refactor(common): Prevent JavaScript wrapping in eval

Replace wrapping dynamic import of ESM module in `eval` with load-esm.
2026-02-21 23:11:44 +00:00 · 2025-04-15 19:15:47 +02:00
parent a6bdfd16f4
commit 1e43fcb6d3
3 changed files with 24 additions and 3 deletions
--- a/package-lock.json
+++ b/package-lock.json
@@ -20,6 +20,7 @@
        "fast-safe-stringify": "2.1.1",
        "file-type": "20.4.1",
        "iterare": "1.2.1",
+        "load-esm": "^1.0.2",
        "object-hash": "3.0.0",
        "path-to-regexp": "8.2.0",
        "reflect-metadata": "0.2.2",
@@ -26929,6 +26930,25 @@
        "url": "https://github.com/chalk/wrap-ansi?sponsor=1"
      }
    },
+    "node_modules/load-esm": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/load-esm/-/load-esm-1.0.2.tgz",
+      "integrity": "sha512-nVAvWk/jeyrWyXEAs84mpQCYccxRqgKY4OznLuJhJCa0XsPSfdOIr2zvBZEj3IHEHbX97jjscKRRV539bW0Gpw==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/Borewit"
+        },
+        {
+          "type": "buymeacoffee",
+          "url": "https://buymeacoffee.com/borewit"
+        }
+      ],
+      "license": "MIT",
+      "engines": {
+        "node": ">=13.2.0"
+      }
+    },
    "node_modules/load-json-file": {
      "version": "4.0.0",
      "resolved": "https://registry.npmjs.org/load-json-file/-/load-json-file-4.0.0.tgz",
--- a/package.json
+++ b/package.json
@@ -69,6 +69,7 @@
    "fast-safe-stringify": "2.1.1",
    "file-type": "20.4.1",
    "iterare": "1.2.1",
+    "load-esm": "^1.0.2",
    "object-hash": "3.0.0",
    "path-to-regexp": "8.2.0",
    "reflect-metadata": "0.2.2",
--- a/packages/common/pipes/file/file-type.validator.ts
+++ b/packages/common/pipes/file/file-type.validator.ts
@@ -1,5 +1,6 @@
 import { FileValidator } from './file-validator.interface';
 import { IFile } from './interfaces';
+import { loadEsm } from 'load-esm';

 export type FileTypeValidatorOptions = {
  fileType: string | RegExp;
@@ -50,9 +51,8 @@ export class FileTypeValidator extends FileValidator<
    }

    try {
-      const { fileTypeFromBuffer } = (await eval(
-        'import ("file-type")',
-      )) as typeof import('file-type');
+      const { fileTypeFromBuffer } =
+        await loadEsm<typeof import('file-type')>('file-type');

      const fileType = await fileTypeFromBuffer(file.buffer);