From 9910169187ca6004dcd65bbbf3ad1b58dfaac7d9 Mon Sep 17 00:00:00 2001
From: shmam <shmam@github.com>
Date: Thu, 5 Jun 2025 11:27:13 -0400
Subject: [PATCH 1/2] fix: adding validation for scoped packages that begin
 with one or more periods

---
 lib/index.js  |  7 ++++++-
 test/index.js | 15 +++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/lib/index.js b/lib/index.js
index fd800d5..1501796 100644
--- a/lib/index.js
+++ b/lib/index.js
@@ -30,7 +30,7 @@ function validate (name) {
     errors.push('name length must be greater than zero')
   }
 
-  if (name.match(/^\./)) {
+  if (name.startsWith('.')) {
     errors.push('name cannot start with a period')
   }
 
@@ -75,6 +75,11 @@ function validate (name) {
     if (nameMatch) {
       var user = nameMatch[1]
       var pkg = nameMatch[2]
+
+      if (pkg.startsWith('.')) {
+        errors.push('name cannot start with a period')
+      }
+
       if (encodeURIComponent(user) === user && encodeURIComponent(pkg) === pkg) {
         return done(warnings, errors)
       }
diff --git a/test/index.js b/test/index.js
index 84a11ea..403b8d5 100644
--- a/test/index.js
+++ b/test/index.js
@@ -53,6 +53,21 @@ test('validate-npm-package-name', function (t) {
     validForOldPackages: false,
     errors: ['name cannot start with a period'] })
 
+  t.same(validate('@npm/.'), {
+    validForNewPackages: false,
+    validForOldPackages: false,
+    errors: ['name cannot start with a period'] })
+
+  t.same(validate('@npm/..'), {
+    validForNewPackages: false,
+    validForOldPackages: false,
+    errors: ['name cannot start with a period'] })
+
+  t.same(validate('@npm/.package'), {
+    validForNewPackages: false,
+    validForOldPackages: false,
+    errors: ['name cannot start with a period'] })
+
   t.same(validate('_start-with-underscore'), {
     validForNewPackages: false,
     validForOldPackages: false,

From 976de155843f7120b49d5089bc014e0d4ce416f8 Mon Sep 17 00:00:00 2001
From: shmam <shmam@github.com>
Date: Thu, 5 Jun 2025 11:59:08 -0400
Subject: [PATCH 2/2] chore: template-oss fixes

---
 .github/workflows/audit.yml               | 3 +++
 .github/workflows/ci-release.yml          | 4 ++++
 .github/workflows/ci.yml                  | 3 +++
 .github/workflows/codeql-analysis.yml     | 3 +++
 .github/workflows/pull-request.yml        | 3 +++
 .github/workflows/release-integration.yml | 4 ++++
 .github/workflows/release.yml             | 1 +
 7 files changed, 21 insertions(+)

diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
index a3ae725..85282bd 100644
--- a/.github/workflows/audit.yml
+++ b/.github/workflows/audit.yml
@@ -8,6 +8,9 @@ on:
     # "At 08:00 UTC (01:00 PT) on Monday" https://crontab.guru/#0_8_*_*_1
     - cron: "0 8 * * 1"
 
+permissions:
+  contents: read
+
 jobs:
   audit:
     name: Audit Dependencies
diff --git a/.github/workflows/ci-release.yml b/.github/workflows/ci-release.yml
index 673f9ca..d9fcb92 100644
--- a/.github/workflows/ci-release.yml
+++ b/.github/workflows/ci-release.yml
@@ -18,6 +18,10 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+  checks: write
+
 jobs:
   lint-all:
     name: Lint All
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a44b227..b991984 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -12,6 +12,9 @@ on:
     # "At 09:00 UTC (02:00 PT) on Monday" https://crontab.guru/#0_9_*_*_1
     - cron: "0 9 * * 1"
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     name: Lint
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 15c8efe..af848e1 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -13,6 +13,9 @@ on:
     # "At 10:00 UTC (03:00 PT) on Monday" https://crontab.guru/#0_10_*_*_1
     - cron: "0 10 * * 1"
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
index 7dbdfd4..c69932d 100644
--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
@@ -10,6 +10,9 @@ on:
       - edited
       - synchronize
 
+permissions:
+  contents: read
+
 jobs:
   commitlint:
     name: Lint Commits
diff --git a/.github/workflows/release-integration.yml b/.github/workflows/release-integration.yml
index 130578e..9ca9a2b 100644
--- a/.github/workflows/release-integration.yml
+++ b/.github/workflows/release-integration.yml
@@ -19,6 +19,10 @@ on:
       PUBLISH_TOKEN:
         required: true
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   publish:
     name: Publish
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 75acebb..53ff3c2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -244,6 +244,7 @@ jobs:
     if: needs.release.outputs.releases
     uses: ./.github/workflows/release-integration.yml
     permissions:
+      contents: read
       id-token: write
     secrets:
       PUBLISH_TOKEN: ${{ secrets.PUBLISH_TOKEN }}