Possible DoS on public esm.sh, many compilations of the same package/versions

[NadhifRadityo]

We appear to be seeing an automated flood of compilation requests against the public esm.sh service. Many different version builds of the same package (React) being queued/started at the same time. That looks like either a misbehaving client or an intentional attempt to exhaust CPU/memory I/O by forcing repeated on-demand compilations.

What I observed

• Large number of install/pending compilation entries (same package family, many versions) created within the same minute.
• Timestamps are clustered (same createdAt time across many entries), suggesting an automated script or a looped client.
• The service ends up spending CPU and memory compiling many different small variations rather than serving prebuilt artifacts, which can cause high load and degrade service for everyone.

(See the following screenshot of the status log showing many react@.../react.mjs, @solana/web3 entries created in quick succession.

Because of this sudden flood of builds, it looks like the compilation queue is getting backed up.
My own requests to esm.sh (for completely unrelated packages) are now being delayed or failing entirely, presumably because my build jobs are being placed at the back of the queue.

So while this might not be a deliberate attack, it effectively acts like a denial-of-service for everyone else using the public instance of esm.sh.

Also, if whoever is running the version sweep sees this: please pause your job. It’s really slowing down the public endpoint for everyone.