[Bug]: interopRequireWildcard can trigger override mistake

[mhofman]

💻

• Would you like to work on a fix?

How are you using Babel?

Other (Next.js, Gatsby, vue-cli, ...)

Input code

import '@endo/init'
import chalk, { Chalk as ChalkClass } from "chalk@2.4.2";

REPL

Configuration file name

No response

Configuration

No response

Current and expected behavior

When copying props of module.exports to newObj, interopRequireWildcard may use a simple assignment =, which may trigger the override mistake for exported properties also present in Object.prototype if Object.prototype had previously been frozen.

In this case the chalk package used by @babel/code-frame and @babel/highlights in the latest 7.22.20 version of babel triggers this issue with its constructor export.

Environment

System:
OS: Linux 5.10 Debian GNU/Linux 11 (bullseye) 11 (bullseye)
Binaries:
Node: 18.17.0 - /usr/local/bin/node
Yarn: 1.22.5 - /usr/local/bin/yarn
npm: 9.8.1 - /usr/local/bin/npm
pnpm: 8.6.11 - /usr/local/share/npm-global/bin/pnpm
Monorepos:
Yarn Workspaces: 1.22.5
npmPackages:
eslint: ^8.36.0 => 8.50.0

Possible solution

In this case there may be different alternatives to avoid triggering the override mistake:

• make newObj with a null proto
• Use Object.defineProperty in all cases (not just for accessors)

Additional context

@nicolo-ribaudo will know the context :)

[babel-bot]

Hey @mhofman! We really appreciate you taking the time to report an issue. The collaborators on this project attempt to help as many people as possible, but we're a limited number of volunteers, so it's possible this won't be addressed swiftly.

If you need any help, or just have general Babel or JavaScript questions, we have a vibrant Slack community that typically always has someone willing to help. You can sign-up here for an invite.

[nicolo-ribaudo]

For context, the "override mistake" in this case is that if you freeze Object.prototype than you cannot do newObject["hasOwnProperty"] = 7 because, even if it would install the property on newObject and not on Object.prototype, that property has a writable: false descriptor.

Let's make newObject an object with __proto__: null, since that's how namespace imports should work in the first place.

[mhofman]

@nicolo-ribaudo thanks for implementing a fix for this issue. However as mentioned, the code triggering the override mistake was also published in @babel/code-frame and @babel/highlights v7.22.13, and while the v7.23.2 included the fix in @babel/helpers, the compiled code of the helpers in the above packages is still present in their latest version because no new versions of these packages were published for that release. Is there any way babel could have a minor version bump of the @babel/code-frame and @babel/highlights packages in the next v7 release?