fix: validate npm package names

Author: danielroe

app/pages/[...package].vue

@@ -2,6 +2,7 @@
 import { joinURL } from 'ufo'
 import type { PackumentVersion, NpmVersionDist } from '#shared/types'
 import type { JsrPackageInfo } from '#shared/types/jsr'
+import { assertValidPackageName } from '#shared/utils/npm'
 
 definePageMeta({
   name: 'package',
@@ -37,6 +38,10 @@ const parsedRoute = computed(() => {
 const packageName = computed(() => parsedRoute.value.packageName)
 const requestedVersion = computed(() => parsedRoute.value.requestedVersion)
 
+if (import.meta.server) {
+  assertValidPackageName(packageName.value)
+}
+
 // Extract org name from scoped package (e.g., "@nuxt/kit" -> "nuxt")
 const orgName = computed(() => {
   const name = packageName.value

package.json

@@ -44,6 +44,7 @@
     "shiki": "^3.21.0",
     "ufo": "^1.6.3",
     "unplugin-vue-router": "^0.19.2",
+    "validate-npm-package-name": "^7.0.2",
     "vue": "3.5.27",
     "vue-data-ui": "^3.13.2"
   },
@@ -56,6 +57,7 @@
     "@types/npmcli__arborist": "^6.3.2",
     "@types/sanitize-html": "^2.16.0",
     "@types/semver": "^7.7.1",
+    "@types/validate-npm-package-name": "^4.0.2",
     "@unocss/nuxt": "^66.6.0",
     "@unocss/preset-wind4": "^66.6.0",
     "@vite-pwa/assets-generator": "^1.0.2",

pnpm-lock.yaml

@@ -14,6 +14,7 @@ export default defineCachedEventHandler<Promise<JsrPackageInfo>>(
     if (!pkgPath) {
       throw createError({ statusCode: 400, message: 'Package name is required' })
     }
+    assertValidPackageName(pkgPath)
 
     return await fetchJsrPackageInfo(pkgPath)
   },

server/api/jsr/[...pkg].get.ts

@@ -6,6 +6,7 @@ export default defineCachedEventHandler(
     }
 
     const packageName = pkg.replace(/\//g, '/')
+    assertValidPackageName(packageName)
 
     try {
       return await fetchNpmPackage(packageName)

server/api/registry/[...pkg].get.ts

@@ -113,6 +113,7 @@ export default defineCachedEventHandler(
         message: 'Package name, version, and file path are required',
       })
     }
+    assertValidPackageName(packageName)
 
     try {
       const content = await fetchFileContent(packageName, version, filePath)

server/api/registry/file/[...pkg].get.ts

@@ -27,6 +27,7 @@ export default defineCachedEventHandler(
     if (!packageName || !version) {
       throw createError({ statusCode: 400, message: 'Package name and version are required' })
     }
+    assertValidPackageName(packageName)
 
     try {
       const jsDelivrData = await fetchFileTree(packageName, version)

server/api/registry/files/[...pkg].get.ts

@@ -37,6 +37,7 @@ export default defineCachedEventHandler(
     if (!packageName) {
       throw createError({ statusCode: 400, message: 'Package name is required' })
     }
+    assertValidPackageName(packageName)
 
     // If no version specified, resolve to latest
     let version = requestedVersion

server/api/registry/install-size/[...pkg].get.ts

@@ -58,6 +58,7 @@ export default defineCachedEventHandler(
     if (!packageName) {
       throw createError({ statusCode: 400, message: 'Package name is required' })
     }
+    assertValidPackageName(packageName)
 
     try {
       const packageData = await fetchNpmPackage(packageName)

server/api/registry/readme/[...pkg].get.ts

@@ -0,0 +1,16 @@
+import validatePackageName from 'validate-npm-package-name'
+
+/**
+ * Validate an npm package name and throw an HTTP error if invalid.
+ * Uses validate-npm-package-name to check against npm naming rules.
+ */
+export function assertValidPackageName(name: string): void {
+  const result = validatePackageName(name)
+  if (!result.validForNewPackages && !result.validForOldPackages) {
+    const errors = [...(result.errors ?? []), ...(result.warnings ?? [])]
+    throw createError({
+      statusCode: 400,
+      message: `Invalid package name: ${errors[0] ?? 'unknown error'}`,
+    })
+  }
+}