feat: allow "npm:name@version" dependency redirections in manifest

Author: legobeat

package.json

@@ -32,6 +32,7 @@
     "execa": "^8.0.1",
     "pony-cause": "^2.1.9",
     "semver": "^7.5.4",
+    "validate-npm-package-name": "^5.0.0",
     "which": "^3.0.0",
     "yaml": "^2.2.2",
     "yargs": "^17.7.1"

src/package-manifest.test.ts

@@ -67,6 +67,7 @@ describe('package-manifest', () => {
             b: '^2.0.0',
             c: '~4.3.0',
             d: 'workspace:^',
+            e: 'npm:a@^2.0.0',
           },
         };
         const validated = {
@@ -79,6 +80,7 @@ describe('package-manifest', () => {
             b: '^2.0.0',
             c: '~4.3.0',
             d: 'workspace:^',
+            e: 'npm:a@^2.0.0',
           },
           peerDependencies: {},
         };

src/package-manifest.ts

@@ -4,6 +4,7 @@ import {
   ManifestDependencyFieldNames as PackageManifestDependenciesFieldNames,
 } from '@metamask/action-utils';
 import { isPlainObject } from '@metamask/utils';
+const validateNPMPackageName = require('validate-npm-package-name');
 import { readJsonObjectFile } from './fs.js';
 import { isTruthyString } from './misc-utils.js';
 import { semver, SemVer } from './semver.js';
@@ -144,8 +145,10 @@ function isValidPackageManifestVersionField(
 
 /**
  * Type guard to ensure that the provided version value is a valid dependency version
- * specifier for a package manifest. This function validates both semantic versioning
- * ranges and the special 'workspace:^' notation.
+ * specifier for a package manifest. This function validates:
+ * - semantic versioning ranges
+ * - 'workspace:^' notation
+ * - 'npm:{packageName}:{semverRange}' redirections
  *
  * @param version - The value to check.
  * @returns `true` if the version is a valid string that either
@@ -155,9 +158,23 @@ function isValidPackageManifestVersionField(
 function isValidPackageManifestDependencyValue(
   version: unknown,
 ): version is string {
-  return (
-    isValidPackageManifestVersionField(version) || version === 'workspace:^'
-  );
+  if (typeof version !== 'string') {
+    return false;
+  }
+  if (isValidPackageManifestVersionField(version) || version === 'workspace:^') {
+    return true;
+  }
+  const redirectedDependencyRegexp = /^npm:(.*)@(.*?)$/u;
+  try {
+    const redirectedDependencyMatch = redirectedDependencyRegexp.exec(version);
+    if (!redirectedDependencyMatch || redirectedDependencyMatch.length < 3) {
+      return false;
+    }
+    const [redirectedName, redirectedVersion] = redirectedDependencyMatch;
+    return validateNPMPackageName(redirectedName) && isValidPackageManifestVersionField(redirectedVersion);
+  } catch (e) {
+    return false;
+  }
 }
 
 /**

yarn.lock

@@ -2117,6 +2117,7 @@ __metadata:
     stdio-mock: ^1.2.0
     tsx: ^4.6.1
     typescript: ~5.1.6
+    validate-npm-package-name: ^5.0.0
     which: ^3.0.0
     yaml: ^2.2.2
     yargs: ^17.7.1