refactor: address Copilot review feedback

zkochan · zkochan · commit 0cba981cd42a · 2026-04-29T02:14:12.000+02:00
* Relax named-registry parser to accept unscoped names (work:lodash@^4) and
  fall back to any (scoped or unscoped) outer alias for &lt;prefix&gt;:&lt;range&gt;.
  Drops the validateScopedPackageName helper; scoped-name validation stays
  inline for the @-prefixed branch.
* Optimize replaceVersionInBareSpecifier hot path: check 'npm:' first then
  for-loop over namedRegistryPrefixes, avoiding a per-call array allocation.
* Guard replaceEnvInStringValues against arrays so a YAML list under
  registries:/namedRegistries: surfaces as a config error instead of being
  silently coerced to {0: ..., 1: ...}.
diff --git a/config/reader/src/getOptionsFromRootManifest.ts b/config/reader/src/getOptionsFromRootManifest.ts
@@ -66,7 +66,7 @@ function replaceEnvInSettings (settings: PnpmSettings): PnpmSettings {
 }
 
 function replaceEnvInStringValues (value: unknown): unknown {
-  if (value == null || typeof value !== 'object') return value
+  if (value == null || typeof value !== 'object' || Array.isArray(value)) return value
   const out: Record<string, unknown> = {}
   for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
     out[k] = typeof v === 'string' ? envReplace(v, process.env) : v
diff --git a/installing/deps-resolver/src/replaceVersionInBareSpecifier.ts b/installing/deps-resolver/src/replaceVersionInBareSpecifier.ts
@@ -8,7 +8,17 @@ export function replaceVersionInBareSpecifier (
   if (semver.validRange(bareSpecifier)) {
     return version
   }
-  const prefix = ['npm:', ...namedRegistryPrefixes].find((p) => bareSpecifier.startsWith(p))
+  let prefix: string | undefined
+  if (bareSpecifier.startsWith('npm:')) {
+    prefix = 'npm:'
+  } else {
+    for (const candidate of namedRegistryPrefixes) {
+      if (bareSpecifier.startsWith(candidate)) {
+        prefix = candidate
+        break
+      }
+    }
+  }
   if (prefix == null) {
     return bareSpecifier
   }
diff --git a/resolving/npm-resolver/src/parseBareSpecifier.ts b/resolving/npm-resolver/src/parseBareSpecifier.ts
@@ -95,9 +95,9 @@ export interface NamedRegistryPackageSpec extends RegistryPackageSpec {
 // Parses a named-registry specifier of the shape `<alias>:<body>` into a
 // RegistryPackageSpec. Returns `null` when the specifier does not use one of
 // the configured aliases, so the caller can fall through to other resolvers.
-// Supported shapes (mirrors the `gh:` prefix, which is the canonical example):
-// - `<alias>:@<owner>/<name>[@<version_selector>]`
-// - `<alias>:<version_selector>` when paired with a scoped package alias
+// Supported shapes:
+// - `<alias>:[@<owner>/]<name>[@<version_selector>]`
+// - `<alias>:<version_selector>` paired with a package alias
 export function parseNamedRegistrySpecifierToRegistryPackageSpec (
   rawSpecifier: string,
   knownAliases: ReadonlySet<string>,
@@ -113,27 +113,45 @@ export function parseNamedRegistrySpecifierToRegistryPackageSpec (
   let pkgName: string
   let versionSelector: string | undefined
 
-  if (body[0] === '@') {
-    // syntax: <alias>:@<owner>/<name>[@<version_selector>]
+  if (semver.validRange(body) != null) {
+    // `<alias>:<version_selector>` — fall back to the dependency alias as
+    // the package name. Unresolvable without one.
+    if (!packageAlias) return null
+    pkgName = packageAlias
+    versionSelector = body
+  } else if (body[0] === '@') {
+    // `<alias>:@<owner>/<name>[@<version_selector>]` — scoped package.
     const index = body.lastIndexOf('@')
     if (index === 0) {
       pkgName = body
     } else {
       pkgName = body.substring(0, index)
       versionSelector = body.substring(index + '@'.length)
     }
+    if (pkgName.indexOf('/') === -1 || pkgName.endsWith('/')) {
+      throw new PnpmError(
+        'INVALID_NAMED_REGISTRY_PACKAGE_NAME',
+        `The package name '${pkgName}' in named registry '${registryName}:' is invalid`
+      )
+    }
   } else if (packageAlias?.startsWith('@')) {
-    // syntax: <alias>:<version_selector> paired with a scoped package alias
+    // `<alias>:<tag>` paired with a scoped alias — body is a version
+    // selector (tag/dist-tag). Mirrors GitHub Packages, where the package
+    // is always scoped and a bare body is a tag.
     pkgName = packageAlias
     versionSelector = body
   } else {
-    // No scoped alias means we cannot know the package name — let other
-    // resolvers try.
-    return null
+    // `<alias>:<name>[@<version_selector>]` — unscoped package in body.
+    const index = body.lastIndexOf('@')
+    if (index < 1) {
+      pkgName = body
+    } else {
+      pkgName = body.substring(0, index)
+      versionSelector = body.substring(index + '@'.length)
+    }
+    if (!pkgName) return null
   }
 
-  validateScopedPackageName(pkgName, registryName)
-
   const selector = getVersionSelectorType(versionSelector ?? defaultTag)
   if (selector == null) return null
 
