Getting served a corrupted fileΒ #1189
Description
Feel free to close this as "can't reproduce", since I'm sure it's going to be impossible to reproduce it. But, I'm currently being served a corrupted file at an esm.sh URL, and it's persistent so I suspect it's living that way in a cache somewhere.
The real file:
curl 'https://esm.sh/date-fns?dev' 2>&1 | head -n 20
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
/* esm.sh - [email protected] */
import "/[email protected]/es2022/add.development.mjs";
import "/[email protected]/es2022/addBusinessDays.development.mjs";
import "/[email protected]/es2022/addDays.development.mjs";
import "/[email protected]/es2022/addHours.development.mjs";
import "/[email protected]/es2022/addISOWeekYears.development.mjs";
import "/[email protected]/es2022/addMilliseconds.development.mjs";
import "/[email protected]/es2022/addMinutes.development.mjs";
import "/[email protected]/es2022/addMonths.development.mjs";
import "/[email protected]/es2022/addQuarters.development.mjs";
import "/[email protected]/es2022/addSeconds.development.mjs";
import "/[email protected]/es2022/addWeeks.development.mjs";
import "/[email protected]/es2022/addYears.development.mjs";
import "/[email protected]/es2022/areIntervalsOverlapping.development.mjs";
import "/[email protected]/es2022/clamp.development.mjs";
import "/[email protected]/es2022/closestIndexTo.development.mjs";
import "/[email protected]/es2022/closestTo.development.mjs";
import "/[email protected]/es2022/compareAsc.development.mjs";
The dubious file:
$ curl 'https://esm.sh/date-fns?dev' -H 'origin: file://' 2>&1 | head -n 20
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
/* esm.sh - [email protected] */
export * from "/[email protected]/es2022/react.mjs";
export { default } from "/[email protected]/es2022/react.mjs";
t "/scheduler@^0.26.0?target=es2022";
export * from "/[email protected]/es2022/client.mjs";
export { default } from "/[email protected]/es2022/client.mjs";
s2022/addISOWeekYears.development.mjs";
import "/[email protected]/es2022/addMilliseconds.development.mjs";
import "/[email protected]/es2022/addMinutes.development.mjs";
import "/[email protected]/es2022/addMonths.development.mjs";
import "/[email protected]/es2022/addQuarters.development.mjs";
import "/[email protected]/es2022/addSeconds.development.mjs";
import "/[email protected]/es2022/addWeeks.development.mjs";
import "/[email protected]/es2022/addYears.development.mjs";
import "/[email protected]/es2022/areIntervalsOverlapping.development.mjs";
import "/[email protected]/es2022/clamp.development.mjs";
import "/[email protected]/es2022/closestIndexTo.development.mjs";
import "/[email protected]/es2022/closestTo.development.mjs";
(EDIT: I added a couple of newlines separating the cURL progress output from the file contents, not present in the original, just for clarity.)
I assume the origin is not actually relevant to triggering whatever bug caused the file corruption; rather I expect you're using it as a cache key, and I'm probably the only person screwing around with pulling these specific objects with a file:// origin at 1AM, so I suspect I have this cached object all to myself right now.
The contents appear to have been produced as follows:
- Write the correct file somewhere.
- Write over the beginning of the file with the contents of https://esm.sh/react-dom/client .
- Then write over the beginning of the file again, with the contents of https://esm.sh/react .
I had been thinking that these were all files I was requesting around the same time, but on further inspection I see that the overwriting bytes came from the prod versions of those modules, whereas I believe I would only be querying for the ?dev versions, so I'm not sure about that part.