@aikidosec/safe-chain 1.4.3 → 1.4.7

package/src/main.js

@@ -64,7 +64,11 @@ export async function main(args) {
     // Write all buffered logs
     ui.writeBufferedLogsAndStopBuffering();
 
-    if (!proxy.verifyNoMaliciousPackages()) {
+    if (proxy.hasBlockedMaliciousPackages()) {
+      return 1;
+    }
+
+    if (proxy.hasBlockedMinimumAgeRequests()) {
       return 1;
     }
 
@@ -81,7 +85,7 @@ export async function main(args) {
       ui.writeInformation(
         `${chalk.yellow(
           "ℹ",
-        )} Safe-chain: Some package versions were suppressed due to minimum age requirement.`,
+        )} Safe-chain: Some package versions were suppressed during package metadata resolution due to minimum package age.`,
       );
       ui.writeInformation(
         `  To disable this check, use: ${chalk.cyan(

package/src/packagemanager/_shared/commandErrors.js

@@ -0,0 +1,17 @@
+import { ui } from "../../environment/userInteraction.js";
+
+/**
+ * Centralized logging for package-manager command launch failures.
+ *
+ * @param {any} error - Error thrown by safeSpawn while preparing/running the command.
+ * @param {string} command - Command name that failed to execute.
+ * @returns {{status: number}}
+ */
+export function reportCommandExecutionFailure(error, command) {
+  const message = typeof error?.message === "string" ? error.message : "Unknown error";
+  ui.writeError(`Error executing command: ${message}`);
+
+  ui.writeError(`Is '${command}' installed and available on your system?`);
+
+  return { status: typeof error?.status === "number" ? error.status : 1 };
+}

package/src/packagemanager/bun/createBunPackageManager.js

@@ -1,6 +1,6 @@
-import { ui } from "../../environment/userInteraction.js";
 import { safeSpawn } from "../../utils/safeSpawn.js";
 import { mergeSafeChainProxyEnvironmentVariables } from "../../registryProxy/registryProxy.js";
+import { reportCommandExecutionFailure } from "../_shared/commandErrors.js";
 
 /**
  * @returns {import("../currentPackageManager.js").PackageManager}
@@ -43,11 +43,6 @@ async function runBunCommand(command, args) {
     });
     return { status: result.status };
   } catch (/** @type any */ error) {
-    if (error.status) {
-      return { status: error.status };
-    } else {
-      ui.writeError("Error executing command:", error.message);
-      return { status: 1 };
-    }
+    return reportCommandExecutionFailure(error, command);
   }
 }

package/src/packagemanager/npm/runNpmCommand.js

@@ -1,6 +1,6 @@
-import { ui } from "../../environment/userInteraction.js";
 import { safeSpawn } from "../../utils/safeSpawn.js";
 import { mergeSafeChainProxyEnvironmentVariables } from "../../registryProxy/registryProxy.js";
+import { reportCommandExecutionFailure } from "../_shared/commandErrors.js";
 
 /**
  * @param {string[]} args
@@ -15,11 +15,6 @@ export async function runNpm(args) {
     });
     return { status: result.status };
   } catch (/** @type any */ error) {
-    if (error.status) {
-      return { status: error.status };
-    } else {
-      ui.writeError("Error executing command:", error.message);
-      return { status: 1 };
-    }
+    return reportCommandExecutionFailure(error, "npm");
   }
 }

package/src/packagemanager/npx/runNpxCommand.js

@@ -1,6 +1,6 @@
-import { ui } from "../../environment/userInteraction.js";
 import { safeSpawn } from "../../utils/safeSpawn.js";
 import { mergeSafeChainProxyEnvironmentVariables } from "../../registryProxy/registryProxy.js";
+import { reportCommandExecutionFailure } from "../_shared/commandErrors.js";
 
 /**
  * @param {string[]} args
@@ -15,11 +15,6 @@ export async function runNpx(args) {
     });
     return { status: result.status };
   } catch (/** @type any */ error) {
-    if (error.status) {
-      return { status: error.status };
-    } else {
-      ui.writeError("Error executing command:", error.message);
-      return { status: 1 };
-    }
+    return reportCommandExecutionFailure(error, "npx");
   }
 }

package/src/packagemanager/pip/runPipCommand.js

@@ -9,6 +9,7 @@ import os from "node:os";
 import path from "node:path";
 import ini from "ini";
 import { spawn } from "child_process";
+import { reportCommandExecutionFailure } from "../_shared/commandErrors.js";
 
