-
Notifications
You must be signed in to change notification settings - Fork 30k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
esm: improve validation of resolved URLs #41446
esm: improve validation of resolved URLs #41446
Conversation
Review requested:
|
Windows test failures are due to a failed dependency install (unrelated to the change in this PR):
|
44fcfd3
to
ed970eb
Compare
So this has an effect of allowing sending any kind of object that can coerce to a string as the return value. I would prefer we didn't do this since it would make future changes to the API hard since virtually everything converts to a string. |
How would adding |
@JakobJingleheimer I'd agree it must turn into a URL compatible string, but anything could be that. For example a Buffer can do that. And I don't want a Buffer/SharedArrayBuffer to be able to do that. |
Would my proposal to restore the |
sure, checking both seems fine. I'm trying to think of cases where people would even want to return a non-URL?? Can't think of any off the top of my head so it seems fine |
They're currently required to return a url, no? |
@JakobJingleheimer yes, it currently is supposed to check for a stringified URL as a return |
@guybedford any thoughts, concerns, or objections? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Seems good to me, down to performance questions.
Landed in dbc6e39 |
PR-URL: #41446 Reviewed-By: Bradley Farias <[email protected]> Reviewed-By: Geoffrey Booth <[email protected]> Reviewed-By: Guy Bedford <[email protected]>
PR-URL: nodejs#41446 Reviewed-By: Bradley Farias <[email protected]> Reviewed-By: Geoffrey Booth <[email protected]> Reviewed-By: Guy Bedford <[email protected]>
PR-URL: #41446 Reviewed-By: Bradley Farias <[email protected]> Reviewed-By: Geoffrey Booth <[email protected]> Reviewed-By: Guy Bedford <[email protected]>
PR-URL: #41446 Reviewed-By: Bradley Farias <[email protected]> Reviewed-By: Geoffrey Booth <[email protected]> Reviewed-By: Guy Bedford <[email protected]>
Some ESM internals use type coercion on URL instances to get the href of the URL (ex
`${url}`
). This can result in'undefined'
, which bypasses the current simple "is a string" validation. When that is bypassed, the resulting thrown error is a red herring, pointing to completely unrelated code.Rather than merely switching those internals to use less errant alternatives, I think it's better to improve validation.
cc @nodejs/loaders @nodejs/modules