Adds checks for URL schemes

arcanis · arcanis · commit 1b2ad80c0729 · 2026-03-18T10:32:04.000+01:00
diff --git a/lib/internal/modules/package_map.js b/lib/internal/modules/package_map.js
@@ -3,6 +3,7 @@
 const {
   JSONParse,
   ObjectEntries,
+  RegExpPrototypeExec,
   SafeMap,
   StringPrototypeIndexOf,
   StringPrototypeSlice,
@@ -11,6 +12,7 @@ const {
 const assert = require('internal/assert');
 const { getLazy } = require('internal/util');
 const { resolve: pathResolve, dirname } = require('path');
+const { fileURLToPath } = require('internal/url');
 
 const getPackageMapPath = getLazy(() =>
   require('internal/options').getOptionValue('--experimental-package-map'),
@@ -23,6 +25,8 @@ const {
   ERR_PACKAGE_MAP_KEY_NOT_FOUND,
 } = require('internal/errors').codes;
 
+const PROTOCOL_REGEXP = /^[a-zA-Z][a-zA-Z0-9+\-.]*:\/\//;
+
 // Singleton - initialized once on first call
 let packageMap;
 let packageMapPath;
@@ -73,7 +77,21 @@ class PackageMap {
         throw new ERR_PACKAGE_MAP_INVALID(this.#configPath, `package "${key}" is missing "path" field`);
       }
 
-      const absolutePath = pathResolve(this.#basePath, entry.path);
+      // Check for URL schemes in path
+      const urlSchemeMatch = RegExpPrototypeExec(PROTOCOL_REGEXP, entry.path);
+      let resolvedPath = entry.path;
+      if (urlSchemeMatch !== null) {
+        if (urlSchemeMatch[0] === 'file://') {
+          resolvedPath = fileURLToPath(entry.path);
+        } else {
+          throw new ERR_PACKAGE_MAP_INVALID(
+            this.#configPath,
+            `package "${key}" has unsupported URL scheme in path "${entry.path}"; only file:// URLs and plain paths are currently supported`,
+          );
+        }
+      }
+
+      const absolutePath = pathResolve(this.#basePath, resolvedPath);
 
       this.#packages.set(key, {
         path: absolutePath,
diff --git a/test/es-module/test-esm-package-map.mjs b/test/es-module/test-esm-package-map.mjs
@@ -1,11 +1,31 @@
 import { spawnPromisified } from '../common/index.mjs';
 import * as fixtures from '../common/fixtures.mjs';
+import tmpdir from '../common/tmpdir.js';
 import assert from 'node:assert';
+import { writeFileSync } from 'node:fs';
 import { execPath } from 'node:process';
 import { describe, it } from 'node:test';
+import { pathToFileURL } from 'node:url';
+
+tmpdir.refresh();
 
 const packageMapPath = fixtures.path('package-map/package-map.json');
 
+// Generated at runtime because file:// URLs must be absolute, making them machine-dependent.
+const fileUrlFixturePath = tmpdir.resolve('package-map-file-url.json');
+writeFileSync(fileUrlFixturePath, JSON.stringify({
+  packages: {
+    root: {
+      path: pathToFileURL(fixtures.path('package-map/root')).href,
+      dependencies: { 'dep-a': 'dep-a' },
+    },
+    'dep-a': {
+      path: pathToFileURL(fixtures.path('package-map/dep-a')).href,
+      dependencies: {},
+    },
+  },
+}));
+
 describe('ESM: --experimental-package-map', () => {
 
   // =========== Basic Resolution ===========
@@ -130,6 +150,32 @@ describe('ESM: --experimental-package-map', () => {
       assert.match(stderr, /not found/);
     });
 
