import-in-the-middle 1.7.3 → 1.7.4

package/fix.patch

@@ -0,0 +1,52 @@
+From 5a9ae09d53e43a30709c7162fb351f3a57626f79 Mon Sep 17 00:00:00 2001
+From: Bryan English <bryan.english@datadoghq.com>
+Date: Fri, 21 Jul 2023 11:50:34 -0400
+Subject: [PATCH] sanitize URLs
+
+---
+ hook.js                          |  4 ++--
+ test/low-level/sanitized-url.mjs | 11 +++++++++++
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+ create mode 100644 test/low-level/sanitized-url.mjs
+
+diff --git a/hook.js b/hook.js
+index 884ee3a..3639fbf 100644
+--- a/hook.js
++++ b/hook.js
+@@ -122,7 +122,7 @@ function createHook (meta) {
+       return {
+         source: `
+ import { register } from '${iitmURL}'
+-import * as namespace from '${url}'
++import * as namespace from ${JSON.stringify(url)}
+ const set = {}
+ ${exportNames.map((n) => `
+ let $${n} = namespace.${n}
+@@ -132,7 +132,7 @@ set.${n} = (v) => {
+   return true
+ }
+ `).join('\n')}
+-register('${realUrl}', namespace, set, '${specifiers.get(realUrl)}')
++register(${JSON.stringify(realUrl)}, namespace, set, ${JSON.stringify(specifiers.get(realUrl))})
+ `
+       }
+     }
+diff --git a/test/low-level/sanitized-url.mjs b/test/low-level/sanitized-url.mjs
+new file mode 100644
+index 0000000..6fe5e81
+--- /dev/null
++++ b/test/low-level/sanitized-url.mjs
+@@ -0,0 +1,11 @@
++// Unless explicitly stated otherwise all files in this repository are licensed under the Apache 2.0 License.
++//
++// This product includes software developed at Datadog (https://www.datadoghq.com/). Copyright 2021 Datadog, Inc.
++
++import { addHook } from '../../index.js'
++
++addHook(() => {})
++
++;(async () => {
++  await import("../fixtures/something.mjs#*/'/*';eval('process.exit\x281\x29\x0A')")
++})()
+-- 
+2.39.0

package/hook.js

@@ -303,7 +303,8 @@ import { register } from '${iitmURL}'
 ${imports.join('\n')}
 
 const namespaces = [${namespaces.join(', ')}]
-const _ = {}
+// Mimic a Module object (https://tc39.es/ecma262/#sec-module-namespace-objects).
+const _ = Object.create(null, { [Symbol.toStringTag]: { value: 'Module' } })
 const set = {}
 
 const primary = namespaces.shift()

package/lib/get-esm-exports.js

@@ -1,7 +1,7 @@
 'use strict'
 
 const { Parser } = require('acorn')
-const { importAssertions } = require('acorn-import-assertions')
+const { importAssertions } = require('acorn-import-attributes')
 
 const acornOpts = {
   ecmaVersion: 'latest',

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "import-in-the-middle",
-  "version": "1.7.3",
+  "version": "1.7.4",
   "description": "Intercept imports in Node.js",
   "main": "index.js",
   "scripts": {
@@ -50,7 +50,7 @@
   },
   "dependencies": {
     "acorn": "^8.8.2",
-    "acorn-import-assertions": "^1.9.0",
+    "acorn-import-attributes": "^1.9.5",
     "cjs-module-lexer": "^1.2.2",
     "module-details-from-path": "^1.0.3"
   }

package/test/hook/module-toStringTag.mjs

@@ -0,0 +1,25 @@
+// Unless explicitly stated otherwise all files in this repository are licensed under the Apache 2.0 License.
+//
+// This product includes software developed at Datadog (https://www.datadoghq.com/). Copyright 2021 Datadog, Inc.
+
+import Hook from '../../index.js'
+import { foo as fooMjs } from '../fixtures/something.mjs'
+import { foo as fooJs } from '../fixtures/something.js'
+import { strictEqual, deepStrictEqual } from 'assert'
+
+let hookedExports
+
+Hook((exports, name) => {
+  hookedExports = exports
+})
+
+strictEqual(fooMjs, 42)
+strictEqual(fooJs, 42)
+
+strictEqual(hookedExports[Symbol.toStringTag], 'Module')
+deepStrictEqual(Object.getOwnPropertyDescriptor(hookedExports, Symbol.toStringTag), {
+  value: 'Module',
+  enumerable: false,
+  writable: false,
+  configurable: false
+})