 /**
  * Checks if this pip invocation should bypass safe-chain and spawn directly.
@@ -203,12 +204,6 @@ export async function runPip(command, args) {
 
     return { status: result.status };
   } catch (/** @type any */ error) {
-    if (error.status) {
-      return { status: error.status };
-    } else {
-      ui.writeError(`Error executing command: ${error.message}`);
-      ui.writeError(`Is '${command}' installed and available on your system?`);
-      return { status: 1 };
-    }
+    return reportCommandExecutionFailure(error, command);
   }
 }

package/src/packagemanager/pipx/runPipXCommand.js

@@ -2,6 +2,7 @@ import { ui } from "../../environment/userInteraction.js";
 import { safeSpawn } from "../../utils/safeSpawn.js";
 import { mergeSafeChainProxyEnvironmentVariables } from "../../registryProxy/registryProxy.js";
 import { getCombinedCaBundlePath } from "../../registryProxy/certBundle.js";
+import { reportCommandExecutionFailure } from "../_shared/commandErrors.js";
 
 /**
  * Sets CA bundle environment variables used by Python libraries and pipx.
@@ -54,12 +55,6 @@ export async function runPipX(command, args) {
 
     return { status: result.status };
   } catch (/** @type any */ error) {
-    if (error.status) {
-      return { status: error.status };
-    } else {
-      ui.writeError(`Error executing command: ${error.message}`);
-      ui.writeError(`Is '${command}' installed and available on your system?`);
-      return { status: 1 };
-    }
+    return reportCommandExecutionFailure(error, command);
   }
 }

package/src/packagemanager/pnpm/runPnpmCommand.js

@@ -1,6 +1,6 @@
-import { ui } from "../../environment/userInteraction.js";
 import { mergeSafeChainProxyEnvironmentVariables } from "../../registryProxy/registryProxy.js";
 import { safeSpawn } from "../../utils/safeSpawn.js";
+import { reportCommandExecutionFailure } from "../_shared/commandErrors.js";
 
 /**
  * @param {string[]} args
@@ -26,11 +26,7 @@ export async function runPnpmCommand(args, toolName = "pnpm") {
 
     return { status: result.status };
   } catch (/** @type any */ error) {
-    if (error.status) {
-      return { status: error.status };
-    } else {
-      ui.writeError("Error executing command:", error.message);
-      return { status: 1 };
-    }
+    const target = toolName === "pnpm" ? "pnpm" : "pnpx";
+    return reportCommandExecutionFailure(error, target);
   }
 }

package/src/packagemanager/poetry/createPoetryPackageManager.js

@@ -2,6 +2,7 @@ import { ui } from "../../environment/userInteraction.js";
 import { safeSpawn } from "../../utils/safeSpawn.js";
 import { mergeSafeChainProxyEnvironmentVariables } from "../../registryProxy/registryProxy.js";
 import { getCombinedCaBundlePath } from "../../registryProxy/certBundle.js";
+import { reportCommandExecutionFailure } from "../_shared/commandErrors.js";
 
 /**
  * @returns {import("../currentPackageManager.js").PackageManager}
@@ -66,12 +67,6 @@ async function runPoetryCommand(args) {
     
     return { status: result.status };
   } catch (/** @type any */ error) {
-    if (error.status) {
-      return { status: error.status };
-    } else {
-      ui.writeError("Error executing command:", error.message);
-      ui.writeError("Is 'poetry' installed and available on your system?");
-      return { status: 1 };
-    }
+    return reportCommandExecutionFailure(error, "poetry");
   }
 }

package/src/packagemanager/uv/runUvCommand.js

@@ -2,6 +2,7 @@ import { ui } from "../../environment/userInteraction.js";
 import { safeSpawn } from "../../utils/safeSpawn.js";
 import { mergeSafeChainProxyEnvironmentVariables } from "../../registryProxy/registryProxy.js";
 import { getCombinedCaBundlePath } from "../../registryProxy/certBundle.js";
+import { reportCommandExecutionFailure } from "../_shared/commandErrors.js";
 
