Some cleanup

packages/safe-chain/src/registryProxy/interceptors/npm/modifyNpmInfo.js

@@ -1,4 +1,4 @@
-import { getMinimumPackageAgeHours, getNpmMinimumPackageAgeExclusions } from "../../../config/settings.js";
+import { getMinimumPackageAgeHours } from "../../../config/settings.js";
 import { ui } from "../../../environment/userInteraction.js";
 import { getHeaderValueAsString } from "../../http-utils.js";
 
@@ -65,16 +65,6 @@ export function modifyNpmInfoResponse(body, headers) {
       return body;
     }
 
-    // Check if this package is excluded from minimum age filtering
-    const packageName = bodyJson.name;
-    const exclusions = getNpmMinimumPackageAgeExclusions();
-    if (packageName && exclusions.some((pattern) => matchesExclusionPattern(packageName, pattern))) {
-      ui.writeVerbose(
-        `Safe-chain: ${packageName} is excluded from minimum package age filtering (minimumPackageAgeExclusions setting).`
-      );
-      return body;
-    }
-
     const cutOff = new Date(
       new Date().getTime() - getMinimumPackageAgeHours() * 3600 * 1000
     );

packages/safe-chain/src/registryProxy/interceptors/npm/npmInterceptor.js

@@ -46,27 +46,43 @@ function buildNpmInterceptor(registry) {
       reqContext.targetUrl,
       registry
     );
+    const minimumAgeChecksEnabled = !skipMinimumPackageAge();
+    const packageIsExcludedFromMinimumAgeChecks =
+      packageName && isExcludedFromMinimumPackageAge(packageName);
 
     if (await isMalwarePackage(packageName, version)) {
       reqContext.blockMalware(packageName, version);
       return;
     }
 
-    if (!skipMinimumPackageAge() && isPackageInfoUrl(reqContext.targetUrl)) {
+    if (minimumAgeChecksEnabled && isPackageInfoUrl(reqContext.targetUrl)) {
       reqContext.modifyRequestHeaders(modifyNpmInfoRequestHeaders);
-      reqContext.modifyBody(modifyNpmInfoResponse);
+      reqContext.modifyBody((body, headers) => {
+        const metadataPackageName = getPackageNameFromMetadataResponse(
+          body,
+          headers
+        );
+
+        if (
+          metadataPackageName &&
+          isExcludedFromMinimumPackageAge(metadataPackageName)
+        ) {
+          return body;
+        }
+
+        return modifyNpmInfoResponse(body, headers);
+      });
       return;
     }
 
     // For tarball requests the metadata check above is skipped, so we check the
     // new packages list as a fallback (covers e.g. frozen-lockfile installs).
-    if (!skipMinimumPackageAge() && packageName && version) {
+    if (
-      const exclusions = getNpmMinimumPackageAgeExclusions();
+      minimumAgeChecksEnabled &&
-      const isExcluded = exclusions.some((pattern) =>
+      packageName &&
-        matchesExclusionPattern(packageName, pattern)
+      version &&
-      );
+      !packageIsExcludedFromMinimumAgeChecks
-
+    ) {
-      if (!isExcluded) {
       const newPackagesDatabase = await openNewPackagesDatabase();
 
       if (newPackagesDatabase.isNewlyReleasedPackage(packageName, version)) {
@@ -77,6 +93,39 @@ function buildNpmInterceptor(registry) {
         );
       }
     }
-    }
   });
 }
+
+/**
+ * @param {string} packageName
+ * @returns {boolean}
+ */
+function isExcludedFromMinimumPackageAge(packageName) {
+  const exclusions = getNpmMinimumPackageAgeExclusions();
+  return exclusions.some((pattern) =>
+    matchesExclusionPattern(packageName, pattern)
+  );
+}
+
+/**
+ * @param {Buffer} body
+ * @param {NodeJS.Dict<string | string[]> | undefined} headers
+ * @returns {string | undefined}
+ */
+function getPackageNameFromMetadataResponse(body, headers) {
+  try {
+    const contentType = headers?.["content-type"];
+    const normalizedContentType = Array.isArray(contentType)
+      ? contentType.join(",")
+      : contentType;
+
+    if (!normalizedContentType?.toLowerCase().includes("application/json")) {
+      return undefined;
+    }
+
+    const bodyJson = JSON.parse(body.toString("utf8"));
+    return typeof bodyJson.name === "string" ? bodyJson.name : undefined;
+  } catch {
+    return undefined;
+  }
+}