Script execution with imported library throws error "Error invoking remote method 'send-http-request': VMError: Native modules can be required only with context set to 'host'."

[shawtux]

I have checked the following:

• [X] I use the newest version of bruno.
• [X] I've searched existing issues and found nothing related to my issue.

Describe the bug

When trying to use an external lib to parse xml to json, I get the following error:

Error invoking remote method 'send-http-request': VMError: Native modules can be required only with context set to 'host'.

console.log(`Node version: ${process.version}`);
console.log(process.versions);
try {
const { xml2js } = require('xml2js');
}
 catch (error) {
  console.log(error.stack);
  throw error;
}

note: xml2js needs events and timer libs to be also installed for reference or

console.log(`Node version: ${process.version}`);
console.log(process.versions);
try {
const { xml2json} = require('xml2json');
}
 catch (error) {
  console.log(error.stack);
  throw error;
}

It doesnt matter the .bru i use, they all fail the same.

Stacktrace in developer window (changed the path to the collection (D:\Development\Bruno\xxxxx WS\xxxxx WS\node_modules)

VMError: Native modules can be required only with context set to 'host'.
    at CustomResolver.loadNode (C:\Users\marcos\AppData\Local\Programs\bruno\resources\app.asar\node_modules\@usebruno\vm2\lib\resolver.js:219:9)
    at CustomResolver.loadNode (C:\Users\marcos\AppData\Local\Programs\bruno\resources\app.asar\node_modules\@usebruno\vm2\lib\resolver-compat.js:69:67)
    at C:\Users\marcos\AppData\Local\Programs\bruno\resources\app.asar\node_modules\@usebruno\vm2\lib\resolver.js:84:14
    at VM2 Wrapper.apply (C:\Users\marcos\AppData\Local\Programs\bruno\resources\app.asar\node_modules\@usebruno\vm2\lib/bridge.js:485:11)
    at Module._extensions.<computed> (C:\Users\marcos\AppData\Local\Programs\bruno\resources\app.asar\node_modules\@usebruno\vm2\lib/setup-node-sandbox.js:150:48)
    at requireImpl (C:\Users\marcos\AppData\Local\Programs\bruno\resources\app.asar\node_modules\@usebruno\vm2\lib/setup-node-sandbox.js:123:3)
    at require (C:\Users\marcos\AppData\Local\Programs\bruno\resources\app.asar\node_modules\@usebruno\vm2\lib/setup-node-sandbox.js:171:10)
    at bindings (D:\Development\Bruno\xxxxx WS\xxxxx WS\node_modules\bindings\bindings.js:112:48)
    at D:\Development\Bruno\xxxxx WS\xxxxx WS\node_modules\node-expat\lib\node-expat.js:4:34
    at VM2 Wrapper.apply (C:\Users\marcos\AppData\Local\Programs\bruno\resources\app.asar\node_modules\@usebruno\vm2\lib\bridge.js:485:11)
    at NodeVM.run (C:\Users\marcos\AppData\Local\Programs\bruno\resources\app.asar\node_modules\@usebruno\vm2\lib\nodevm.js:497:23)
    at CustomResolver.loadJS (C:\Users\marcos\AppData\Local\Programs\bruno\resources\app.asar\node_modules\@usebruno\vm2\lib\resolver.js:210:6)
    at CustomResolver.loadJS (C:\Users\marcos\AppData\Local\Programs\bruno\resources\app.asar\node_modules\@usebruno\vm2\lib\resolver-compat.js:63:65)
    at C:\Users\marcos\AppData\Local\Programs\bruno\resources\app.asar\node_modules\@usebruno\vm2\lib\resolver.js:84:14
    at VM2 Wrapper.apply (C:\Users\marcos\AppData\Local\Programs\bruno\resources\app.asar\node_modules\@usebruno\vm2\lib/bridge.js:485:11)
    at Module._extensions.<computed> (C:\Users\marcos\AppData\Local\Programs\bruno\resources\app.asar\node_modules\@usebruno\vm2\lib/setup-node-sandbox.js:150:48)

package.json

{
  "dependencies": {
    "xml2js": "^0.6.2",
    "xml2json": "^0.12.0"
  },
  "name": "xxxxxx-ws",
  "version": "1.0.0",
  "main": "index.js",
  "keywords": [],
  "author": "",
  "license": "ISC",
  "description": ""
}

bruno.json

{
  "version": "1",
  "name": "xxxxxx WS",
  "type": "collection",
  "private": true,
  "scripts": {
    "moduleWhitelist": ["xml2js","xml2json"],
    "filesystemAccess": {
      "allow": true
    }
  }
}

.bru file to reproduce the bug

No response

Screenshots/Live demo link

[cdaringe]

I'd really like an insecure mode or something that bypasses the VM sandboxing. The sandboxing, while a great default, cripples our ability to do interesting stuff in req/response middlewares (pre/post) in node.js. I have a goofy build system to try and minimize node modules, but even so, my compiled scripts still make references to node:* imports, which don't work gracefully at with VMScripts.

import * as stream from 'node:stream`
import * as webStream from 'node:stream/web`

...even allow listed cause problemos.

Would the team be willing to offer an insecure mode that is support-warranty voiding?