fix: scoped names validate blacklist/underscore/core module

Author: owlstronaut

README.md

@@ -29,7 +29,7 @@ Below is a list of rules that valid `npm` package name should conform to.
 - package name should not start with `.` or `_`
 - package name should *not* contain any spaces
 - package name should *not* contain any of the following characters: `~)('!*`
-- package name *cannot* be the same as a node.js/io.js core module nor a reserved/blacklisted name. For example, the following names are invalid:
+- package name *cannot* be the same as a node.js/io.js core module nor a reserved/excluded name. For example, the following names are invalid:
     + http
     + stream
     + node_modules

lib/index.js

@@ -2,7 +2,7 @@
 const { builtinModules: builtins } = require('module')
 
 var scopedPackagePattern = new RegExp('^(?:@([^/]+?)[/])?([^/]+?)$')
-var blacklist = [
+var exclusionList = [
   'node_modules',
   'favicon.ico',
 ]
@@ -43,9 +43,9 @@ function validate (name) {
   }
 
   // No funny business
-  blacklist.forEach(function (blacklistedName) {
-    if (name.toLowerCase() === blacklistedName) {
-      errors.push(blacklistedName + ' is a blacklisted name')
+  exclusionList.forEach(function (excludedName) {
+    if (name.toLowerCase() === excludedName) {
+      errors.push(excludedName + ' is not a valid package name')
     }
   })
 
@@ -80,6 +80,19 @@ function validate (name) {
         errors.push('name cannot start with a period')
       }
 
+      if (pkg.match(/^_/)) {
+        errors.push('name cannot start with an underscore')
+      }
+
+      exclusionList.forEach(function (excludedName) {
+        if (pkg.toLowerCase() === excludedName) {
+          errors.push(excludedName + ' is not a valid package name')
+        }
+      })
+
+      // Note: Core module names are allowed in scoped packages
+      // This is intentional - @user/http is a valid package name
+
       if (encodeURIComponent(user) === user && encodeURIComponent(pkg) === pkg) {
         return done(warnings, errors)
       }

test/index.js

@@ -26,6 +26,25 @@ test('validate-npm-package-name', function (t) {
     warnings: ['name can no longer contain special characters ("~\'!()*")'],
   })
 
+  // Scoped package validation for excluded names, underscore starts, and core modules
+
+  t.same(validate('@user/node_modules'), {
+    validForNewPackages: false,
+    validForOldPackages: false,
+    errors: ['node_modules is not a valid package name'],
+  })
+
+  t.same(validate('@user/_package'), {
+    validForNewPackages: false,
+    validForOldPackages: false,
+    errors: ['name cannot start with an underscore'],
+  })
+
+  t.same(validate('@user/http'), {
+    validForNewPackages: true,
+    validForOldPackages: true,
+  })
+
   // Invalid
 
   t.same(validate(null), {
@@ -98,12 +117,12 @@ test('validate-npm-package-name', function (t) {
   t.same(validate('node_modules'), {
     validForNewPackages: false,
     validForOldPackages: false,
-    errors: ['node_modules is a blacklisted name'] })
+    errors: ['node_modules is not a valid package name'] })
 
   t.same(validate('favicon.ico'), {
     validForNewPackages: false,
     validForOldPackages: false,
-    errors: ['favicon.ico is a blacklisted name'] })
+    errors: ['favicon.ico is not a valid package name'] })
 
   // Node/IO Core