esm: protect ESM loader from prototype pollution
In a previous commit, the loader implementation was modified to be protected against most prototype pollution, but was kept vulnerable to Array.prototype
pollution. This commit fixes that, the tradeoff is that it modifies the ESMLoader.prototype.import
return type from an Array
to an array-like object.
FWIW I don't expect changing the return type of ESMLoader.prototype.import
to have any kind of unforeseen consequences, and I don't think it's exposed to user land in any way. //cc @nodejs/loaders