GHSA-947f-4v7f-x2v8: vm2 has a NodeVM builtin allowlist bypass via `module` builtin's `Module._load` that allows sandbox escape
Tags: critical · vulnerability · security
Summary
vm2's builtin allowlist (a list controlling which Node.js built-in modules sandboxed code can access) can be bypassed when the `module` builtin is allowed, including through the wildcard pattern `'*'`. The `module` builtin exposes Node's `Module._load()` function, which loads any module directly in the host context (the main system, not the sandbox), completely bypassing vm2's restrictions and allowing attackers to load forbidden modules like `child_process` and execute arbitrary commands on the host system.
Vulnerability Details
EPSS (30-day exploit probability)
EPSS: 0.0%
Patch Available
Yes
Disclosure Date
May 7, 2026
Classification
Attack Sophistication: Moderate
Affected Packages
vm2 <= 3.10.5 (fixed: 3.11.0)
Original source: https://github.com/advisories/GHSA-947f-4v7f-x2v8
First tracked: May 7, 2026 at 02:00 AM
Classified by LLM (prompt v3) · confidence: 95%