 /**
  * Sets CA bundle environment variables used by Python libraries and uv.
@@ -60,12 +61,6 @@ export async function runUv(command, args) {
 
     return { status: result.status };
   } catch (/** @type any */ error) {
-    if (error.status) {
-      return { status: error.status };
-    } else {
-      ui.writeError(`Error executing command: ${error.message}`);
-      ui.writeError(`Is '${command}' installed and available on your system?`);
-      return { status: 1 };
-    }
+    return reportCommandExecutionFailure(error, command);
   }
 }

package/src/packagemanager/yarn/runYarnCommand.js

@@ -1,6 +1,6 @@
-import { ui } from "../../environment/userInteraction.js";
 import { safeSpawn } from "../../utils/safeSpawn.js";
 import { mergeSafeChainProxyEnvironmentVariables } from "../../registryProxy/registryProxy.js";
+import { reportCommandExecutionFailure } from "../_shared/commandErrors.js";
 
 /**
  * @param {string[]} args
@@ -18,12 +18,7 @@ export async function runYarnCommand(args) {
     });
     return { status: result.status };
   } catch (/** @type any */ error) {
-    if (error.status) {
-      return { status: error.status };
-    } else {
-      ui.writeError("Error executing command:", error.message);
-      return { status: 1 };
-    }
+    return reportCommandExecutionFailure(error, "yarn");
   }
 }
 

package/src/registryProxy/certBundle.js

@@ -8,6 +8,9 @@ import { X509Certificate } from "node:crypto";
 import { getCaCertPath } from "./certUtils.js";
 import { ui } from "../environment/userInteraction.js";
 
+/** @type {string | null} */
+let bundlePath = null;
+
 /**
  * Check if a PEM string contains only parsable cert blocks.
  * @param {string} pem - PEM-encoded certificate string
@@ -54,6 +57,11 @@ function isParsable(pem) {
  * @returns {string} Path to the combined CA bundle PEM file
  */
 export function getCombinedCaBundlePath() {
+  if (bundlePath)
+  {
+    return bundlePath;
+  }
+
   const parts = [];
 
   // 1) Safe Chain CA (for MITM'd registries)
@@ -99,9 +107,23 @@ export function getCombinedCaBundlePath() {
   }
 
   const combined = parts.filter(Boolean).join("\n");
-  const target = path.join(os.tmpdir(), `safe-chain-ca-bundle-${Date.now()}.pem`);
-  fs.writeFileSync(target, combined, { encoding: "utf8" });
-  return target;
+  bundlePath = path.join(os.tmpdir(), `safe-chain-ca-bundle-${Date.now()}.pem`);
+  fs.writeFileSync(bundlePath, combined, { encoding: "utf8" });
+  return bundlePath;
+}
+
+/**
+ * Remove the generated CA bundle file from disk.
+ */
+export function cleanupCertBundle() {
+  if (bundlePath) {
+    try {
+      fs.unlinkSync(bundlePath);
+    } catch (err) {
+      ui.writeVerbose(`Failed to cleanup the create bundle at ${bundlePath}`, err)
+    }
+    bundlePath = null;
+  }
 }
 
 /**

package/src/registryProxy/http-utils.js

@@ -15,3 +15,66 @@ export function getHeaderValueAsString(headers, headerName) {
 
   return header;
 }
+
+/**
+ * Returns a copy of headers without the provided header names, matched
+ * either exactly or case-insensitively.
+ *
+ * @param {NodeJS.Dict<string | string[]> | undefined} headers
+ * @param {string[]} headerNames
+ * @param {{ caseInsensitive?: boolean }} [options]
+ * @returns {NodeJS.Dict<string | string[]> | undefined}
+ */
+export function omitHeaders(headers, headerNames, options = {}) {
+  if (!headers) {
+    return headers;
+  }
+
+  const omittedHeaderNames = new Set(
+    options.caseInsensitive
+      ? headerNames.map((name) => name.toLowerCase())
+      : headerNames
+  );
+  /** @type {NodeJS.Dict<string | string[]>} */
+  const filteredHeaders = {};
+
+  for (const [headerName, value] of Object.entries(headers)) {
+    const comparableHeaderName = options.caseInsensitive
+      ? headerName.toLowerCase()
+      : headerName;
+    if (!omittedHeaderNames.has(comparableHeaderName)) {
+      filteredHeaders[headerName] = value;
+    }
+  }
+
+  return filteredHeaders;
+}
+
+/**
+ * Remove headers that become stale when the response body is modified.
+ *
+ * @param {NodeJS.Dict<string | string[]> | undefined} headers
+ * @returns {void}
+ */
+export function clearCachingHeaders(headers) {
+  if (!headers) {
+    return;
+  }
+
+  const filteredHeaders = omitHeaders(headers, [
+    "etag",
+    "last-modified",
+    "cache-control",
+    "content-length",
+  ]);
+
+  if (!filteredHeaders) {
+    return;
+  }
+
+  for (const key of Object.keys(headers)) {
+    delete headers[key];
+  }
+
+  Object.assign(headers, filteredHeaders);
+}

