From 11bd3a2b91487bd061373c2eeacacee5ce7ec008 Mon Sep 17 00:00:00 2001
From: Reinier Criel
Date: Wed, 3 Dec 2025 09:54:25 -0800
Subject: [PATCH] Some more improvements

---
 .../src/registryProxy/interceptors/pipInterceptor.js | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/packages/safe-chain/src/registryProxy/interceptors/pipInterceptor.js b/packages/safe-chain/src/registryProxy/interceptors/pipInterceptor.js
index d61fd51..8976bf5 100644
--- a/packages/safe-chain/src/registryProxy/interceptors/pipInterceptor.js
+++ b/packages/safe-chain/src/registryProxy/interceptors/pipInterceptor.js
@@ -8,6 +8,9 @@ const knownPipRegistries = [
   "pythonhosted.org",
 ];
 
+// Pattern for sdist extensions
+const sdistExtWithMetadataRe = /\.(tar\.gz|zip|tar\.bz2|tar\.xz)(\.metadata)?$/i;
+
 /**
  * @param {string} url
  * @returns {import("./interceptorBuilder.js").Interceptor | undefined}
@@ -33,7 +36,8 @@ function buildPipInterceptor(registry) {
     registry
   );
 
-  // Normalize underscores to hyphens for DB matching, as PyPI allows underscores in distribution names
+  // Normalize underscores to hyphens for DB matching, as PyPI allows underscores in distribution names.
+  // Per python, packages that differ only by hyphen vs underscore are considered the same.
   const hyphenName = packageName?.includes("_") ? packageName.replace(/_/g, "-") : packageName;
   const isMalicious = await isMalwarePackage(packageName, version)
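Review bot: The comment on the new `sdistExtWithMetadataRe` constant understates what the pattern does: the optional `(\.metadata)?` group also matches the `.metadata` sidecar files an index serves next to an sdist, which is why the name says "WithMetadata" and why the caller strips the whole suffix before splitting name and version. Suggested comment: `// Matches sdist archives (.tar.gz/.zip/.tar.bz2/.tar.xz) and their optional ".metadata" sidecar; anchored with $ so only a trailing suffix is stripped.` It is also worth stating that the regex deliberately carries no /g flag, so the later `.match()`/`.replace()` calls stay stateless and nobody "fixes" it by adding one.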
@@ -102,9 +106,9 @@ function parsePipPackageFromUrl(url, registry) {
   }
 
   // Source dist (sdist) and potential metadata sidecars (e.g., .tar.gz.metadata)
-  const sdistExtMatch = filename.match(/\.(tar\.gz|zip|tar\.bz2|tar\.xz)(\.metadata)?$/i);
+  const sdistExtMatch = filename.match(sdistExtWithMetadataRe);
   if (sdistExtMatch) {
-    const base = filename.replace(/\.(tar\.gz|zip|tar\.bz2|tar\.xz)(\.metadata)?$/i, "");
+    const base = filename.replace(sdistExtWithMetadataRe, "");
     const lastDash = base.lastIndexOf("-");
     if (lastDash > 0 && lastDash < base.length - 1) {
       packageName = base.slice(0, lastDash);
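Review bot: `base` is computed by running the same regex a second time through `filename.replace(sdistExtWithMetadataRe, "")`, although `sdistExtMatch.index` already holds the position of the matched suffix; `const base = filename.slice(0, sdistExtMatch.index);` drops the second pass and cannot diverge from the earlier match. The `lastIndexOf("-")` split that follows assumes the version segment contains no hyphen, which holds for normalized PEP 440 versions but is presumably not guaranteed for filenames served by an arbitrary index — a short comment stating that assumption next to `lastDash` would help the next reader. parsePipPackageFromUrl starts and ends outside this hunk.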