GHSA-cp6g-6699-wx9c: vm2 has a NodeVM require.root bypass via symlink traversal that allows sandbox escape
high
vulnerability
security
Summary
vm2's NodeVM sandbox has a critical flaw: path validation uses `path.resolve()`, which only normalizes the path string and does not follow symlinks (filesystem links that point to other files or folders), while actual module loading uses Node's native `require()`, which does follow them. An attacker can exploit this mismatch by creating symlinks inside the allowed root directory that point to restricted code outside it, bypassing sandbox restrictions and executing arbitrary code on the host system.
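The mismatch described above, as an added example that is not vm2's code or its patch: a lexical containment check built on `path.resolve()` next to a canonical one built on `fs.realpathSync()`, run against a constructed temporary directory. The helper names and the fixture layout are assumptions made for illustration.

```javascript
// Added illustration, not vm2 source; all helper names are hypothetical.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// True when `rel` (a path.relative() result) stays below the root.
const staysBelow = (rel) =>
  rel !== '' && rel !== '..' && !rel.startsWith('..' + path.sep) && !path.isAbsolute(rel);

// Lexical check: path.resolve() only normalizes the string; symlinks are not followed.
function isInsideLexical(root, candidate) {
  return staysBelow(path.relative(path.resolve(root), path.resolve(candidate)));
}

// Canonical check: realpathSync() follows symlinks on both sides, so the
// comparison is made on the file that require() would actually load.
function isInsideCanonical(root, candidate) {
  try {
    return staysBelow(path.relative(fs.realpathSync(root), fs.realpathSync(candidate)));
  } catch {
    return false; // missing or dangling path: fail closed
  }
}

// Constructed fixture: an allowed root holding one real module and one
// symlink whose target sits in a sibling directory outside the root.
function compareChecks() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'root-check-'));
  const root = path.join(base, 'allowed');
  const outside = path.join(base, 'outside');
  try {
    fs.mkdirSync(root);
    fs.mkdirSync(outside);
    fs.writeFileSync(path.join(root, 'ok.js'), 'module.exports = "inside";\n');
    fs.writeFileSync(path.join(outside, 'host.js'), 'module.exports = "outside";\n');
    fs.symlinkSync(path.join(outside, 'host.js'), path.join(root, 'link.js'));
    return {
      realFileLexical: isInsideLexical(root, path.join(root, 'ok.js')),
      realFileCanonical: isInsideCanonical(root, path.join(root, 'ok.js')),
      symlinkLexical: isInsideLexical(root, path.join(root, 'link.js')),
      symlinkCanonical: isInsideCanonical(root, path.join(root, 'link.js')),
    };
  } finally {
    fs.rmSync(base, { recursive: true, force: true });
  }
}
```

Both checks accept the real file, but only the canonical check rejects the symlink. A check-then-load sequence still leaves a race window if the root directory can be modified between the check and the load, so the allowed root should not be writable by untrusted code.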
Vulnerability Details
EPSS (30-day exploit probability)
EPSS: 0.0%
Patch Available
Yes
Disclosure Date
May 7, 2026
Classification
Attack Sophistication: Moderate
Affected Packages
vm2@= 3.10.5 (fixed: 3.11.0)
Original source: https://github.com/advisories/GHSA-cp6g-6699-wx9c
First tracked: May 7, 2026 at 02:00 AM