@sallustfire
Base64-encoded CSS data in virtual file paths as the source query parameter
can contain `/` and `//` characters, which are susceptible to path
normalization in bundler plugin systems. While the source parameter should
be opaque it is not URL safe and esbuild configurations can collapse
`//` → `/`, which corrupts the base64 data preventing compressed source
data from being read.

Switching to base64url encoding replaces `/` with `_` and `+` with `-`,
making the encoded data safe for use in file paths and resilient to this class
of error.
@changeset-bot

changeset-bot bot commented Nov 9, 2025

🦋 Changeset detected

Latest commit: a674f56

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 9 packages

| Name | Type |
| --- | --- |
| @vanilla-extract/integration | Patch |
| @vanilla-extract/compiler | Patch |
| @vanilla-extract/esbuild-plugin | Patch |
| @vanilla-extract/jest-transform | Patch |
| @vanilla-extract/parcel-transformer | Patch |
| @vanilla-extract/rollup-plugin | Patch |
| @vanilla-extract/vite-plugin | Patch |
| @vanilla-extract/webpack-plugin | Patch |
| @vanilla-extract/next-plugin | Patch |

@sallustfire
Author

We encountered this in production using `@vanilla-extract/esbuild-plugin` with a CSS file where gzip+base64 produced a `//` sequence:

  • onResolve receives: ...?source=#H4sI...4//feL... (509 chars)
  • onLoad receives: ...?source=#H4sI...4/feL... (508 chars) ← corrupted
  • Result: Error: incorrect header check from gunzip
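
The corruption described in this thread can be reproduced offline. The following is an added example, not code from the PR or from vanilla-extract: the path prefix, the CSS rules and `normalizePath` (a stand-in for the bundler's slash collapsing) are constructed assumptions.

```javascript
// Added example; the path prefix and CSS rules below are constructed.
const zlib = require('node:zlib');

const PREFIX = '/src/button.css.ts.vanilla.css?source=';

// Stand-in for a bundler collapsing repeated slashes in a resolved path.
const normalizePath = (p) => p.replace(/\/{2,}/g, '/');

// gzip the CSS and encode it with 'base64' or 'base64url'.
const encodeSource = (css, encoding) =>
  zlib.gzipSync(Buffer.from(css, 'utf8')).toString(encoding);

// Recover the CSS from the source parameter of a virtual path.
function decodePath(path, encoding) {
  const source = path.slice(path.indexOf('?source=') + '?source='.length);
  try {
    const css = zlib.gunzipSync(Buffer.from(source, encoding)).toString('utf8');
    return { ok: true, css };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Search constructed rules for one whose standard base64 form contains "//".
function findCollidingCss(limit = 100000) {
  for (let i = 0; i < limit; i++) {
    const css = `.button_${i}{margin:${i}px;color:#${i.toString(16).padStart(6, '0')}}`;
    if (encodeSource(css, 'base64').includes('//')) return css;
  }
  throw new Error('no colliding input found');
}

// Send a path through normalization, as between onResolve and onLoad.
function roundTrip(css, encoding) {
  const sent = PREFIX + encodeSource(css, encoding);
  const received = normalizePath(sent);
  return { charsLost: sent.length - received.length, ...decodePath(received, encoding) };
}

const sample = findCollidingCss();
console.log('base64   ', roundTrip(sample, 'base64'));
console.log('base64url', roundTrip(sample, 'base64url'));
```

With standard base64 the normalized path is shorter than the one that was sent and `gunzipSync` rejects the payload; with base64url the path passes through unchanged.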
