From 984132f6ddcc40376039d553827f0907f67dab46 Mon Sep 17 00:00:00 2001
From: Zeke Gabrielse <ezekg@yahoo.com>
Date: Mon, 4 Nov 2024 11:27:39 -0600
Subject: [PATCH] update npm routing

---
 config/routes.rb | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/config/routes.rb b/config/routes.rb
index c7ae5954b5..9a2cdfa3bd 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -95,9 +95,15 @@
     # see: https://github.com/npm/registry/blob/ae49abf1bac0ec1a3f3f1fceea1cca6fe2dc00e1/docs/responses/package-metadata.md
     scope module: :npm, constraints: MimeTypeConstraint.new(:json, :npm, raise_on_no_match: true), defaults: { format: :json } do
       get ':package', to: 'package_metadata#show', as: :npm_package_metadata, constraints: {
-        package: /.*/
+        # see: https://docs.npmjs.com/cli/v9/configuring-npm/package-json#name
+        package: %r{(?:@([a-z0-9][a-z0-9-]*[a-z0-9])/)?([a-z0-9][a-z0-9._-]*[a-z0-9])}
       }
     end
+
+    # ignore these npm requests entirely for now e.g. POST /-/npm/v1/security/advisories/bulk
+    scope module: :npm do
+      match '/-/npm/*wildcard', via: :all, to: -> env { [404, {}, []] }
+    end
   end
 
   concern :v1 do