microsoft
diff --git a/‎CONTRIBUTING.md‎
Lines changed: 5 additions & 1 deletion b/‎CONTRIBUTING.md‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎src/jsTyping/jsTyping.ts‎
Lines changed: 6 additions & 5 deletions b/‎src/jsTyping/jsTyping.ts‎
Lines changed: 6 additions & 5 deletions
diff --git a/‎src/lib/es5.d.ts‎
Lines changed: 2 additions & 2 deletions b/‎src/lib/es5.d.ts‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎src/testRunner/unittests/tsserver/codeFix.ts‎
Lines changed: 20 additions & 0 deletions b/‎src/testRunner/unittests/tsserver/codeFix.ts‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎src/testRunner/unittests/tsserver/typingsInstaller.ts‎
Lines changed: 12 additions & 11 deletions b/‎src/testRunner/unittests/tsserver/typingsInstaller.ts‎
Lines changed: 12 additions & 11 deletions
diff --git a/‎src/typingsInstallerCore/typingsInstaller.ts‎
Lines changed: 16 additions & 0 deletions b/‎src/typingsInstallerCore/typingsInstaller.ts‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎tests/baselines/reference/completionsStringMethods.baseline‎
Lines changed: 2 additions & 2 deletions b/‎tests/baselines/reference/completionsStringMethods.baseline‎
Lines changed: 2 additions & 2 deletions
@@ -1,9 +1,13 @@
-# Note
+# Notes on Contributing
 
 <!-- CODING AGENTS: READ AGENTS.md BEFORE WRITING CODE -->
 
 🚨 **Important** 🚨: All code changes should be submitted to the https://github.com/microsoft/typescript-go repo. Development in this codebase [is winding down](https://devblogs.microsoft.com/typescript/progress-on-typescript-7-december-2025/#typescript-6.0-is-the-last-javascript-based-release) and PRs will only be merged if they fix **critical** 6.0 issues (at minimum, any bug that existed in 5.9 is not critical unless it's a security issue).
 
+## Use of AI Assistance
+
+It is acceptable to use AI tools to assist in developing PRs. However, we ask that you disclose this in the PR description. If your PR appears AI-authored and you do not include this disclosure, your PR will be closed without review. Repeated violation of this will be considered disruptive conduct, which may result in being blocked from interaction with the organization.
+
 # Instructions for Logging Issues
 
 ## 1. Read the FAQ
 
@@ -327,7 +327,8 @@ export const enum NameValidationResult {
     NameTooLong,
     NameStartsWithDot,
     NameStartsWithUnderscore,
-    NameContainsNonURISafeCharacters,
+    NameContainsInvalidCharacters,
+    NameContainsNonURISafeCharacters = NameContainsInvalidCharacters, // for backward compatibility
 }
 
 const maxPackageNameLength = 214;
@@ -381,8 +382,8 @@ function validatePackageNameWorker(packageName: string, supportScopedPackage: bo
             return NameValidationResult.Ok;
         }
     }
-    if (encodeURIComponent(packageName) !== packageName) {
-        return NameValidationResult.NameContainsNonURISafeCharacters;
+    if (!/^[\w.-]+$/.test(packageName)) {
+        return NameValidationResult.NameContainsInvalidCharacters;
     }
     return NameValidationResult.Ok;
 }
@@ -405,8 +406,8 @@ function renderPackageNameValidationFailureWorker(typing: string, result: NameVa
             return `'${typing}':: ${kind} name '${name}' cannot start with '.'`;
         case NameValidationResult.NameStartsWithUnderscore:
             return `'${typing}':: ${kind} name '${name}' cannot start with '_'`;
-        case NameValidationResult.NameContainsNonURISafeCharacters:
-            return `'${typing}':: ${kind} name '${name}' contains non URI safe characters`;
+        case NameValidationResult.NameContainsInvalidCharacters:
+            return `'${typing}':: ${kind} name '${name}' contains invalid characters`;
         case NameValidationResult.Ok:
             return Debug.fail(); // Shouldn't have called this.
         default:
 
