Fix percent-encoding gaps in npm_and_yarn and bun MetadataFinders

[Copilot]

PR #14638 removed the deprecated URI::DEFAULT_PARSER.escape from npm_and_yarn MetadataFinder's dependency_url, but left normalize_registry_url (called via configured_registry_from_credentials) without any space-encoding. Credentials with raw spaces in their registry URL — a supported, tested scenario — would produce invalid HTTP requests on the credentials path. The bun MetadataFinder also had the identical unencoded maintainer_changes bug that #14638 fixed for npm_and_yarn.

Changes

npm_and_yarn/lib/dependabot/npm_and_yarn/metadata_finder.rb

• normalize_registry_url now strips whitespace and encodes spaces as %20, matching RegistryFinder#prepare_registry_url:

  def normalize_registry_url(registry)
    return nil unless registry
    registry = registry.strip.gsub(/\s+/, "%20")
    return registry if registry.start_with?("http")
    "https://#{registry}"
  end

bun/lib/dependabot/bun/metadata_finder.rb

• Added require "cgi", CHARS_REQUIRING_ENCODING constant, and encode_npm_releaser private helper (identical to the npm_and_yarn fix)
• Updated maintainer_changes to use encode_npm_releaser for the URL portion; display text intentionally left unencoded
• Same normalize_registry_url space-encoding fix applied for consistency (forward-compatible with eventual URI::DEFAULT_PARSER.escape removal)

Tests & fixtures

• npm_and_yarn spec: new dependency_url test for a replaces-base credential with spaces in the registry URL
• bun spec: new maintainer_changes test asserting %20-encoded link when releaser name contains spaces
• bun/spec/fixtures/npm_responses/npm-package-json-lint.json copied from npm_and_yarn to back the new bun fixture test

Checklist

• I have run the complete test suite to ensure all tests and linters pass.
• I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
• I have written clear and descriptive commit messages.
• I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
• I have ensured that the code is well-documented and easy to understand.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• api.launchpad.net
  • Triggering command: /usr/bin/add-apt-repository add-apt-repository -y ppa:git-core/ppa grep rity.crt -q la/emSign_Root_CA_-_G1.crt e u3_amd64.deb (dns block)
• ports.ubuntu.com
  • Triggering command: /usr/lib/apt/methods/http /usr/lib/apt/methods/http (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

Context

PR #14638 (chp/brokendownlinks-npm-yarn) correctly removes the deprecated URI::DEFAULT_PARSER.escape call from MetadataFinder#dependency_url and replaces the npm releaser encoding with a proper RFC 3986-compliant helper. However, during review we identified a regression gap:

Problem

The configured_registry_from_credentials method in npm_and_yarn/lib/dependabot/npm_and_yarn/metadata_finder.rb calls normalize_registry_url, which does not percent-encode spaces or other unsafe characters. Previously, URI::DEFAULT_PARSER.escape in dependency_url served as a safety net for this path.

The RegistryFinder class handles this correctly via prepare_registry_url which does url&.strip&.gsub(/\s+/, "%20"), but MetadataFinder has its own configured_registry_from_credentials that bypasses RegistryFinder entirely. This path is hit when new_source is nil (dependencies resolved from the default registry) and a replaces-base credential is configured.

Existing specs in registry_finder_spec.rb prove that credentials with spaces are a supported scenario:

context "with no rc and with credentials containing spaces" do
  let(:credentials) do
    [Dependabot::Credential.new(
      {
        "type" => "npm_registry",
        "registry" => "http://example.com/registry  with spaces",
        "replaces-base" => true
      }
    )]
  end
  it { is_expected.to eq("http://example.com/registry%20with%20spaces") }
end

Additionally, the bun ecosystem's metadata_finder.rb has the same unencoded maintainer_changes bug that PR #14638 fixes for npm_and_yarn, but was not addressed.

Required Changes

1. Fix normalize_registry_url in npm_and_yarn/lib/dependabot/npm_and_yarn/metadata_finder.rb

Update normalize_registry_url to also strip and encode spaces, matching the behavior of RegistryFinder#prepare_registry_url:

def normalize_registry_url(registry)
  return nil unless registry
  registry = registry.strip.gsub(/\s+/, "%20")
  return registry if registry.start_with?("http")
  "https://#{registry}"
end

2. Add a test case in npm_and_yarn/spec/dependabot/npm_and_yarn/metadata_finder_spec.rb

Add a test for the source_url (or dependency_url) path that exercises configured_registry_from_credentials with a credential containing spaces, verifying that the URL is properly encoded.

3. Apply the same encode_npm_releaser fix to bun/lib/dependabot/bun/metadata_finder.rb

The bun metadata finder at bun/lib/dependabot/bun/metadata_finder.rb has the identical bug in maintainer_changes (lines 30-38):

def maintainer_changes
  return unless npm_releaser
  return unless npm_listing.dig("time", dependency.version)
  return if previous_releasers&.include?(npm_releaser)

  "This version was pushed to npm by " \
    "[#{npm_releaser}](https://www.npmjs.com/~#{npm_releaser}), a new " \
    "releaser for #{dependency.name} since your current version."
end

Apply the same pattern used in the npm_and_yarn fix:

• Add require "cgi" at the top
• Add the CHARS_REQUIRING_ENCODING constant
• Add the encode_npm_releaser private helper method
• Update maintainer_changes to use encode_npm_releaser for the URL portion

4. Fix normalize_registry_url in bun/lib/dependabot/bun/metadata_finder.rb too

The bun metadata finder has the same normalize_registry_url that doesn't encode spaces. Apply the same fix as in npm_and_yarn.

5. Add test coverage for bun in bun/spec/dependabot/bun/metadata_finder_spec.rb

Add similar test cases for the bun ecosystem:

• Test that maintainer_changes properly encodes releaser names with spaces
• Test encode_npm_releaser private helper

6. Add the same npm response fixture for bun tests

Copy or reference the npm-package-json-lint.json fixture so bun tests can verify the maintainer encoding behavior.

Important Notes

• This PR should be based on the chp/brokendownlinks-npm-yarn branch (PR percent-encode npm releaser names in Maintainer changes section #14638's head branch)
• The bun metadata finder is largely a copy of the npm_and_yarn one, so the changes should mirror what PR percent-encode npm releaser names in Maintainer changes section #14638 already did
• Do NOT remove URI::DEFAULT_PARSER.escape from bun/lib/dependabot/bun/metadata_finder.rb's dependency_url — that should be a separate consideration. Only add the releaser encoding and the normalize_registry_url space-encoding fix.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: Can you review the changes?

Assistant:

I'll load the PR review abilities and then gather the necessary context to review this pull request.

Assistant: Now let me check if CI is all green:

Assistant: Here's my review of PR #14638:

---

PR Summary

percent-encode npm releaser names in Maintainer changes section by @v-HaripriyaC

Fixes	#14595...

This pull request was created from Copilot chat.