search

esm-dev / esm.sh

A fast, smart, & global CDN for modern(es2015+) web development.
https://esm.sh
MIT License
3.04k stars 146 forks source link

Whitelisting broken? - Failed to import - @sentry/astro #858

Open Johannes-Andersen opened 1 month ago

Johannes-Andersen commented 1 month ago

Failing module

import Sentry from "https://www.vg.no/esm/@sentry/astro@8.20.0?target=es2020"

Error message

Package import: https://www.vg.no/esm/@sentry/astro@8.20.0?target=es2020

Resolves this:

/* esm.sh - @sentry/astro@8.20.0 */
import "/esm/esm/v135/@sentry/browser@8.20.0/es2020/browser.mjs";
import "/esm/esm/v135/@sentry/core@8.20.0/es2020/core.mjs";
export * from "/esm/v135/@sentry/astro@8.20.0/es2020/astro.mjs";

When the browser then tries to resolve those URLS, it fails (those with esm/esm)

Responds with 403 forbidden: https://www.vg.no/esm/esm/v135/@sentry/browser@8.20.0/es2020/browser.mjs

Allow list is:

Screenshot 2024-07-26 at 17 37 03

Is this check failing due to not extracting the package name/scope correctly? Only happens for URLs that has the double esm/esm https://github.com/esm-dev/esm.sh/blob/72fb460530047e34fa5509b98b3f166732bfa53c/server/router.go#L565

Additional info

ije commented 1 month ago

do you set basepath to esm/esm?

Johannes-Andersen commented 1 month ago

do you set basepath to esm/esm?

No, just /esm/ :)

Screenshot 2024-07-26 at 18 59 51

For example these work: https://www.vg.no/esm/stable/react@18.3.1/es2020/react.mjs https://www.vg.no/esm/stable/react@18.3.1/es2020/jsx-runtime.js https://www.vg.no/esm/v133/@schibsted/data-controller@4.0.1/es2020/data-controller.mjs https://www.vg.no/esm/v133/@schibsted/data-controller@4.0.1

ije commented 1 month ago

i see, thanks! i will look into it