has consequently resolved several issues with custom validations in 8.x and it is possible that forms may have custom validations that did not execute in 8.x that now will execute as expected. This fix has the potential to cause forms that previously successfully submitted to not to submit in 9.x. 

Reverse compatibility is a top priority for this release. It is also imperative to thoroughly test form submission and data validations to ensure the validation processing works as expected before deploying 9.0.0 into a production environment.

Upgrade to Node v20

As part of the upgrade for dependencies and data processing, we are also moving to use the Node v20 runtime within the Docker containers that run our Enterprise deployments. Node v20 includes several performance and security improvements, which can be found in their release notes found @

Breaking Changes

  • Buttons now show up in submission object JSON

We are pleased to announce the release of Formio-Enterprise 9.0.0 and PDF Server 5.5.2 on

To track specific tickets within, please reference the:

Enterprise Change Log
Get Answers

Need More Answers?

Ask and we'll get back with you in 1 business day.

Contact Us

Send us a message to contact support or ask a question.

Schedule a meeting

Open Source Platform

Read our FAQ to find out what exactly is Open Source

View the Platform Documentation

View the API Documentation

View the Open Source Code

Learn More

Learn How It Works

Read the Release Notes

Discover Industries that use

Read our Blog