@@ -400,8 +400,8 @@ interface String {
     charAt(pos: number): string;
 
     /**
-     * Returns the Unicode value of the character at the specified location.
-     * @param index The zero-based index of the desired character. If there is no character at the specified index, NaN is returned.
+     * Returns the Unicode value of the character at the specified location, or NaN if the index is out of bounds.
+     * @param index The zero-based index of the desired character.
      */
     charCodeAt(index: number): number;
 
 
@@ -56,4 +56,24 @@ describe("unittests:: tsserver:: codeFix::", () => {
         });
         baselineTsserverLogs("codeFix", "install package when serialized", session);
     });
+
+    it("install package rejects invalid package names", () => {
+        const { host, session } = setup();
+        // A client could craft an applyCodeActionCommand with arbitrary package names.
+        // The server must validate and reject names with invalid characters to prevent shell injection.
+        for (const packageName of ["; echo 'hello' #", "react'test", "a/b/c"]) {
+            session.executeCommandSeq<ts.server.protocol.ApplyCodeActionCommandRequest>({
+                command: ts.server.protocol.CommandTypes.ApplyCodeActionCommand,
+                arguments: {
+                    command: {
+                        type: "install package",
+                        file: "/home/src/projects/project/src/file.ts",
+                        packageName,
+                    },
+                },
+            });
+        }
+        host.runPendingInstalls();
+        baselineTsserverLogs("codeFix", "install package rejects invalid package names", session);
+    });
 });
@@ -1524,10 +1524,11 @@ describe("unittests:: tsserver:: typingsInstaller:: Validate package name:", ()
     it("package name cannot start with underscore", () => {
         assert.equal(validatePackageName("_foo"), NameValidationResult.NameStartsWithUnderscore);
     });
-    it("package non URI safe characters are not supported", () => {
-        assert.equal(validatePackageName("  scope  "), NameValidationResult.NameContainsNonURISafeCharacters);
-        assert.equal(validatePackageName("; say ‘Hello from TypeScript!’ #"), NameValidationResult.NameContainsNonURISafeCharacters);
-        assert.equal(validatePackageName("a/b/c"), NameValidationResult.NameContainsNonURISafeCharacters);
+    it("package invalid characters are not supported", () => {
+        assert.equal(validatePackageName("  scope  "), NameValidationResult.NameContainsInvalidCharacters);
+        assert.equal(validatePackageName("; say ‘Hello from TypeScript!’ #"), NameValidationResult.NameContainsInvalidCharacters);
+        assert.equal(validatePackageName("a/b/c"), NameValidationResult.NameContainsInvalidCharacters);
+        assert.equal(validatePackageName("react'test"), NameValidationResult.NameContainsInvalidCharacters);
     });
     it("scoped package name is supported", () => {
         assert.equal(validatePackageName("@scope/bar"), NameValidationResult.Ok);
@@ -1540,20 +1541,20 @@ describe("unittests:: tsserver:: typingsInstaller:: Validate package name:", ()
         assert.deepEqual(validatePackageName("@_scope/bar"), { name: "_scope", isScopeName: true, result: NameValidationResult.NameStartsWithUnderscore });
         assert.deepEqual(validatePackageName("@_scope/_bar"), { name: "_scope", isScopeName: true, result: NameValidationResult.NameStartsWithUnderscore });
     });
-    it("scope name in scoped package name with non URI safe characters are not supported", () => {
-        assert.deepEqual(validatePackageName("@  scope  /bar"), { name: "  scope  ", isScopeName: true, result: NameValidationResult.NameContainsNonURISafeCharacters });
-        assert.deepEqual(validatePackageName("@; say ‘Hello from TypeScript!’ #/bar"), { name: "; say ‘Hello from TypeScript!’ #", isScopeName: true, result: NameValidationResult.NameContainsNonURISafeCharacters });
-        assert.deepEqual(validatePackageName("@  scope  /  bar  "), { name: "  scope  ", isScopeName: true, result: NameValidationResult.NameContainsNonURISafeCharacters });
+    it("scope name in scoped package name with invalid characters are not supported", () => {
+        assert.deepEqual(validatePackageName("@  scope  /bar"), { name: "  scope  ", isScopeName: true, result: NameValidationResult.NameContainsInvalidCharacters });
+        assert.deepEqual(validatePackageName("@; say ‘Hello from TypeScript!’ #/bar"), { name: "; say ‘Hello from TypeScript!’ #", isScopeName: true, result: NameValidationResult.NameContainsInvalidCharacters });
+        assert.deepEqual(validatePackageName("@  scope  /  bar  "), { name: "  scope  ", isScopeName: true, result: NameValidationResult.NameContainsInvalidCharacters });
     });
     it("package name in scoped package name cannot start with dot", () => {
         assert.deepEqual(validatePackageName("@scope/.bar"), { name: ".bar", isScopeName: false, result: NameValidationResult.NameStartsWithDot });
     });
     it("package name in scoped package name cannot start with underscore", () => {
         assert.deepEqual(validatePackageName("@scope/_bar"), { name: "_bar", isScopeName: false, result: NameValidationResult.NameStartsWithUnderscore });
     });
-    it("package name in scoped package name with non URI safe characters are not supported", () => {
-        assert.deepEqual(validatePackageName("@scope/  bar  "), { name: "  bar  ", isScopeName: false, result: NameValidationResult.NameContainsNonURISafeCharacters });
-        assert.deepEqual(validatePackageName("@scope/; say ‘Hello from TypeScript!’ #"), { name: "; say ‘Hello from TypeScript!’ #", isScopeName: false, result: NameValidationResult.NameContainsNonURISafeCharacters });
+    it("package name in scoped package name with invalid characters are not supported", () => {
+        assert.deepEqual(validatePackageName("@scope/  bar  "), { name: "  bar  ", isScopeName: false, result: NameValidationResult.NameContainsInvalidCharacters });
+        assert.deepEqual(validatePackageName("@scope/; say ‘Hello from TypeScript!’ #"), { name: "; say ‘Hello from TypeScript!’ #", isScopeName: false, result: NameValidationResult.NameContainsInvalidCharacters });
     });
 });
 
