fix: validate npm registry response in getNpmPackageVersion

angeloashmore · claude · angeloashmore · commit e66035112ba6 · 2026-04-15T21:39:30.000Z
Use `request` with a Zod schema to ensure the response is OK and
contains a valid version string. Previously, a failed fetch could
write a bad state file that blocked retries for 24 hours.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/src/lib/packageJson.ts b/src/lib/packageJson.ts
@@ -5,6 +5,7 @@ import { x } from "tinyexec";
 import { z } from "zod/mini";
 
 import { exists, findUpward, readJsonFile } from "./file";
+import { request } from "./request";
 
 const PackageJsonSchema = z.object({
 	dependencies: z.optional(z.record(z.string(), z.string())),
@@ -48,8 +49,9 @@ export async function addDependencies(dependencies: Record<string, string>): Pro
 
 export async function getNpmPackageVersion(name: string, tag = "latest"): Promise<string> {
 	const url = new URL(`${name}/${tag}`, "https://registry.npmjs.org/");
-	const res = await fetch(url);
-	const { version } = await res.json();
+	const { version } = await request(url, {
+		schema: z.object({ version: z.string() }),
+	});
 	return version;
 }
 
