fix: arrows are allowed as the label value parameter

[btea]

🔗 Linked issue

🧭 Context

The value parameter can be passed as an arrow string, just like in the test cases.

📚 Description

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
npmx.dev	Ready	Preview, Comment	Jun 4, 2026 2:48pm

2 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
docs.npmx.dev	Ignored	Preview	Jun 4, 2026 2:48pm
npmx-lunaria	Ignored		Jun 4, 2026 2:48pm

[codecov]

❌ 1 Tests Failed:

Tests completed	Failed	Passed	Skipped
2753	1	2752	5

View the top 1 failed test(s) by shortest run time

badge.spec.ts::badge API › custom value parameter supports semver range operators

Stack Traces | 0.382s run time

expect(received).toContain(expected) // indexOf

To view more test analytics, go to the Test Analytics Dashboard
_{📋 Got 3 mins? Take this short survey to help us improve Test Analytics.}

[gameroman]

I think this is intended

[coderabbitai]

📝 Walkthrough

Summary by CodeRabbit

Release Notes

• Bug Fixes

  • Badge API now correctly accepts semver range operators (e.g., >=22.13.0) in custom values.
  • Improved input validation to permit comparison operators whilst rejecting problematic characters.

• Tests

  • Added end-to-end test coverage for badge API with semver range operators.

Walkthrough

The PR updates the badge endpoint's input validation to permit semver range operators (< and >) in the custom value parameter. The schema change rejects quotes and ampersands but now allows comparison operators. A new e2e test verifies the engines/nuxt endpoint correctly accepts and returns a custom value containing semver range syntax (e.g. >=22.13.0).

Changes

Badge schema and e2e validation

Layer / File(s)	Summary
Badge schema and e2e validation server/api/registry/badge/[type]/[...pkg].get.ts, test/e2e/badge.spec.ts	SafeStringSchema regex updated to allow semver range operator characters (< and >) in the badge value query parameter. New e2e test verifies the badge endpoint accepts and returns custom values containing semver range operators such as >=22.13.0.

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: allowing arrow characters in the label value parameter by updating the validation regex.
Description check	✅ Passed	The description relates to the changeset by explaining that the value parameter should accept arrow strings, though it lacks detail about the validation regex update.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

Review ran into problems

🔥 Problems

Git: Failed to clone repository. Please run the @coderabbitai full review command to re-trigger a full review. If the issue persists, set path_filters to include or exclude specific files.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

server/api/registry/badge/[type]/[...pkg].get.ts (1)

17-17: ⚡ Quick win

Consider blocking single quotes for consistency.

The regex /^[^"&]*$/ blocks double quotes but permits single quotes. If the goal is to prevent injection attacks, single quotes should also be rejected since they can be used similarly to double quotes in many contexts.

🛡️ Proposed fix to block both quote types

-const SafeStringSchema = v.pipe(v.string(), v.regex(/^[^"&]*$/, 'Invalid characters'))
+const SafeStringSchema = v.pipe(v.string(), v.regex(/^[^"'&]*$/, 'Invalid characters'))

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@server/api/registry/badge/`[type]/[...pkg].get.ts at line 17, The current
input validation uses the regex `/^[^"&]*$/` which blocks double quotes but
allows single quotes; update the validation to reject both single and double
quotes by replacing that pattern with one that excludes both quote characters
(e.g., a pattern that disallows ' and "), and apply this change where the regex
`/^[^"&]*$/` is used in server/api/registry/badge/[type]/[...pkg].get.ts so
inputs cannot contain either quote type.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@server/api/registry/badge/`[type]/[...pkg].get.ts:
- Around line 16-17: SafeStringSchema currently allows < and > (and allows
single quotes) which can enable XSS/SVG injection when the validated value is
embedded into the badge SVG/HTML; update the validation and/or output encoding:
tighten SafeStringSchema to reject characters that can break XML/HTML contexts
(for example ensure it disallows <, >, &, " and '), or replace the regex with a
conservative whitelist (alphanumeric, dash, underscore, space, max length) and
then always XML-escape/HTML-encode the value before inserting into the SVG
template in the handler that renders the badge (refer to SafeStringSchema and
the badge rendering path that consumes its value). Ensure the sanitizer and the
final output encoding are both in place rather than relying on one or the other.

---

Nitpick comments:
In `@server/api/registry/badge/`[type]/[...pkg].get.ts:
- Line 17: The current input validation uses the regex `/^[^"&]*$/` which blocks
double quotes but allows single quotes; update the validation to reject both
single and double quotes by replacing that pattern with one that excludes both
quote characters (e.g., a pattern that disallows ' and "), and apply this change
where the regex `/^[^"&]*$/` is used in
server/api/registry/badge/[type]/[...pkg].get.ts so inputs cannot contain either
quote type.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 82d27521-bafa-4c59-83ac-fc1b9bf3dd5c

📥 Commits

Reviewing files that changed from the base of the PR and between 01c5100 and 78fc607.

📒 Files selected for processing (2)

• server/api/registry/badge/[type]/[...pkg].get.ts
• test/e2e/badge.spec.ts

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

❓ Verification inconclusive

🏁 Script executed:

#!/bin/bash
# Description: Check how the value parameter from SafeStringSchema is used downstream

# Find where SafeStringSchema validation is applied and trace the value usage
rg -n -A 10 "SafeStringSchema" --type=ts

# Look for SVG rendering or badge generation that uses the value parameter
rg -n -B 3 -A 5 "value.*badge|badge.*value" --type=ts -g 'server/api/registry/badge/**'

# Check for any escaping functions or sanitization
rg -n "escape|sanitize|encode" --type=ts -g 'server/api/registry/badge/**'

Repository: npmx-dev/npmx.dev

Length of output: 1912

---

Review SafeStringSchema badge value sanitisation for XSS/SVG injection
The updated regex in server/api/registry/badge/[type]/[...pkg].get.ts permits < and > while only rejecting " and &. If the validated value is embedded into the badge’s SVG/HTML without strict escaping/encoding, this can enable XSS. Also the pattern is inconsistent in that it blocks double quotes but not single quotes—either block ' too or document why it’s safe.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@server/api/registry/badge/`[type]/[...pkg].get.ts around lines 16 - 17,
SafeStringSchema currently allows < and > (and allows single quotes) which can
enable XSS/SVG injection when the validated value is embedded into the badge
SVG/HTML; update the validation and/or output encoding: tighten SafeStringSchema
to reject characters that can break XML/HTML contexts (for example ensure it
disallows <, >, &, " and '), or replace the regex with a conservative whitelist
(alphanumeric, dash, underscore, space, max length) and then always
XML-escape/HTML-encode the value before inserting into the SVG template in the
handler that renders the badge (refer to SafeStringSchema and the badge
rendering path that consumes its value). Ensure the sanitizer and the final
output encoding are both in place rather than relying on one or the other.

[alexdln]

Maybe you can replace it to unicode or html-entities? (I'm not sure it will work, but it's worth a try)

[btea]

This seems like a good idea; let's keep the status quo.