Merge pull request #14974 from Borewit/prevent-wrapping-javascript-in-eval

refactor(common): Prevent JavaScript being wrapped in `eval`

Author: kamilmysliwiec

package-lock.json

@@ -69,6 +69,7 @@
     "fast-safe-stringify": "2.1.1",
     "file-type": "20.4.1",
     "iterare": "1.2.1",
+    "load-esm": "^1.0.2",
     "object-hash": "3.0.0",
     "path-to-regexp": "8.2.0",
     "reflect-metadata": "0.2.2",

package.json

@@ -1,5 +1,6 @@
 import { FileValidator } from './file-validator.interface';
 import { IFile } from './interfaces';
+import { loadEsm } from 'load-esm';
 
 export type FileTypeValidatorOptions = {
   fileType: string | RegExp;
@@ -50,9 +51,8 @@ export class FileTypeValidator extends FileValidator<
     }
 
     try {
-      const { fileTypeFromBuffer } = (await eval(
-        'import ("file-type")',
-      )) as typeof import('file-type');
+      const { fileTypeFromBuffer } =
+        await loadEsm<typeof import('file-type')>('file-type');
 
       const fileType = await fileTypeFromBuffer(file.buffer);