Abnormal module resolution for github: dependencies #956

Open
FurryR opened this issue Dec 22, 2024 · 5 comments
Labels
browser Not working in Browser

Comments

FurryR commented Dec 22, 2024

Steps to reproduce

  1. Create a npm package (named A) and upload it to GitHub.
  2. Create another npm package (named B) and upload it to GitHub.
  3. In the package.json of B, specify A as a dependency via github:UserName/A.git.
  4. Use esm.sh to load B.

Expected behavior

Things work just fine.

Actual behavior

The behavior here is a little funny.

If there is an npm package with the same name (A) on registry.npmjs.org: the resolver uses the one on registry.npmjs.org.
If there is no npm package with the same name (A) on registry.npmjs.org: the resolver silently fails.

This may lead to a dependency pollution attack.

@FurryR FurryR added the browser Not working in Browser label Dec 22, 2024
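
The two outcomes reported above can be looked for in a project's own manifest. As an added example (not part of the original thread and not esm.sh code), this script lists the git-hosted dependencies in a package.json and labels each with the outcome the issue reports, depending on whether the same name exists on the registry; it also recognizes `git+https`/`git+ssh` and bare `owner/repo` specifiers beyond the `github:` form in the report. The `registryNames` set is a constructed stand-in for a registry lookup, and the function names, outcome labels and sample data are hypothetical.

```javascript
// Added example (not esm.sh code). Parses npm git-style dependency specifiers.
// Returns null for semver ranges, file: paths, tarball URLs and npm: aliases.
function parseGitSpec(spec) {
  const tail = "(?:\\.git)?(?:#(.+))?$";
  // "github:owner/repo[.git][#ref]" and the bare "owner/repo" shorthand
  let m = new RegExp("^(?:github:)?([A-Za-z0-9][\\w.-]*)/([\\w.-]+?)" + tail).exec(spec);
  if (m) return { host: "github.com", owner: m[1], repo: m[2], ref: m[3] || null };
  // "git+https://host/owner/repo", "git+ssh://git@host/owner/repo", "git://host/..."
  m = new RegExp("^(?:git\\+(?:https?|ssh)|git)://(?:[^@/]+@)?([^/:]+)[/:]([^/]+)/([^/#]+?)" + tail).exec(spec);
  if (m) return { host: m[1], owner: m[2], repo: m[3], ref: m[4] || null };
  return null;
}

// For every git-hosted dependency, record which of the two behaviours from the
// issue would apply if a resolver looked the name up on the registry instead.
// registryNames: Set of names known to exist on the registry (assumption: the
// caller fills this from a registry lookup; here it is constructed inline).
function auditGitDependencies(pkg, registryNames) {
  const findings = [];
  for (const field of ["dependencies", "optionalDependencies", "peerDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const git = parseGitSpec(spec);
      if (!git) continue; // registry, file: and tarball deps are out of scope
      findings.push({
        field, name, spec,
        source: `${git.host}/${git.owner}/${git.repo}`,
        ref: git.ref,
        outcome: registryNames.has(name)
          ? "registry-package-substituted"  // same name exists on the registry
          : "resolution-fails-silently",    // no package with that name
      });
    }
  }
  return findings;
}

// Constructed sample: package B from the steps to reproduce, plus extra cases.
const SAMPLE_PKG = {
  name: "B",
  dependencies: {
    A: "github:UserName/A.git",
    lodash: "^4.17.21",
    C: "git+https://github.com/UserName/C.git#develop",
    local: "file:../local",
  },
};
const SAMPLE_REGISTRY = new Set(["A", "lodash"]); // constructed, not real lookups

console.log(auditGitDependencies(SAMPLE_PKG, SAMPLE_REGISTRY));
```
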
Author

FurryR commented Dec 22, 2024

Member

ije commented Dec 22, 2024

Author

FurryR commented Dec 23, 2024

the dev branch works fine: https://next.esm.sh/gh/TurbowarpESM/scratch-svg-renderer@79d8743553

Another example: https://esm.sh/gh/TurbowarpESM/scratch-render

Is it caused by the cache? I feel confused.

Member

ije commented Dec 23, 2024

it's not deployed to the main yet

Author

FurryR commented Dec 23, 2024

> it's not deployed to the main yet

Thank you so much for still replying to my weird technical issues.

There's an exception when I try to import the library scratch-render; the message of the Error thrown by require is: module "/v135/gh/TurbowarpESM/scratch-svg-renderer.git@develop" not found. It seems that the bundler generated a require call with an incorrect argument /v135/gh/TurbowarpESM/scratch-svg-renderer.git@develop while it was supposed to be scratch-svg-renderer. Therefore, the dependency resolver was unable to track this dependency via require calls (as a dependency with such a name didn't exist).

The issue with the previously mentioned libraries (A and B) disappeared in the link you provided for unknown reasons. Importing B now works fine but I have no clue how it was fixed.
