Hahaha! Your reply is almost the same as I can expect. However, it is reasonable. The security issue can not be just ignored due to code check tool. I can try to use "overrides" of NPM to upgrade vm2 directly. Maybe we could upgrade to Jsreport V3 as well later.
Thank you! Have a nice day! @jan_blaha
J