🤖 Pick PR #63368 (Harden ATA package name filtering) into release-6.0 (#63372)

typescript-bot · jakebailey · web-flow · commit ad1c695fada6 · 2026-04-07T10:24:50.000-07:00
Co-authored-by: Jake Bailey &lt;5341706+jakebailey@users.noreply.github.com&gt;
diff --git a/src/jsTyping/jsTyping.ts b/src/jsTyping/jsTyping.ts
@@ -327,7 +327,8 @@ export const enum NameValidationResult {
     NameTooLong,
     NameStartsWithDot,
     NameStartsWithUnderscore,
-    NameContainsNonURISafeCharacters,
+    NameContainsInvalidCharacters,
+    NameContainsNonURISafeCharacters = NameContainsInvalidCharacters, // for backward compatibility
 }
 
 const maxPackageNameLength = 214;
@@ -381,8 +382,8 @@ function validatePackageNameWorker(packageName: string, supportScopedPackage: bo
             return NameValidationResult.Ok;
         }
     }
-    if (encodeURIComponent(packageName) !== packageName) {
-        return NameValidationResult.NameContainsNonURISafeCharacters;
+    if (!/^[\w.-]+$/.test(packageName)) {
+        return NameValidationResult.NameContainsInvalidCharacters;
     }
     return NameValidationResult.Ok;
 }
@@ -405,8 +406,8 @@ function renderPackageNameValidationFailureWorker(typing: string, result: NameVa
             return `'${typing}':: ${kind} name '${name}' cannot start with '.'`;
         case NameValidationResult.NameStartsWithUnderscore:
             return `'${typing}':: ${kind} name '${name}' cannot start with '_'`;
-        case NameValidationResult.NameContainsNonURISafeCharacters:
-            return `'${typing}':: ${kind} name '${name}' contains non URI safe characters`;
+        case NameValidationResult.NameContainsInvalidCharacters:
+            return `'${typing}':: ${kind} name '${name}' contains invalid characters`;
         case NameValidationResult.Ok:
             return Debug.fail(); // Shouldn't have called this.
         default:
diff --git a/src/testRunner/unittests/tsserver/typingsInstaller.ts b/src/testRunner/unittests/tsserver/typingsInstaller.ts
@@ -1524,10 +1524,11 @@ describe("unittests:: tsserver:: typingsInstaller:: Validate package name:", ()
     it("package name cannot start with underscore", () => {
         assert.equal(validatePackageName("_foo"), NameValidationResult.NameStartsWithUnderscore);
     });
-    it("package non URI safe characters are not supported", () => {
-        assert.equal(validatePackageName("  scope  "), NameValidationResult.NameContainsNonURISafeCharacters);
-        assert.equal(validatePackageName("; say ‘Hello from TypeScript!’ #"), NameValidationResult.NameContainsNonURISafeCharacters);
-        assert.equal(validatePackageName("a/b/c"), NameValidationResult.NameContainsNonURISafeCharacters);
+    it("package invalid characters are not supported", () => {
+        assert.equal(validatePackageName("  scope  "), NameValidationResult.NameContainsInvalidCharacters);
+        assert.equal(validatePackageName("; say ‘Hello from TypeScript!’ #"), NameValidationResult.NameContainsInvalidCharacters);
+        assert.equal(validatePackageName("a/b/c"), NameValidationResult.NameContainsInvalidCharacters);
+        assert.equal(validatePackageName("react'test"), NameValidationResult.NameContainsInvalidCharacters);
     });
     it("scoped package name is supported", () => {
         assert.equal(validatePackageName("@scope/bar"), NameValidationResult.Ok);
@@ -1540,20 +1541,20 @@ describe("unittests:: tsserver:: typingsInstaller:: Validate package name:", ()
