fix: Reject dependency names with leading/trailing whitespace (fixes duplicate installs)#7124
Conversation
|
I think there are stuff that can support package names with trailing whitespace? (e.g. But the root cause of #7099 is that when deciding what URL to call on the npm registry we just plop the package scope and names into The npm docs does list some restriction on package names:
Theoretically, a custom registry can allow these rules to be violated, allowing packages with names containing non-URL-safe character to resolve (by accepting urlencoded package names in URLs). But looks like All of that is to say, while I think this solution is fine, I do think I would be better to either
|
|
I see. I’ve updated the approach to encode the package name when building URLs at the |
What's the problem this PR addresses?
Yarn currently accepts dependency names with leading or trailing whitespace in
package.json. For example:{ "dependencies": { "lodash": "^4.17.21", "lodash ": "^4.17.20" } }Closes #7099
How did you fix it?
The fix introduces validation at the manifest parsing stage to reject dependency names with leading or trailing whitespace.
Checklist