@@ -144,19 +162,3 @@ export function parseNamedRegistrySpecifierToRegistryPackageSpec (
     registryName,
   }
 }
-
-function validateScopedPackageName (pkgName: string, registryName: string): void {
-  if (pkgName[0] !== '@') {
-    throw new PnpmError(
-      'MISSING_NAMED_REGISTRY_PACKAGE_SCOPE',
-      `Package '${pkgName}' from named registry '${registryName}:' must have a scope (e.g. '@owner/name')`
-    )
-  }
-  const sepIndex = pkgName.indexOf('/')
-  if (sepIndex === -1 || sepIndex === pkgName.length - 1) {
-    throw new PnpmError(
-      'INVALID_NAMED_REGISTRY_PACKAGE_NAME',
-      `The package name '${pkgName}' in named registry '${registryName}:' is invalid`
-    )
-  }
-}
diff --git a/resolving/npm-resolver/test/parseBareSpecifier.test.ts b/resolving/npm-resolver/test/parseBareSpecifier.test.ts
@@ -115,15 +115,38 @@ describe('parseNamedRegistrySpecifierToRegistryPackageSpec', () => {
     }))
   })
 
-  test('does not claim <alias>:<version_selector> when no scoped alias is provided', () => {
+  test('does not claim <alias>:<version_selector> when no package alias is provided', () => {
     // No alias means we cannot know the package name — we must not hijack such specifiers.
     expect(parseNamedRegistrySpecifierToRegistryPackageSpec('gh:^1.0.0', GH_ALIASES, undefined, DEFAULT_TAG)).toBeNull()
   })
 
-  test('does not claim <alias>:<version_selector> when the alias is not scoped', () => {
-    // GitHub Packages names are always scoped. If the alias isn't, the bare specifier is
-    // probably meant for another resolver.
-    expect(parseNamedRegistrySpecifierToRegistryPackageSpec('gh:^1.0.0', GH_ALIASES, 'foo', DEFAULT_TAG)).toBeNull()
+  test('falls back to the dependency alias for <alias>:<version_selector>, scoped or not', () => {
+    // Mirrors the `npm:^1.0.0` shape — works with both scoped and unscoped aliases.
+    expect(parseNamedRegistrySpecifierToRegistryPackageSpec('gh:^1.0.0', GH_ALIASES, '@acme/foo', DEFAULT_TAG)).toMatchObject({
+      name: '@acme/foo',
+      registryName: 'gh',
+    })
+    expect(parseNamedRegistrySpecifierToRegistryPackageSpec('work:^4.0.0', new Set(['work']), 'lodash', DEFAULT_TAG)).toMatchObject({
+      name: 'lodash',
+      registryName: 'work',
+    })
+  })
+
+  test('parses unscoped <alias>:<name>[@<version_selector>]', () => {
+    // Arbitrary named registries (vlt-style) accept unscoped names too,
+    // not just GitHub Packages-style scopes.
+    expect(parseNamedRegistrySpecifierToRegistryPackageSpec('work:lodash@^4.0.0', new Set(['work']), undefined, DEFAULT_TAG)).toMatchObject({
+      name: 'lodash',
+      fetchSpec: '>=4.0.0 <5.0.0-0',
+      type: 'range',
+      registryName: 'work',
+    })
+    expect(parseNamedRegistrySpecifierToRegistryPackageSpec('work:lodash', new Set(['work']), undefined, DEFAULT_TAG)).toMatchObject({
+      name: 'lodash',
+      fetchSpec: 'latest',
+      type: 'tag',
+      registryName: 'work',
+    })
   })
 
   test('matches any alias in the configured set and reports it back to the caller', () => {
diff --git a/resolving/npm-resolver/test/resolveNamedRegistry.test.ts b/resolving/npm-resolver/test/resolveNamedRegistry.test.ts
@@ -244,15 +244,15 @@ test('resolveFromNamedRegistry() does not claim the github: git shortcut scheme'
   await expect(resolveFromNamedRegistry({ bareSpecifier: 'github:@acme/foo' }, {})).resolves.toBeNull()
 })
 
-test('resolveFromNamedRegistry() returns null when the alias is not scoped (unambiguous inputs are left for other resolvers)', async () => {
+test('resolveFromNamedRegistry() returns null when no alias is provided for a bare version selector', async () => {
   const { resolveFromNamedRegistry } = createNpmResolver(fetch, () => undefined, {
     storeDir: temporaryDirectory(),
     cacheDir: temporaryDirectory(),
     registries,
   })
 
-  // Without a scoped package alias, `gh:<version>` cannot be resolved to a GitHub Packages name.
-  await expect(resolveFromNamedRegistry({ alias: 'private', bareSpecifier: 'gh:2.0.0' }, {})).resolves.toBeNull()
+  // Without any package alias, `gh:<version>` cannot map to a package name.
+  await expect(resolveFromNamedRegistry({ bareSpecifier: 'gh:2.0.0' }, {})).resolves.toBeNull()
 })
 
 test('resolveFromNamedRegistry() throws when the specifier names an invalid scoped package', async () => {

Original file line number	Diff line number	Diff line change
`@@ -66,7 +66,7 @@ function replaceEnvInSettings (settings: PnpmSettings): PnpmSettings {`
`66`	`66`	`}`
`67`	`67`
`68`	`68`	`function replaceEnvInStringValues (value: unknown): unknown {`
`69`		`- if (value == null \|\| typeof value !== 'object') return value`
	`69`	`+ if (value == null \|\| typeof value !== 'object' \|\| Array.isArray(value)) return value`
`70`	`70`	`const out: Record<string, unknown> = {}`
`71`	`71`	`for (const [k, v] of Object.entries(value as Record<string, unknown>)) {`
`72`	`72`	`out[k] = typeof v === 'string' ? envReplace(v, process.env) : v`