         assert.deepEqual(validatePackageName("@_scope/bar"), { name: "_scope", isScopeName: true, result: NameValidationResult.NameStartsWithUnderscore });
         assert.deepEqual(validatePackageName("@_scope/_bar"), { name: "_scope", isScopeName: true, result: NameValidationResult.NameStartsWithUnderscore });
     });
-    it("scope name in scoped package name with non URI safe characters are not supported", () => {
-        assert.deepEqual(validatePackageName("@  scope  /bar"), { name: "  scope  ", isScopeName: true, result: NameValidationResult.NameContainsNonURISafeCharacters });
-        assert.deepEqual(validatePackageName("@; say ‘Hello from TypeScript!’ #/bar"), { name: "; say ‘Hello from TypeScript!’ #", isScopeName: true, result: NameValidationResult.NameContainsNonURISafeCharacters });
-        assert.deepEqual(validatePackageName("@  scope  /  bar  "), { name: "  scope  ", isScopeName: true, result: NameValidationResult.NameContainsNonURISafeCharacters });
+    it("scope name in scoped package name with invalid characters are not supported", () => {
+        assert.deepEqual(validatePackageName("@  scope  /bar"), { name: "  scope  ", isScopeName: true, result: NameValidationResult.NameContainsInvalidCharacters });
+        assert.deepEqual(validatePackageName("@; say ‘Hello from TypeScript!’ #/bar"), { name: "; say ‘Hello from TypeScript!’ #", isScopeName: true, result: NameValidationResult.NameContainsInvalidCharacters });
+        assert.deepEqual(validatePackageName("@  scope  /  bar  "), { name: "  scope  ", isScopeName: true, result: NameValidationResult.NameContainsInvalidCharacters });
     });
     it("package name in scoped package name cannot start with dot", () => {
         assert.deepEqual(validatePackageName("@scope/.bar"), { name: ".bar", isScopeName: false, result: NameValidationResult.NameStartsWithDot });
     });
     it("package name in scoped package name cannot start with underscore", () => {
         assert.deepEqual(validatePackageName("@scope/_bar"), { name: "_bar", isScopeName: false, result: NameValidationResult.NameStartsWithUnderscore });
     });
-    it("package name in scoped package name with non URI safe characters are not supported", () => {
-        assert.deepEqual(validatePackageName("@scope/  bar  "), { name: "  bar  ", isScopeName: false, result: NameValidationResult.NameContainsNonURISafeCharacters });
-        assert.deepEqual(validatePackageName("@scope/; say ‘Hello from TypeScript!’ #"), { name: "; say ‘Hello from TypeScript!’ #", isScopeName: false, result: NameValidationResult.NameContainsNonURISafeCharacters });
+    it("package name in scoped package name with invalid characters are not supported", () => {
+        assert.deepEqual(validatePackageName("@scope/  bar  "), { name: "  bar  ", isScopeName: false, result: NameValidationResult.NameContainsInvalidCharacters });
+        assert.deepEqual(validatePackageName("@scope/; say ‘Hello from TypeScript!’ #"), { name: "; say ‘Hello from TypeScript!’ #", isScopeName: false, result: NameValidationResult.NameContainsInvalidCharacters });
     });
 });
 
diff --git a/tests/baselines/reference/tsserver/typingsInstaller/malformed-packagejson.js b/tests/baselines/reference/tsserver/typingsInstaller/malformed-packagejson.js
@@ -200,7 +200,7 @@ Info seq  [hh:mm:ss:mss] FileWatcher:: Added:: WatchInfo: /home/src/projects/pro
 Info seq  [hh:mm:ss:mss] DirectoryWatcher:: Added:: WatchInfo: /home/src/projects/project/node_modules 1 undefined Project: /dev/null/inferredProject1* WatchType: Directory location for typing installer