+    it('throws ERR_PACKAGE_MAP_INVALID for unsupported URL scheme in path', async () => {
+      const { code, stderr } = await spawnPromisified(execPath, [
+        '--experimental-package-map',
+        fixtures.path('package-map/package-map-https-path.json'),
+        '--input-type=module',
+        '--eval', `import x from 'dep-a';`,
+      ], { cwd: fixtures.path('package-map/root') });
+
+      assert.notStrictEqual(code, 0);
+      assert.match(stderr, /ERR_PACKAGE_MAP_INVALID/);
+      assert.match(stderr, /unsupported URL scheme/);
+      assert.match(stderr, /https:\/\//);
+    });
+
+    it('accepts file:// URLs in path', async () => {
+      const { code, stdout, stderr } = await spawnPromisified(execPath, [
+        '--experimental-package-map', fileUrlFixturePath,
+        '--input-type=module',
+        '--eval',
+        `import dep from 'dep-a'; console.log(dep);`,
+      ], { cwd: fixtures.path('package-map/root') });
+
+      assert.strictEqual(code, 0, stderr);
+      assert.match(stdout, /dep-a-value/);
+    });
+
     it('throws ERR_PACKAGE_MAP_INVALID for duplicate package paths', async () => {
       const { code, stderr } = await spawnPromisified(execPath, [
         '--experimental-package-map',
diff --git a/test/fixtures/package-map/package-map-https-path.json b/test/fixtures/package-map/package-map-https-path.json
@@ -0,0 +1,12 @@
+{
+  "packages": {
+    "root": {
+      "path": "./root",
+      "dependencies": {"dep-a": "dep-a"}
+    },
+    "dep-a": {
+      "path": "https://example.com/dep-a",
+      "dependencies": {}
+    }
+  }
+}
diff --git a/test/parallel/test-require-package-map.js b/test/parallel/test-require-package-map.js
@@ -4,10 +4,30 @@ require('../common');
 const fixtures = require('../common/fixtures');
 const assert = require('node:assert');
 const { spawnSync } = require('node:child_process');
+const { writeFileSync } = require('node:fs');
 const { describe, it } = require('node:test');
+const { pathToFileURL } = require('node:url');
+const tmpdir = require('../common/tmpdir');
+
+tmpdir.refresh();
 
 const packageMapPath = fixtures.path('package-map/package-map.json');
 
+// Generated at runtime because file:// URLs must be absolute, making them machine-dependent.
+const fileUrlFixturePath = tmpdir.resolve('package-map-file-url.json');
+writeFileSync(fileUrlFixturePath, JSON.stringify({
+  packages: {
+    root: {
+      path: pathToFileURL(fixtures.path('package-map/root')).href,
+      dependencies: { 'dep-a': 'dep-a' },
+    },
+    'dep-a': {
+      path: pathToFileURL(fixtures.path('package-map/dep-a')).href,
+      dependencies: {},
+    },
+  },
+}));
+
 describe('CJS: --experimental-package-map', () => {
 
   describe('basic resolution', () => {
@@ -115,6 +135,37 @@ describe('CJS: --experimental-package-map', () => {
       assert.match(stderr, /ERR_PACKAGE_MAP_INVALID/);
     });
 
+    it('throws for unsupported URL scheme in path', () => {
+      const { status, stderr } = spawnSync(process.execPath, [
+        '--experimental-package-map',
+        fixtures.path('package-map/package-map-https-path.json'),
+        '-e',
+        `require('dep-a');`,
+      ], {
+        cwd: fixtures.path('package-map/root'),
+        encoding: 'utf8',
+      });
+
+      assert.notStrictEqual(status, 0);
+      assert.match(stderr, /ERR_PACKAGE_MAP_INVALID/);
+      assert.match(stderr, /unsupported URL scheme/);
+      assert.match(stderr, /https:\/\//);
+    });
+
+    it('accepts file:// URLs in path', () => {
+      const { status, stdout, stderr } = spawnSync(process.execPath, [
+        '--experimental-package-map', fileUrlFixturePath,
+        '-e',
+        `const dep = require('dep-a'); console.log(dep.default);`,
+      ], {
+        cwd: fixtures.path('package-map/root'),
+        encoding: 'utf8',
+      });
+
+      assert.strictEqual(status, 0, stderr);
+      assert.match(stdout, /dep-a-value/);
+    });
+
     it('throws for duplicate package paths', () => {
       const { status, stderr } = spawnSync(process.execPath, [
         '--experimental-package-map',
