Harden ATA package name filtering

[jakebailey]

This URI-based validation is what npm does internally, but we should be stricter about what we allow down to npm as we use child_process with the shell enabled to avoid reimplementing which. Instead, just only allow [\w.-]+.

This prevents the odd scenario where someone manages to query ATA on via a broken specifier. The old URI-based validation allowing something through would maximally cause the ATA request to fail and the feature to not work, nothing further.

[Copilot]

Pull request overview

Tightens the typings installer’s package-name validation to a strict allowlist before constructing npm install command strings (shell-enabled), and updates diagnostics + baselines accordingly.

Changes:

• Replace URI-encoding-based package name validation with an explicit ^[\w.-]+$ allowlist (plus existing leading ./_ checks and scoped-name splitting).
• Introduce NameContainsInvalidCharacters (with an enum alias to preserve the old NameContainsNonURISafeCharacters name) and update the rendered failure message.
• Update unit tests and tsserver baseline logs to match the new validation result/message.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
src/jsTyping/jsTyping.ts	Implements the new allowlist validation, adds/aliases enum member, updates rendered error text.
src/testRunner/unittests/tsserver/typingsInstaller.ts	Updates/extends validation tests to expect the new enum result.
tests/baselines/reference/tsserver/typingsInstaller/should-not-initialize-invaalid-package-names.js	Baseline update for new error message text.
tests/baselines/reference/tsserver/typingsInstaller/should-handle-node-core-modules.js	Baseline update for new error message text.
tests/baselines/reference/tsserver/typingsInstaller/malformed-packagejson.js	Baseline update for new error message text.