 Info seq  [hh:mm:ss:mss] Elapsed:: *ms DirectoryWatcher:: Added:: WatchInfo: /home/src/projects/project/node_modules 1 undefined Project: /dev/null/inferredProject1* WatchType: Directory location for typing installer
 TI:: [hh:mm:ss:mss] Installing typings ["co } }"]
-TI:: [hh:mm:ss:mss] 'co } }':: Package name 'co } }' contains non URI safe characters
+TI:: [hh:mm:ss:mss] 'co } }':: Package name 'co } }' contains invalid characters
 TI:: [hh:mm:ss:mss] All typings are known to be missing or invalid - no need to install more typings
 TI:: [hh:mm:ss:mss] Sending response:
     {
diff --git a/tests/baselines/reference/tsserver/typingsInstaller/should-handle-node-core-modules.js b/tests/baselines/reference/tsserver/typingsInstaller/should-handle-node-core-modules.js
@@ -654,7 +654,7 @@ TI:: [hh:mm:ss:mss] Sending response:
       "projectName": "/dev/null/inferredProject1*"
     }
 TI:: [hh:mm:ss:mss] Installing typings ["s tream"]
-TI:: [hh:mm:ss:mss] 's tream':: Package name 's tream' contains non URI safe characters
+TI:: [hh:mm:ss:mss] 's tream':: Package name 's tream' contains invalid characters
 TI:: [hh:mm:ss:mss] All typings are known to be missing or invalid - no need to install more typings
 TI:: [hh:mm:ss:mss] Sending response:
     {
diff --git a/tests/baselines/reference/tsserver/typingsInstaller/should-not-initialize-invaalid-package-names.js b/tests/baselines/reference/tsserver/typingsInstaller/should-not-initialize-invaalid-package-names.js
@@ -160,7 +160,7 @@ Info seq  [hh:mm:ss:mss] FileWatcher:: Added:: WatchInfo: /home/src/projects/pro
 Info seq  [hh:mm:ss:mss] DirectoryWatcher:: Added:: WatchInfo: /home/src/projects/project/node_modules 1 undefined Project: /dev/null/inferredProject1* WatchType: Directory location for typing installer
 Info seq  [hh:mm:ss:mss] Elapsed:: *ms DirectoryWatcher:: Added:: WatchInfo: /home/src/projects/project/node_modules 1 undefined Project: /dev/null/inferredProject1* WatchType: Directory location for typing installer
 TI:: [hh:mm:ss:mss] Installing typings ["; say ‘Hello from TypeScript!’ #"]
-TI:: [hh:mm:ss:mss] '; say ‘Hello from TypeScript!’ #':: Package name '; say ‘Hello from TypeScript!’ #' contains non URI safe characters
+TI:: [hh:mm:ss:mss] '; say ‘Hello from TypeScript!’ #':: Package name '; say ‘Hello from TypeScript!’ #' contains invalid characters
 TI:: [hh:mm:ss:mss] All typings are known to be missing or invalid - no need to install more typings
 TI:: [hh:mm:ss:mss] Sending response:
     {

Original file line number	Diff line number	Diff line change
`@@ -327,7 +327,8 @@ export const enum NameValidationResult {`
`327`	`327`	`NameTooLong,`
`328`	`328`	`NameStartsWithDot,`
`329`	`329`	`NameStartsWithUnderscore,`
`330`		`- NameContainsNonURISafeCharacters,`
	`330`	`+ NameContainsInvalidCharacters,`
	`331`	`+ NameContainsNonURISafeCharacters = NameContainsInvalidCharacters, // for backward compatibility`
`331`	`332`	`}`
`332`	`333`
`333`	`334`	`const maxPackageNameLength = 214;`
`@@ -381,8 +382,8 @@ function validatePackageNameWorker(packageName: string, supportScopedPackage: bo`
`381`	`382`	`return NameValidationResult.Ok;`
`382`	`383`	`}`
`383`	`384`	`}`
`384`		`- if (encodeURIComponent(packageName) !== packageName) {`
`385`		`- return NameValidationResult.NameContainsNonURISafeCharacters;`
	`385`	`+ if (!/^[\w.-]+$/.test(packageName)) {`
	`386`	`+ return NameValidationResult.NameContainsInvalidCharacters;`
`386`	`387`	`}`
`387`	`388`	`return NameValidationResult.Ok;`
`388`	`389`	`}`
`@@ -405,8 +406,8 @@ function renderPackageNameValidationFailureWorker(typing: string, result: NameVa`