package/src/registryProxy/interceptors/createInterceptorForEcoSystem.js

@@ -4,7 +4,7 @@ import {
   getEcoSystem,
 } from "../../config/settings.js";
 import { npmInterceptorForUrl } from "./npm/npmInterceptor.js";
-import { pipInterceptorForUrl } from "./pipInterceptor.js";
+import { pipInterceptorForUrl } from "./pip/pipInterceptor.js";
 
 /**
  * @param {string} url

package/src/registryProxy/interceptors/interceptorBuilder.js

@@ -10,6 +10,7 @@ import { EventEmitter } from "events";
  * @typedef {Object} RequestInterceptionContext
  * @property {string} targetUrl
  * @property {(packageName: string | undefined, version: string | undefined) => void} blockMalware
+ * @property {(packageName: string, version: string, message: string) => void} blockMinimumAgeRequest
  * @property {(modificationFunc: (headers: NodeJS.Dict<string | string[]>) => NodeJS.Dict<string | string[]>) => void} modifyRequestHeaders
  * @property {(modificationFunc: (body: Buffer, headers: NodeJS.Dict<string | string[]> | undefined) => Buffer) => void} modifyBody
  * @property {() => RequestInterceptionHandler} build
@@ -26,6 +27,12 @@ import { EventEmitter } from "events";
  * @property {string} version
  * @property {string} targetUrl
  * @property {number} timestamp
+ *
+ * @typedef {Object} MinimumAgeRequestBlockedEvent
+ * @property {string} packageName
+ * @property {string} version
+ * @property {string} targetUrl
+ * @property {number} timestamp
  */
 
 /**
@@ -81,10 +88,7 @@ function createRequestContext(targetUrl, eventEmitter) {
    * @param {string | undefined} version
    */
   function blockMalwareSetup(packageName, version) {
-    blockResponse = {
-      statusCode: 403,
-      message: "Forbidden - blocked by safe-chain",
-    };
+    blockResponse = createBlockResponse("Forbidden - blocked by safe-chain");
 
     // Emit the malwareBlocked event
     eventEmitter.emit("malwareBlocked", {
@@ -95,6 +99,34 @@ function createRequestContext(targetUrl, eventEmitter) {
     });
   }
 
+  /**
+   * @param {string} message
+   */
+  function blockMinimumAgeRequestSetup(
+    /** @type {string} */ packageName,
+    /** @type {string} */ version,
+    /** @type {string} */ message
+  ) {
+    blockResponse = createBlockResponse(message);
+    eventEmitter.emit("minimumAgeRequestBlocked", {
+      packageName,
+      version,
+      targetUrl,
+      timestamp: Date.now(),
+    });
+  }
+
+  /**
+   * @param {string} message
+   * @returns {{statusCode: number, message: string}}
+   */
+  function createBlockResponse(message) {
+    return {
+      statusCode: 403,
+      message,
+    };
+  }
+
   /** @returns {RequestInterceptionHandler} */
   function build() {
     /**
@@ -139,6 +171,7 @@ function createRequestContext(targetUrl, eventEmitter) {
   return {
     targetUrl,
     blockMalware: blockMalwareSetup,
+    blockMinimumAgeRequest: blockMinimumAgeRequestSetup,
     modifyRequestHeaders: (func) => reqheaderModificationFuncs.push(func),
     modifyBody: (func) => modifyBodyFuncs.push(func),
     build,

