We are pleased to announce the release of Formio-Enterprise version 9.0.0 containing the following changes:
- Critical CVE in the dependency library VM2 resolved by replacing VM2 with Isolated VM
- New Submission Data Processing / Validation system implemented
- Formio-Enterprise updated to Node 20
Please see below for important notes, technical details and breaking changes regarding this release and how it pertains to our self-hosted customers:
Upgrade Notes:
While there are several major changes with the 9.0.0 release, one of the primary goals for this release is to maintain an easy upgrade path from 8.x versions. There are several important points that have been implemented with the 9.0.0 release to ensure that the migration from 8.0.0 is a quick and easy transition. Please see documentation here about the Upgrade path from 8.x to 9.0.0.
In 9.0.0, there are no database upgrade scripts or schema changes
With the 9.0.0 release, no schema changes or upgrade scripts will be run against deployments during an upgrade from 8.x to 9.0.0.
In 9.0.0, there are no major Developer Portal, Formio.js Renderer, or Form Builder changes
We encourage the upgrade to 9.0.0 to take advantage of the security enhancements and CVE resolutions as soon as possible. To enable an easy upgrade path, the first 9.0.0 version contains only the necessary upgrades to dependencies and libraries, and is without any major changes to the Developer Portal Application, Formio.js Renderer, or Form Builder since 8.x.
Details on Changes in 9.0.0
Most of the changes for 9.0.0 pertain to security updates, performance improvements, and major library dependency and runtime upgrades. The following is a detailed list of all major changes that have been made for the 9.0.0 release:
VM2 replaced with Isolated-VM
One of the motivating factors for releasing a new major version was the recent deprecation of VM2 (https://github.com/patriksimek/vm2), a library the server depended on heavily. VM2 was relied upon for sandboxed execution of any server-side JavaScript evaluation that occurs within a number of Form features. The following server-side evaluations were previously executed within the VM2 runtime:
- Form Component: Calculated Values w/ “Calculate on Server” enabled
- Form Component: Custom Default Values
- Form Component: Advanced Logic w/ Custom triggers or actions
- Form Component: Custom Conditionals
- Form Component: Custom Validations
- Form Component: Select Available Items Validation
- Form Actions: Email Action template rendering
- Form Actions: Save Submission Transform
- Form Actions: Custom Action Conditions
- Form Actions: Webhook Action Transforms
- Project Settings: Token Parse
- Project Settings: Form Module
Each of these systems relies on a sandboxed JavaScript evaluation context so that the script runs isolated from the server process. Because VM2 has been deprecated, Isolated VM was selected to replace it: https://github.com/laverdet/isolated-vm.
The replacement of VM2 with Isolated VM required a refactor of the Form.io server-side data processing system. Previously, the JavaScript renderer, Formio.js, was used to perform this validation within VM2, but that was no longer viable given the level of protection surrounding evaluation contexts within Isolated VM.
Therefore, a new Submission Data Processing system was developed and released under the @formio/core library. The code behind this new system is open source and can be found at https://github.com/formio/core/tree/master/src/process
Certain form and component instance methods are simulated in the new server-side evaluation context, whereas others have been disabled. Please see here for details on these methods. Should you require any of these methods specifically on the server side for submission processing, please contact support@form.io with a use case and details, to request that any “no-op” methods be introduced in 9.x.
New server validation runtime
Along with the new data processing system is a new validation runtime for every submission that is processed on the server. This system has been refactored to no longer use the full “formiojs” renderer on the server, but instead a more dedicated data processing system provided by our core validation engine, found at https://github.com/formio/core/tree/master/src/process/validation. We believe this change will improve performance as well as memory usage when new submissions are sent to the server.
This validation system has consequently resolved several issues with custom validations in 8.x, and it is possible that forms contain custom validations that did not execute in 8.x but now execute as expected. This fix has the potential to cause forms that previously submitted successfully to fail to submit in 9.x.
Backward compatibility is a top priority for this release. It is nonetheless imperative to thoroughly test form submission and data validation to ensure validation processing works as expected before deploying 9.0.0 into a production environment.
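One way to do that testing systematically is to replay a corpus of captured submissions against the existing 8.x deployment and a 9.0.0 staging deployment and diff the outcomes, so that submissions which 8.x accepted and 9.x now rejects (or the reverse) surface before go-live. The following is an added example, not Form.io's own tooling. It assumes the REST shape `POST {baseUrl}/{formPath}/submission` with an `x-token` API-key header, and that validation failures come back as HTTP 400 with a body like `{ name: 'ValidationError', details: [{ path, message }] }`; the environment objects, the sample corpus and the fake transport are constructed so the script runs offline.

```javascript
// Added example (not Form.io's own tooling): replay captured submissions against two
// deployments and report submissions whose validation outcome changed.

function isAccepted(result) {
  return result.status >= 200 && result.status < 300;
}

// Normalise one HTTP response into a comparable outcome (status plus sorted error strings).
async function postSubmission(env, formPath, data, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(`${env.baseUrl}/${formPath}/submission`, {
    method: 'POST',
    headers: { 'content-type': 'application/json', 'x-token': env.apiKey },
    body: JSON.stringify({ data }),
  });
  let body = {};
  try { body = await res.json(); } catch (e) { /* non-JSON body, e.g. an HTML error page */ }
  const details = Array.isArray(body.details) ? body.details : [];
  return { status: res.status, errors: details.map((d) => `${d.path}: ${d.message}`).sort() };
}

// Pure comparison of per-submission outcomes; this is the part worth asserting on.
function diffOutcomes(corpus, oldResults, newResults) {
  const report = { nowRejected: [], nowAccepted: [], messagesChanged: [], unchanged: 0 };
  corpus.forEach((item, i) => {
    const before = oldResults[i];
    const after = newResults[i];
    if (isAccepted(before) && !isAccepted(after)) {
      // 8.x accepted, 9.x rejects: typically a custom validation that never ran on 8.x.
      report.nowRejected.push({ id: item.id, errors: after.errors });
    } else if (!isAccepted(before) && isAccepted(after)) {
      // 8.x rejected, 9.x accepts: a validation that stopped firing; investigate before go-live.
      report.nowAccepted.push({ id: item.id, previousErrors: before.errors });
    } else if (before.errors.join('|') !== after.errors.join('|')) {
      report.messagesChanged.push({ id: item.id, previousErrors: before.errors, errors: after.errors });
    } else {
      report.unchanged += 1;
    }
  });
  return report;
}

async function replay(corpus, formPath, oldEnv, newEnv, fetchImpl) {
  const oldResults = [];
  const newResults = [];
  for (const item of corpus) {
    oldResults.push(await postSubmission(oldEnv, formPath, item.data, fetchImpl));
    newResults.push(await postSubmission(newEnv, formPath, item.data, fetchImpl));
  }
  return diffOutcomes(corpus, oldResults, newResults);
}

// Constructed sample corpus and fake transport so the example runs offline: the "8.x" side
// never runs the age rule, the "9.0.0" side does. Swap in real environments to use it.
const SAMPLE_CORPUS = [
  { id: 'sub-1', data: { email: 'a@example.com', age: 34 } },
  { id: 'sub-2', data: { email: 'b@example.com', age: 16 } },
  { id: 'sub-3', data: { email: '', age: 40 } },
];

function makeFakeFetch() {
  return async (url, init) => {
    const { data } = JSON.parse(init.body);
    const details = [];
    if (!data.email) details.push({ path: 'email', message: 'Email is required' });
    if (url.startsWith('https://v9.') && data.age < 18) {
      details.push({ path: 'age', message: 'Must be at least 18' });
    }
    const status = details.length ? 400 : 201;
    const body = details.length ? { name: 'ValidationError', details } : { data };
    return { status, json: async () => body };
  };
}

// Placeholder environments (hypothetical hosts and keys).
const OLD_ENV = { baseUrl: 'https://v8.example.invalid', apiKey: 'PLACEHOLDER_API_KEY' };
const NEW_ENV = { baseUrl: 'https://v9.example.invalid', apiKey: 'PLACEHOLDER_API_KEY' };

replay(SAMPLE_CORPUS, 'signup', OLD_ENV, NEW_ENV, makeFakeFetch())
  .then((report) => console.log(JSON.stringify(report, null, 2)));
```

Run it against real environments by passing `globalThis.fetch` (Node 18+) instead of the fake and pointing `OLD_ENV`/`NEW_ENV` at the two deployments; use a form in a staging project, since every replayed submission is stored. The `nowRejected` list is where the page's warning materialises, and each entry carries the 9.x error messages needed to decide whether the custom validation is now behaving correctly or the form needs adjusting.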
Upgrade to Node v20
As part of the upgrade of dependencies and data processing, we are also moving to the Node v20 runtime within the Docker containers that run our Enterprise deployments. Node v20 includes several performance and security improvements, which are described in the release notes at https://nodejs.org/en/blog/announcements/v20-release-announce.
Breaking Changes
- Buttons now show up in submission object JSON