esm: protect ESM loader from prototype pollution
In a previous commit, the loader implementation was modified to be protected against most prototype pollution, but was kept vulnerable to Array.prototype pollution. This commit fixes that, the tradeoff is that it modifies the ESMLoader.prototype.import return type from an Array to an array-like object.
FWIW I don't expect changing the return type of ESMLoader.prototype.import to have any kind of unforeseen consequences, and I don't think it's exposed to user land in any way. //cc @nodejs/loaders