Symfony version(s) affected
6.4 and upward
Description
The package @progress/kendo-ui imports jQuery as jQuery$1 (URL: https://cdn.jsdelivr.net/npm/@progress/[email protected]/+esm).
This breaks the regex at https://github.com/symfony/asset-mapper/blob/7.1/ImportMap/Resolver/JsDelivrEsmResolver.php#L31
How to reproduce
Try to require any package where the import statement uses a valid JavaScript variable name (any char, number class plus $, _) that doesn't match the regex \w. As an example, @progress/kendo-ui, which requires jQuery using the variable name jQuery$1.
Possible Solution
The regex could be rewritten to
'#(?:import\s*(?:[\w\$\d]+,)?(?:(?:\{[^}]*\}|[\w\$\d]+|\*\s*as\s+\w+)\s*\bfrom\s*)?|export\s*(?:\{[^}]*\}|\*)\s*from\s*)("/npm/((?:@[^/]+/)?[^@]+?)(?:@([^/]+))?((?:/[^/]+)*?)/\+esm")#'
to capture $, but this is still fraught with danger as JavaScript variable names may include Unicode surprises.
Additional Context
Additionally, if the content is very large, there may be pcre.backtrack_limit errors. (Trying to replace the [\w\$\d] references with [^\s] references would lead to NULL results in preg_replace_callback due to backtrack errors in the regex.)
This feature may need to be completely rewritten to avoid regular expressions.
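
A small harness for checking the patterns discussed in this report against import lines, added here as an example and not taken from Symfony or from the report. It assumes the current resolver pattern equals the proposed one with [\w\$\d] reverted to \w; the function name capturedDeps, the sample imports and their versions are constructed.

```php
<?php
// Added example, not Symfony code. Sample imports and versions are constructed.

// Pattern proposed in the report, copied verbatim.
$proposed = '#(?:import\s*(?:[\w\$\d]+,)?(?:(?:\{[^}]*\}|[\w\$\d]+|\*\s*as\s+\w+)\s*\bfrom\s*)?|export\s*(?:\{[^}]*\}|\*)\s*from\s*)("/npm/((?:@[^/]+/)?[^@]+?)(?:@([^/]+))?((?:/[^/]+)*?)/\+esm")#';
// Assumption: the current resolver pattern is the proposal with [\w\$\d] reverted to \w.
$currentAssumed = str_replace('[\w\$\d]', '\w', $proposed);

/** Returns "name@version" for every /npm/.../+esm import the pattern captures. */
function capturedDeps(string $pattern, string $js): array
{
    $deps = [];
    $result = preg_replace_callback(
        $pattern,
        static function (array $m) use (&$deps): string {
            $deps[] = $m[2].'@'.$m[3]; // group 2 = package name, group 3 = version
            return $m[0];              // leave the source untouched, only record matches
        },
        $js
    );

    // NULL means PCRE gave up (for example on pcre.backtrack_limit). Fail loudly
    // so an aborted scan is never mistaken for "this file has no dependencies".
    if (null === $result) {
        throw new RuntimeException('PCRE error: '.preg_last_error_msg());
    }

    return $deps;
}

$samples = [
    'plain identifier'  => 'import e from"/npm/jquery@3.7.1/+esm";',
    'identifier with $' => 'import jQuery$1 from"/npm/jquery@3.7.1/+esm";',
    // The proposed pattern still uses \w+ after "as", so this form is worth probing.
    'namespace with $'  => 'import*as k$ from"/npm/jszip@3.10.1/+esm";',
    // Probe for the "Unicode surprises" the report mentions.
    'non-ASCII name'    => 'import café from"/npm/lodash@4.17.21/+esm";',
];

foreach ($samples as $label => $js) {
    printf(
        "%-18s current(assumed)=%s proposed=%s\n",
        $label,
        json_encode(capturedDeps($currentAssumed, $js)),
        json_encode(capturedDeps($proposed, $js))
    );
}
```

An empty list for a line that clearly contains an import is the failure mode described above: the dependency is silently skipped rather than reported.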