
fix: update rules for image-proxy #1748

Open
alexdln wants to merge 16 commits into npmx-dev:main from alexdln:fix/image-proxy-logic

Conversation

@alexdln
Member

@alexdln alexdln commented Feb 28, 2026

🔗 Linked issue

Resolves #1743

🧭 Context

Badges and images were not displayed in a large number of packages.

📚 Description

Passing queries to this API route wasn't allowed - added a setting to nuxt.config

Many popular badges weren't added to the list - added them.

SVG proxying was prohibited, but since we don't embed it in the DOM anywhere - allowed its use


@codecov

codecov bot commented Feb 28, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.


@alexdln alexdln changed the title chore: check signature validation fix: update rules for image-proxy Feb 28, 2026
@alexdln alexdln marked this pull request as ready for review February 28, 2026 15:11
@coderabbitai
Contributor

coderabbitai bot commented Feb 28, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 92c00b9 and 79a104c.

📒 Files selected for processing (1)
  • server/utils/image-proxy.ts
🚧 Files skipped from review as they are similar to previous changes (1)
  • server/utils/image-proxy.ts

📝 Walkthrough

Adds an ISR route rule for /api/registry/image-proxy (expiration 3600s, passQuery: true, allowQuery: ['url','sig']), relaxes the proxy's content-type check to allow SVGs (rejects only non-image content-types), and expands the trusted image domains list to include additional GitHub hosts, CDNs and badge services.

Suggested reviewers

  • danielroe
  • ghostdevv
🚥 Pre-merge checks: 3 passed
  • Description check: ✅ Passed. The pull request description accurately describes the three main changes: enabling query parameters via Nuxt config, adding popular badge providers to trusted domains, and allowing SVG proxying.
  • Linked Issues check: ✅ Passed. The changes address the primary objectives: trusted image domains are expanded to include badge providers mentioned in issue #1743 (badgesize.io, deepwiki.com, etc.), SVG handling is relaxed, and query parameter passing is enabled.
  • Out of Scope Changes check: ✅ Passed. All changes directly support the linked issue objectives. The Nuxt config modification, image domain additions, and SVG permission changes are all within scope and address the badge/image rendering problems described.

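The three checks the walkthrough above describes, as an added TypeScript illustration rather than the project's own code from server/utils/image-proxy.ts: an exact-match host allowlist, an HMAC check on the sig query parameter, and the relaxed content-type filter that admits image/svg+xml. The host list, the secret, and the CSP header attached to SVG responses are assumptions made for this example.

```typescript
import { createHmac, timingSafeEqual } from 'node:crypto'
import { Buffer } from 'node:buffer'

// Constructed allowlist for this example; the real list lives in the project's server/utils/image-proxy.ts.
const TRUSTED_HOSTS = new Set(['img.shields.io', 'raw.githubusercontent.com', 'badgesize.io'])
// Hypothetical secret; a deployment would read it from runtime config, never from source.
const SIGNING_SECRET = 'example-only-secret'

function parseUrl(raw: string): URL | null {
  try { return new URL(raw) } catch { return null }
}

// Exact hostname match over https only: a suffix test would let img.shields.io.attacker.example through.
function isTrustedUrl(raw: string): boolean {
  const u = parseUrl(raw)
  return u !== null && u.protocol === 'https:' && TRUSTED_HOSTS.has(u.hostname)
}

// HMAC over the full url value; the sig query parameter carries the hex digest.
function signUrl(url: string): string {
  return createHmac('sha256', SIGNING_SECRET).update(url).digest('hex')
}

// Constant-time comparison; a malformed or wrong-length sig fails before the compare.
function verifySig(url: string, sig: string): boolean {
  const expected = Buffer.from(signUrl(url), 'hex')
  const given = Buffer.from(sig, 'hex')
  return given.length === expected.length && timingSafeEqual(given, expected)
}

// The relaxed rule from the PR: any image/* type passes, including image/svg+xml; anything else is rejected.
function isAllowedContentType(ct: string | null): boolean {
  if (!ct) return false
  const semi = ct.indexOf(';')
  const mime = (semi === -1 ? ct : ct.slice(0, semi)).trim().toLowerCase()
  return mime.startsWith('image/')
}

// Response headers for the relayed body. An SVG embedded via <img> cannot run script, but the
// proxied URL can also be opened directly, so the SVG case gets a CSP that forbids script.
function responseHeadersFor(mime: string): Record<string, string> {
  const headers: Record<string, string> = { 'Content-Type': mime, 'X-Content-Type-Options': 'nosniff' }
  if (mime === 'image/svg+xml') {
    headers['Content-Security-Policy'] = "default-src 'none'; style-src 'unsafe-inline'"
  }
  return headers
}
```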

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1


ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8199c1f and 92c00b9.

📒 Files selected for processing (3)
  • nuxt.config.ts
  • server/api/registry/image-proxy/index.get.ts
  • server/utils/image-proxy.ts

@alex-key
Contributor

Great job, thank you, @alexdln! What about the scarf tracking pixel? I guess that many OSS projects are using this service?

https://about.scarf.sh/

@alex-key
Contributor

I mean I am not sure that it would work through the proxy if we do not whitelist it.

@alexdln
Member Author

alexdln commented Feb 28, 2026

npmjs disables them as well, so I don't think we need to worry about that 🤔

@alex-key
Contributor

Okay. I do not have the experience to evaluate whether it's ethically correct to block other OSS projects' analytics.
Maybe @patak-cat has expertise in this.

@alexdln
Member Author

alexdln commented Feb 28, 2026

By opening direct requests, we're not only opening for a counter, but also directly transmitting the IP address and other info. If they're really only interested in the number, they'll get it. If they're interested in detailed user information, I don't think it's more ethical to let them do that.


Development

Successfully merging this pull request may close these issues.

Policy on shields and other trusted images in README