package/src/registryProxy/interceptors/minimumPackageAgeExclusions.js

@@ -0,0 +1,33 @@
+import { getMinimumPackageAgeExclusions, getEcoSystem } from "../../config/settings.js";
+import { getEquivalentPackageNames } from "../../scanning/packageNameVariants.js";
+
+/**
+ * Checks if a package name matches an exclusion pattern.
+ * Supports trailing wildcard (*) for prefix matching.
+ * @param {string} packageName
+ * @param {string} pattern
+ * @returns {boolean}
+ */
+export function matchesExclusionPattern(packageName, pattern) {
+  if (pattern.endsWith("/*")) {
+    return packageName.startsWith(pattern.slice(0, -1));
+  }
+  return packageName === pattern;
+}
+
+/**
+ * @param {string | undefined} packageName
+ * @returns {boolean}
+ */
+export function isExcludedFromMinimumPackageAge(packageName) {
+  if (!packageName) {
+    return false;
+  }
+
+  const exclusions = getMinimumPackageAgeExclusions();
+  const candidateNames = getEquivalentPackageNames(packageName, getEcoSystem());
+
+  return exclusions.some((pattern) =>
+    candidateNames.some((name) => matchesExclusionPattern(name, pattern))
+  );
+}

package/src/registryProxy/interceptors/npm/modifyNpmInfo.js

@@ -1,10 +1,7 @@
-import { getMinimumPackageAgeHours, getNpmMinimumPackageAgeExclusions } from "../../../config/settings.js";
+import { getMinimumPackageAgeHours } from "../../../config/settings.js";
 import { ui } from "../../../environment/userInteraction.js";
-import { getHeaderValueAsString } from "../../http-utils.js";
-
-const state = {
-  hasSuppressedVersions: false,
-};
+import { clearCachingHeaders, getHeaderValueAsString } from "../../http-utils.js";
+import { recordSuppressedVersion } from "../suppressedVersionsState.js";
 
 /**
  * @param {NodeJS.Dict<string | string[]>} headers
@@ -65,16 +62,6 @@ export function modifyNpmInfoResponse(body, headers) {
       return body;
     }
 
-    // Check if this package is excluded from minimum age filtering
-    const packageName = bodyJson.name;
-    const exclusions = getNpmMinimumPackageAgeExclusions();
-    if (packageName && exclusions.some((pattern) => matchesExclusionPattern(packageName, pattern))) {
-      ui.writeVerbose(
-        `Safe-chain: ${packageName} is excluded from minimum package age filtering (minimumPackageAgeExclusions setting).`
-      );
-      return body;
-    }
-
     const cutOff = new Date(
       new Date().getTime() - getMinimumPackageAgeHours() * 3600 * 1000
     );
@@ -92,15 +79,7 @@ export function modifyNpmInfoResponse(body, headers) {
       const timestampValue = new Date(timestamp);
       if (timestampValue > cutOff) {
         deleteVersionFromJson(bodyJson, version);
-        if (headers) {
-          // When modifying the response, the etag and last-modified headers
-          // no longer match the content so they needs to be removed before sending the response.
-          delete headers["etag"];
-          delete headers["last-modified"];
-          // Removing the cache-control header will prevent the package manager from caching
-          // the modified response.
-          delete headers["cache-control"];
-        }
+        clearCachingHeaders(headers);
       }
     }
 
@@ -124,7 +103,7 @@ export function modifyNpmInfoResponse(body, headers) {
  * @param {string} version
  */
 function deleteVersionFromJson(json, version) {
-  state.hasSuppressedVersions = true;
+  recordSuppressedVersion();
 
   const packageName = typeof json?.name === "string" ? json.name : "(unknown)";
 
@@ -182,22 +161,20 @@ function getMostRecentTag(tagList) {
 }
 
 /**
- * @returns {boolean}
+ * @param {Buffer} body
+ * @param {NodeJS.Dict<string | string[]> | undefined} headers
+ * @returns {string | undefined}
  */
-export function getHasSuppressedVersions() {
-  return state.hasSuppressedVersions;
-}
+export function getPackageNameFromMetadataResponse(body, headers) {
+  try {
+    const contentType = getHeaderValueAsString(headers, "content-type");
+    if (!contentType?.toLowerCase().includes("application/json")) {
+      return undefined;
+    }
 
