fix: fetch org packages via existing server route

serhalp · serhalp · commit a51d1e73b5c3 · 2026-02-07T21:35:58.000-05:00
Org packages are fetched from the npm registry api (`/-/org/{org}/package`) in two places: 1. Server route `/api/registry/org/[org]/packages.get.ts`: - calls `$fetch('https://registry.npmjs.org/-/org/{org}/package')` 2. Client composable `useOrgPackages()`: calls `$npmRegistry('/-/org/{org}/package')` The composable bypasses the server route, duplicating the registry call, org name encoding, and error handling, and bypassing the important server-side caching. But most importantly, calls to the registry from the client fail with a CORS error, since the registry doesn't allow cross-origin requests from browsers.
diff --git a/app/composables/npm/useOrgPackages.ts b/app/composables/npm/useOrgPackages.ts
@@ -92,11 +92,11 @@ export function useOrgPackages(orgName: MaybeRefOrGetter<string>) {
       // Get all package names in the org
       let packageNames: string[]
       try {
-        const { data } = await $npmRegistry<Record<string, string>>(
-          `/-/org/${encodeURIComponent(org)}/package`,
+        const { packages } = await $fetch<{ packages: string[]; count: number }>(
+          `/api/registry/org/${encodeURIComponent(org)}/packages`,
           { signal },
         )
-        packageNames = Object.keys(data)
+        packageNames = packages
       } catch (err) {
         // Check if this is a 404 (org not found)
         if (err && typeof err === 'object' && 'statusCode' in err && err.statusCode === 404) {
diff --git a/server/api/registry/org/[org]/packages.get.ts b/server/api/registry/org/[org]/packages.get.ts
@@ -1,6 +1,5 @@
-import { CACHE_MAX_AGE_ONE_HOUR } from '#shared/utils/constants'
-
-const NPM_REGISTRY = 'https://registry.npmjs.org'
+import { CACHE_MAX_AGE_ONE_HOUR, NPM_REGISTRY } from '#shared/utils/constants'
+import { FetchError } from 'ofetch'
 
 // Validation pattern for npm org names (alphanumeric with hyphens)
 const NPM_ORG_NAME_RE = /^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$/i
@@ -37,8 +36,12 @@ export default defineCachedEventHandler(
         packages: Object.keys(data),
         count: Object.keys(data).length,
       }
-    } catch {
-      // Org doesn't exist or has no packages
+    } catch (error) {
+      // Let 404s propagate (org not found) so consumers can distinguish from empty
+      if (error instanceof FetchError && error.statusCode === 404) {
+        throw createError({ statusCode: 404, message: `Organization not found: ${org}` })
+      }
+      // For other errors (network, etc.), return empty
       return {
         packages: [],
         count: 0,