`405`	`406`	return `'${typing}':: ${kind} name '${name}' cannot start with '.'`;
`406`	`407`	`case NameValidationResult.NameStartsWithUnderscore:`
`407`	`408`	return `'${typing}':: ${kind} name '${name}' cannot start with '_'`;
`408`		`- case NameValidationResult.NameContainsNonURISafeCharacters:`
`409`		- return `'${typing}':: ${kind} name '${name}' contains non URI safe characters`;
	`409`	`+ case NameValidationResult.NameContainsInvalidCharacters:`
	`410`	+ return `'${typing}':: ${kind} name '${name}' contains invalid characters`;
`410`	`411`	`case NameValidationResult.Ok:`
`411`	`412`	`return Debug.fail(); // Shouldn't have called this.`
`412`	`413`	`default:`
Original file line number	Diff line number	Diff line change
`@@ -200,7 +200,7 @@ Info seq [hh:mm:ss:mss] FileWatcher:: Added:: WatchInfo: /home/src/projects/pro`
`200`	`200`	`Info seq [hh:mm:ss:mss] DirectoryWatcher:: Added:: WatchInfo: /home/src/projects/project/node_modules 1 undefined Project: /dev/null/inferredProject1* WatchType: Directory location for typing installer`
`201`	`201`	`Info seq [hh:mm:ss:mss] Elapsed:: ms DirectoryWatcher:: Added:: WatchInfo: /home/src/projects/project/node_modules 1 undefined Project: /dev/null/inferredProject1 WatchType: Directory location for typing installer`
`202`	`202`	`TI:: [hh:mm:ss:mss] Installing typings ["co } }"]`
`203`		`-TI:: [hh:mm:ss:mss] 'co } }':: Package name 'co } }' contains non URI safe characters`
	`203`	`+TI:: [hh:mm:ss:mss] 'co } }':: Package name 'co } }' contains invalid characters`
`204`	`204`	`TI:: [hh:mm:ss:mss] All typings are known to be missing or invalid - no need to install more typings`
`205`	`205`	`TI:: [hh:mm:ss:mss] Sending response:`
`206`	`206`	`{`
Original file line number	Diff line number	Diff line change
`@@ -654,7 +654,7 @@ TI:: [hh:mm:ss:mss] Sending response:`
`654`	`654`	`"projectName": "/dev/null/inferredProject1*"`
`655`	`655`	`}`
`656`	`656`	`TI:: [hh:mm:ss:mss] Installing typings ["s tream"]`
`657`		`-TI:: [hh:mm:ss:mss] 's tream':: Package name 's tream' contains non URI safe characters`
	`657`	`+TI:: [hh:mm:ss:mss] 's tream':: Package name 's tream' contains invalid characters`
`658`	`658`	`TI:: [hh:mm:ss:mss] All typings are known to be missing or invalid - no need to install more typings`
`659`	`659`	`TI:: [hh:mm:ss:mss] Sending response:`
`660`	`660`	`{`
Original file line number	Diff line number	Diff line change
`@@ -160,7 +160,7 @@ Info seq [hh:mm:ss:mss] FileWatcher:: Added:: WatchInfo: /home/src/projects/pro`
`160`	`160`	`Info seq [hh:mm:ss:mss] DirectoryWatcher:: Added:: WatchInfo: /home/src/projects/project/node_modules 1 undefined Project: /dev/null/inferredProject1* WatchType: Directory location for typing installer`
`161`	`161`	`Info seq [hh:mm:ss:mss] Elapsed:: ms DirectoryWatcher:: Added:: WatchInfo: /home/src/projects/project/node_modules 1 undefined Project: /dev/null/inferredProject1 WatchType: Directory location for typing installer`
`162`	`162`	`TI:: [hh:mm:ss:mss] Installing typings ["; say ‘Hello from TypeScript!’ #"]`
`163`		`-TI:: [hh:mm:ss:mss] '; say ‘Hello from TypeScript!’ #':: Package name '; say ‘Hello from TypeScript!’ #' contains non URI safe characters`
	`163`	`+TI:: [hh:mm:ss:mss] '; say ‘Hello from TypeScript!’ #':: Package name '; say ‘Hello from TypeScript!’ #' contains invalid characters`
`164`	`164`	`TI:: [hh:mm:ss:mss] All typings are known to be missing or invalid - no need to install more typings`
`165`	`165`	`TI:: [hh:mm:ss:mss] Sending response:`
`166`	`166`	`{`