-/**
- * Checks if a package name matches an exclusion pattern.
- * Supports trailing wildcard (*) for prefix matching.
- * @param {string} packageName
- * @param {string} pattern
- * @returns {boolean}
- */
-function matchesExclusionPattern(packageName, pattern) {
-  if (pattern.endsWith("/*")) {
-    return packageName.startsWith(pattern.slice(0, -1));
+    const bodyJson = JSON.parse(body.toString("utf8"));
+    return typeof bodyJson.name === "string" ? bodyJson.name : undefined;
+  } catch {
+    return undefined;
   }
-  return packageName === pattern;
 }

package/src/registryProxy/interceptors/npm/npmInterceptor.js

@@ -5,11 +5,16 @@ import {
 import { isMalwarePackage } from "../../../scanning/audit/index.js";
 import { interceptRequests } from "../interceptorBuilder.js";
 import {
+  getPackageNameFromMetadataResponse,
   isPackageInfoUrl,
   modifyNpmInfoRequestHeaders,
   modifyNpmInfoResponse,
 } from "./modifyNpmInfo.js";
 import { parseNpmPackageUrl } from "./parseNpmPackageUrl.js";
+import { openNewPackagesDatabase } from "../../../scanning/newPackagesListCache.js";
+import {
+  isExcludedFromMinimumPackageAge,
+} from "../minimumPackageAgeExclusions.js";
 
 const knownJsRegistries = [
   "registry.npmjs.org",
@@ -43,14 +48,54 @@ function buildNpmInterceptor(registry) {
       reqContext.targetUrl,
       registry
     );
+    const minimumAgeChecksEnabled = !skipMinimumPackageAge();
 
     if (await isMalwarePackage(packageName, version)) {
       reqContext.blockMalware(packageName, version);
+      return;
     }
 
-    if (!skipMinimumPackageAge() && isPackageInfoUrl(reqContext.targetUrl)) {
+    if (minimumAgeChecksEnabled && isPackageInfoUrl(reqContext.targetUrl)) {
       reqContext.modifyRequestHeaders(modifyNpmInfoRequestHeaders);
-      reqContext.modifyBody(modifyNpmInfoResponse);
+      reqContext.modifyBody(modifyNpmInfoResponseUnlessExcluded);
+      return;
+    }
+
+    // For tarball requests the metadata check above is skipped, so we check the
+    // new packages list as a fallback (covers e.g. frozen-lockfile installs).
+    if (
+      minimumAgeChecksEnabled &&
+      packageName &&
+      version &&
+      !isExcludedFromMinimumPackageAge(packageName)
+    ) {
+      const newPackagesDatabase = await openNewPackagesDatabase();
+
+      if (newPackagesDatabase.isNewlyReleasedPackage(packageName, version)) {
+        reqContext.blockMinimumAgeRequest(
+          packageName,
+          version,
+          `Forbidden - blocked by safe-chain direct download minimum package age (${packageName}@${version})`
+        );
+      }
     }
   });
 }
+
+/**
+ * @param {Buffer} body
+ * @param {NodeJS.Dict<string | string[]> | undefined} headers
+ * @returns {Buffer}
+ */
+function modifyNpmInfoResponseUnlessExcluded(body, headers) {
+  const metadataPackageName = getPackageNameFromMetadataResponse(body, headers);
+
+  if (
+    metadataPackageName &&
+    isExcludedFromMinimumPackageAge(metadataPackageName)
+  ) {
+    return body;
+  }
+
+  return modifyNpmInfoResponse(body, headers);
+}

package/src/registryProxy/interceptors/npm/parseNpmPackageUrl.js

@@ -5,12 +5,29 @@
  */
 export function parseNpmPackageUrl(url, registry) {
   let packageName, version;
-  if (!registry || !url.endsWith(".tgz")) {
+  let parsedUrl;
+
+  try {
+    parsedUrl = new URL(url);
+  } catch {
+    return { packageName, version };
+  }
+
+  const pathname = parsedUrl.pathname;
+
+  if (!registry || !pathname.endsWith(".tgz")) {
+    return { packageName, version };
+  }
+
+  const registryPrefix = `${registry}/`;
+  const urlAfterProtocol = `${parsedUrl.host}${pathname}`;
+  if (!urlAfterProtocol.startsWith(registryPrefix)) {
     return { packageName, version };
   }
 
-  const registryIndex = url.indexOf(registry);
-  const afterRegistry = url.substring(registryIndex + registry.length + 1); // +1 to skip the slash
+  const afterRegistry = decodeURIComponent(
+    urlAfterProtocol.substring(registryPrefix.length)
+  );
 
   const separatorIndex = afterRegistry.indexOf("/-/");
   if (separatorIndex === -1) {