fix(path): handle malformed encoded pathnames without throwing #1362

Closed
birkskyum wants to merge 3 commits into h3js:main from birkskyum:fix(path)--handle-malformed-encoded-pathnames-without-throwing

birkskyum commented Mar 29, 2026

resolves #1361

Summary by CodeRabbit

  • Bug Fixes

    • Improved handling of malformed URL paths to prevent errors and ensure stability when encountering invalid path encodings.
  • Tests

    • Added unit tests to verify URL decoding behavior and preservation of encoded sequences, reducing regression risk.

birkskyum requested a review from pi0 as a code owner March 29, 2026 12:39

coderabbitai Bot commented Mar 29, 2026

Walkthrough

decodePathname() in src/utils/internal/path.ts now wraps the decodeURI() call in a try/catch and returns the original pathname on decode errors (malformed percent-encoding). A new unit test test/unit/path.test.ts verifies malformed, valid, and %25-preservation behaviors.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Error Handling Enhancement (src/utils/internal/path.ts) | Wrapped decodeURI() in a try/catch; on failure returns the original pathname. Existing %25 -> %2525 preservation logic remains. |
| Test Coverage (test/unit/path.test.ts) | Added tests for decodePathname() covering malformed percent-encodings (returned unchanged), valid decoding, and preserved %25 sequences. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 I nibble bugs and mend the trail,
If bytes go wrong, I leave the tale.
I wrap my paws around the bite,
Return the path and keep things light.
Hops and tests — all snug tonight. 🥕

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately describes the main change: wrapping decodePathname with error handling to prevent throwing on malformed percent-encoded pathnames. |
| Linked Issues check | ✅ Passed | The pull request fully implements the requirements from issue #1361: adding try/catch error handling to decodePathname with %25 preservation logic and returning original pathname on decode failure. |
| Out of Scope Changes check | ✅ Passed | All changes are directly related to the linked issue #1361: the implementation change in src/utils/internal/path.ts and test coverage in test/unit/path.test.ts are both in scope. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |

coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@test/unit/path.test.ts`:
- Around line 4-22: Replace the top-level describe with the cross-runtime test
harness by using describeMatrix instead of describe (e.g. change describe("path
utilities", () => { ... }) to describeMatrix("path utilities", () => { ... })),
ensure describeMatrix is imported from your test matrix helper where other
matrix tests import it, and keep the existing inner suite and assertions
(including decodePathname) unchanged so the same tests run under both web and
node runtimes.
📥 Commits

Reviewing files that changed from the base of the PR and between 0e22783 and d742bd8.

📒 Files selected for processing (2)
  • src/utils/internal/path.ts
  • test/unit/path.test.ts

Comment thread test/unit/path.test.ts Outdated
try {
return decodeURI(pathname.includes("%25") ? pathname.replace(/%25/g, "%2525") : pathname);
} catch {
return pathname;
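
Review bot: the `catch` branch returns `pathname` still percent-encoded while the `try` branch returns a decoded string, so a caller cannot tell which form it received and later route or prefix comparisons may run against an undecoded path. The bare `catch` also swallows every exception, not only the `URIError` that `decodeURI` raises for malformed sequences. Consider catching `URIError` specifically and either signalling the failure to the caller so the request can be rejected, or documenting that the fallback value is undecoded.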

Member

Wouldn't this impose a security risk surface with inconsistent path handling? I suggest making silent fallback behavior opt-in with an h3 global config like strictPaths: false and pass to decode util if really necessary.
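
The trade-off raised in this comment, as an added JavaScript example that is not code from the PR, from h3, or from the reviewer: the fallback decoder shown above beside a strict-by-default variant. `strictPaths` is the option name proposed in the comment, not an existing h3 setting; the function names, result shape and sample paths are constructed for illustration.

```javascript
// Added example, not h3 source. `strictPaths` is the name proposed in the
// review comment (hypothetical, not an existing h3 option).

// Shared step from the PR: keep a literal "%25" intact across decodeURI().
const protect = (p) => (p.includes("%25") ? p.replace(/%25/g, "%2525") : p);

// Fallback behaviour under review: malformed input comes back undecoded.
function decodeLenient(pathname) {
  try {
    return decodeURI(protect(pathname));
  } catch {
    return pathname;
  }
}

// Strict by default: malformed input is reported so the caller can answer 400.
function decodePathname(pathname, { strictPaths = true } = {}) {
  try {
    return { ok: true, decoded: true, value: decodeURI(protect(pathname)) };
  } catch (err) {
    if (!(err instanceof URIError)) throw err; // only decoding errors are expected
    if (strictPaths) return { ok: false, decoded: false, status: 400 };
    return { ok: true, decoded: false, value: pathname }; // explicit opt-in fallback
  }
}

// Constructed sample paths: valid, literal %25, and two malformed encodings.
const SAMPLES = ["/docs/my%20file", "/a%25b", "/docs/my%20file%", "/x/%E0%A4%A"];

// Run both decoders over the samples. `stillEncoded` marks a lenient result
// that still carries "%20", i.e. a path handed on in undecoded form.
function compare(paths = SAMPLES) {
  return paths.map((raw) => {
    const lenient = decodeLenient(raw);
    const strict = decodePathname(raw);
    return { raw, lenient, stillEncoded: lenient.includes("%20"), strictOk: strict.ok };
  });
}

console.table(compare());
```

With the lenient decoder, the same `%20` is decoded in one request and left encoded in another depending on an unrelated trailing byte; the strict variant makes that case an explicit rejection, and the opt-in fallback marks its result with `decoded: false`.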

@birkskyum

Author

closed by TanStack/router#7140

birkskyum closed this Apr 11, 2026

Development

Successfully merging this pull request may close these issues.

decodePathname throws URIError on malformed percent-encoded pathname

2 participants