fix: use consistent package parsing on social/likes #1180

Merged
danielroe merged 2 commits into npmx-dev:main from BoxenOfDonuts:fix/consistent-package-parsing
Feb 7, 2026

@BoxenOfDonuts
Contributor

Resolves #1119

@vercel

vercel bot commented Feb 7, 2026

The latest updates on your projects.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| docs.npmx.dev | Error | | Feb 7, 2026 11:11pm |
| npmx.dev | Ready | Preview, Comment | Feb 7, 2026 11:11pm |

1 Skipped Deployment

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| npmx-lunaria | Ignored | | Feb 7, 2026 11:11pm |

@codecov

codecov bot commented Feb 7, 2026

Codecov Report

❌ Patch coverage is 0% with 1 line in your changes missing coverage. Please review.
✅ All tests successful. No failed tests found.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| app/composables/usePackageComparison.ts | 0.00% | 1 Missing ⚠️ |


@coderabbitai
Contributor

coderabbitai bot commented Feb 7, 2026

📝 Walkthrough


The changes implement consistent package parsing across social/likes endpoints. On the client side, the social likes request now encodes the package name before transmission. On the server side, the endpoint was restructured to parse the router parameter into segments, validate the decoded package name against a schema using valibot, and handle validation failures with a 502 error response. The overall fetch structure and data assembly remain unchanged, with the modifications focused on input validation and encoding consistency.

Suggested reviewers

  • danielroe

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description check | ✅ Passed | The pull request description references issue #1119 and the summary confirms it addresses inconsistent package parsing between endpoints. |
| Linked Issues check | ✅ Passed | The changes implement consistent package parsing using encodePackageName and schema-based validation with valibot, directly addressing the requirement in issue #1119 to align parsing logic between endpoints. |
| Out of Scope Changes check | ✅ Passed | All changes are scoped to the social/likes endpoint, implementing consistent package parsing as specified in issue #1119 with no unrelated modifications. |

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

Comment on lines +20 to +31
try {
const { packageName } = v.parse(PackageRouteParamsSchema, {
packageName: decodeURIComponent(rawPackageName),
})

const likesUtil = new PackageLikesUtils()
return await likesUtil.getLikes(packageName, oAuthSession?.did.toString())
} catch (error: unknown) {
handleApiError(error, {
statusCode: 502,
message: 'Failed to get likes',
})

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

Scripts executed (repository: npmx-dev/npmx.dev):

  • cat -n server/api/social/likes/[...pkg].get.ts | head -50 (length of output: 1211)
  • rg -n "decodeURIComponent\(" server/api -C 2 (length of output: 886)
  • rg -n "createError\|handleApiError" server/api -l | head -10 (length of output: 43)
  • rg -n "import.*createError\|import.*handleApiError" server/api (length of output: 43)
  • cat -n server/api/registry/vulnerabilities/[...pkg].get.ts | head -40 (length of output: 1826)
  • rg -n "createError" server/ -t ts -t tsx | head -5 (length of output: 88)
  • rg -n "createError\|handleApiError" server/api/social/likes/[...pkg].get.ts (length of output: 43)
  • rg -n "export.*handleApiError\|function handleApiError" server/ (length of output: 43)
  • fd "utils" server/ -type d (length of output: 231)
  • fd "utils" server/ -type d | head -20 (length of output: 231)
  • rg -n "handleApiError" server/ | head -10 (length of output: 909)
  • rg -n "function handleApiError|const handleApiError" . | head -5 (length of output: 174)
  • cat -n server/utils/error-handler.ts (length of output: 1414)
  • rg -n "createError" server/ | head -15 (length of output: 1532)
  • rg -n "URIError" server/ (length of output: 43)
  • rg -n "import.*createError" server/api/social/likes/[...pkg].get.ts (length of output: 43)

Catch URIError from malformed percent-encoding to return 400 instead of 502.

decodeURIComponent throws URIError when given invalid percent-encoding. The current implementation funnels this to handleApiError's generic fallback, which returns 502, misclassifying a client error as a server error. Wrap the call to catch URIError separately and return a 400 status.

This pattern repeats across multiple endpoints (e.g. server/api/registry/vulnerabilities/[...pkg].get.ts), so consider applying the fix consistently.

Suggested approach

Extract decodeURIComponent outside the v.parse call to isolate the error:

  try {
+    const decodedPackageName = decodeURIComponent(rawPackageName)
    const { packageName } = v.parse(PackageRouteParamsSchema, {
-      packageName: decodeURIComponent(rawPackageName),
+      packageName: decodedPackageName,
    })

    const likesUtil = new PackageLikesUtils()
    return await likesUtil.getLikes(packageName, oAuthSession?.did.toString())
  } catch (error: unknown) {
+    if (error instanceof URIError) {
+      throw createError({
+        status: 400,
+        message: 'invalid package name encoding',
+      })
+    }
     handleApiError(error, {
       statusCode: 502,
       message: 'Failed to get likes',
     })
   }
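
Review bot: the `error instanceof URIError` branch sits in the catch for the whole try body, so hoisting `decodedPackageName` onto its own line does not isolate the decode: a URIError raised inside `v.parse` or `likesUtil.getLikes` would also be answered with 400 'invalid package name encoding'. Give `decodeURIComponent(rawPackageName)` its own try/catch ahead of this block, throw the 400 from there, and leave this catch to `handleApiError` alone. The new branch also passes `status: 400` while the `handleApiError` call right below it uses `statusCode: 502`; using one key in both places would keep the handler consistent.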

@danielroe danielroe enabled auto-merge February 7, 2026 23:11
@danielroe danielroe added this pull request to the merge queue Feb 7, 2026
Merged via the queue into npmx-dev:main with commit 50ed1cd Feb 7, 2026
16 of 17 checks passed
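
An added example, not code from the npmx repository: one way to guard only the decode step that the review comment above discusses, so that malformed percent-encoding in the route parameter is the only source of the encoding 400, in a form that could be shared by every `[...pkg]` endpoint. `parsePackageParam`, `likesReply`, `NAME_PATTERN` (a simplified stand-in for `PackageRouteParamsSchema`), the 400 for a rejected name and the synchronous `getLikes` stub are assumptions of this example.

```typescript
// Added example, not npmx code. All names here are hypothetical.
type Parsed =
  | { kind: 'ok'; packageName: string }
  | { kind: 'rejected'; statusCode: number; message: string }
type HttpReply = { statusCode: number; body: string }

// Simplified stand-in for PackageRouteParamsSchema (assumption):
// optional @scope/ prefix, then a lowercase URL-safe name.
const NAME_PATTERN = /^(?:@[a-z0-9][a-z0-9._~-]*\/)?[a-z0-9][a-z0-9._~-]*$/

function parsePackageParam(raw: string): Parsed {
  let decoded: string
  try {
    // Only the decode is guarded, so a URIError raised anywhere else in the
    // handler can never be reported as a client encoding problem.
    decoded = decodeURIComponent(raw)
  } catch (error: unknown) {
    if (error instanceof URIError) {
      return { kind: 'rejected', statusCode: 400, message: 'invalid package name encoding' }
    }
    throw error
  }
  // Validate the decoded value, never the raw one: "%2F" has become "/" here.
  if (!NAME_PATTERN.test(decoded)) {
    return { kind: 'rejected', statusCode: 400, message: 'invalid package name' }
  }
  return { kind: 'ok', packageName: decoded }
}

// Synchronous for brevity; getLikes stands in for the upstream lookup.
function likesReply(raw: string, getLikes: (name: string) => number): HttpReply {
  const parsed = parsePackageParam(raw)
  if (parsed.kind === 'rejected') {
    return { statusCode: parsed.statusCode, body: parsed.message }
  }
  try {
    return { statusCode: 200, body: String(getLikes(parsed.packageName)) }
  } catch {
    // Anything failing after parsing is an upstream fault, even a URIError.
    return { statusCode: 502, body: 'Failed to get likes' }
  }
}

// Constructed sample route parameters.
const SAMPLES = ['%40nuxt%2Fkit', 'vue', '%E0%A4%A', '%', '..%2F..%2Fetc']
const statuses = SAMPLES.map(raw => likesReply(raw, () => 3).statusCode)
console.log(statuses)
```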
@github-actions

github-actions bot commented Feb 7, 2026

Thanks for your first contribution, @BoxenOfDonuts! 💪

We'd love to welcome you to the npmx community. Come and say hi on Discord! And once you've joined, visit npmx.wamellow.com to claim the contributor role.


Development

Successfully merging this pull request may close these issues.

Keep consistent package parsing on social/likes

2 participants