Description
Is there an existing issue for this?
- I have searched the existing issues
Current Behavior
This library says that package names like @explodingcabbage/.. are valid
> require("validate-npm-package-name/package.json").version
6.0.0
> require("validate-npm-package-name")('@explodingcabbage/..')
{ validForNewPackages: true, validForOldPackages: true }
And it looks like this package was published to the registry. I can't link to the registry page for obvious reasons, but it appears in search results.
https://www.npmjs.com/search?q=%40explodingcabbage%2F..
It appears in the replication _changes API:
$ curl -sS -H 'npm-replication-opt-in: true' 'https://replicate.npmjs.com/_changes?since=42885799' | jq -c '.results[]' | rg '\.\.'
{"seq":42885800,"id":"@explodingcabbage/..","changes":[{"rev":"1-db4849f04fd7fd1557635082d56a226b"}]}
But there's no way to fetch the packument from the registry. Using /@explodingcabbage/.. resolves to /.
Using %2E%2E either has the same result, or returns an Invalid pathname error:
curl 'https://registry.npmjs.org/@explodingcabbage/%2E%2E'
{"error":"Invalid pathname when stringifying URL."}
npm install will not install the module, or add it to package.json, probably because npm resolves this as a path to the current module?
$ npm install @explodingcabbage/..
$ ls node_modules
ls: cannot access 'node_modules': No such file or directory
Forcing npm to treat the argument as a registry dependency yields an error:
$ npm install 'npm:@explodingcabbage/..@*'
npm error code E404
npm error 404 Not Found - GET https://registry.npmjs.org/@explodingcabbage%2f.. - Not found
Expected Behavior
Since it doesn't appear possible to install these packages, it should be invalid.
The name ends up being part of a URL, an argument on the command line, and a folder name. Therefore, the name can't contain any non-URL-safe characters.
.. may not be non-URL-safe characters, but it feels like this rule should apply
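
The check this issue asks for, sketched as an added example (not part of the original issue and not validate-npm-package-name's code): it rejects names whose scope or package segment is a dot segment, and confirms the rejection by round-tripping the name through the WHATWG URL parser and a simplified folder join. `checkName`, `installDir` and the `registry.example` host are hypothetical names chosen for illustration.

```javascript
// Added example. registry.example is a placeholder host, not a real registry.
const REGISTRY = 'https://registry.example/';

// The WHATWG URL parser treats ".", ".." and their %2e-encoded forms
// (case-insensitive) as dot segments and collapses them.
const DOT_SEGMENT = /^(\.|%2e){1,2}$/i;

// Simplified model of joining a name onto node_modules (assumption:
// POSIX-style normalization, the same result path.posix.join would give).
function installDir(name) {
  const out = ['node_modules'];
  for (const seg of name.split('/')) {
    if (seg === '..') out.pop();
    else if (seg !== '.' && seg !== '') out.push(seg);
  }
  return out.join('/');
}

// Returns { name, ok, problems } for a candidate package name.
function checkName(name) {
  const problems = [];

  // 1. Direct rule: no segment of the name may be a dot segment.
  for (const seg of name.split('/')) {
    if (DOT_SEGMENT.test(seg)) problems.push(`dot segment "${seg}"`);
  }

  // 2. URL context: the registry path must survive parsing unchanged.
  const pathname = new URL(REGISTRY + name).pathname;
  if (pathname !== '/' + name) {
    problems.push(`URL path normalizes to "${pathname}"`);
  }

  // 3. Folder context: the install directory must end in the name itself.
  const dir = installDir(name);
  if (dir !== 'node_modules/' + name) {
    problems.push(`install dir normalizes to "${dir}"`);
  }

  return { name, ok: problems.length === 0, problems };
}

// Constructed sample inputs: the name from this issue plus two ordinary names.
for (const n of ['@explodingcabbage/..', '@explodingcabbage/%2E%2E', '@types/node', 'lodash']) {
  console.log(JSON.stringify(checkName(n)));
}
```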
