From 5143b1a4a44a88eb0148a71d3282ac021f7a88ba Mon Sep 17 00:00:00 2001
From: BoxenOfDonuts <7082618+BoxenOfDonuts@users.noreply.github.com>
Date: Sat, 7 Feb 2026 17:00:41 -0600
Subject: [PATCH] fix: use consistent package parsing on social/likes

---
 app/composables/usePackageComparison.ts |  4 +++-
 server/api/social/likes/[...pkg].get.ts | 29 +++++++++++++++++++++----
 2 files changed, 28 insertions(+), 5 deletions(-)

diff --git a/app/composables/usePackageComparison.ts b/app/composables/usePackageComparison.ts
index 95ce63e5c..aa03fbae3 100644
--- a/app/composables/usePackageComparison.ts
+++ b/app/composables/usePackageComparison.ts
@@ -142,7 +142,9 @@ export function usePackageComparison(packageNames: MaybeRefOrGetter<string[]>) {
               $fetch<VulnerabilityTreeResult>(
                 `/api/registry/vulnerabilities/${encodePackageName(name)}`,
               ).catch(() => null),
-              $fetch<PackageLikes>(`/api/social/likes/${name}`).catch(() => null),
+              $fetch<PackageLikes>(`/api/social/likes/${encodePackageName(name)}`).catch(
+                () => null,
+              ),
             ])
             const versionData = pkgData.versions[latestVersion]
             const packageSize = versionData?.dist?.unpackedSize
diff --git a/server/api/social/likes/[...pkg].get.ts b/server/api/social/likes/[...pkg].get.ts
index b0da21675..654d5c612 100644
--- a/server/api/social/likes/[...pkg].get.ts
+++ b/server/api/social/likes/[...pkg].get.ts
@@ -1,12 +1,33 @@
+import * as v from 'valibot'
+import { PackageRouteParamsSchema } from '#shared/schemas/package'
+
+/**
+ * GET /api/social/likes/:name
+ *
+ * Gets the likes for a npm package on npmx
+ */
 export default eventHandlerWithOAuthSession(async (event, oAuthSession, _) => {
-  const packageName = getRouterParam(event, 'pkg')
-  if (!packageName) {
+  const pkgParamSegments = getRouterParam(event, 'pkg')?.split('/') ?? []
+  const { rawPackageName } = parsePackageParams(pkgParamSegments)
+
+  if (!rawPackageName) {
     throw createError({
       status: 400,
       message: 'package name not provided',
     })
   }
 
-  const likesUtil = new PackageLikesUtils()
-  return await likesUtil.getLikes(packageName, oAuthSession?.did.toString())
+  try {
+    const { packageName } = v.parse(PackageRouteParamsSchema, {
+      packageName: decodeURIComponent(rawPackageName),
+    })
+
+    const likesUtil = new PackageLikesUtils()
+    return await likesUtil.getLikes(packageName, oAuthSession?.did.toString())
+  } catch (error: unknown) {
+    handleApiError(error, {
+      statusCode: 502,
+      message: 'Failed to get likes',
+    })
+  }
 })