 
@@ -239,6 +239,22 @@ export abstract class TypingsInstaller {
     /** @internal */
     installPackage(req: InstallPackageRequest): void {
         const { fileName, packageName, projectName, projectRootPath, id } = req;
+        const validationResult = JsTyping.validatePackageName(packageName);
+        if (validationResult !== JsTyping.NameValidationResult.Ok) {
+            const message = JsTyping.renderPackageNameValidationFailure(validationResult, packageName);
+            if (this.log.isEnabled()) {
+                this.log.writeLine(message);
+            }
+            const response: PackageInstalledResponse = {
+                kind: ActionPackageInstalled,
+                projectName,
+                id,
+                success: false,
+                message,
+            };
+            this.sendResponse(response);
+            return;
+        }
         const cwd = forEachAncestorDirectory(getDirectoryPath(fileName), directory => {
             if (this.installTypingHost.fileExists(combinePaths(directory, "package.json"))) {
                 return directory;
 
@@ -209,7 +209,7 @@
           ],
           "documentation": [
             {
-              "text": "Returns the Unicode value of the character at the specified location.",
+              "text": "Returns the Unicode value of the character at the specified location, or NaN if the index is out of bounds.",
               "kind": "text"
             }
           ],
@@ -226,7 +226,7 @@
                   "kind": "space"
                 },
                 {
-                  "text": "The zero-based index of the desired character. If there is no character at the specified index, NaN is returned.",
+                  "text": "The zero-based index of the desired character.",
                   "kind": "text"
                 }
               ]
Original file line number	Diff line number	Diff line change
`@@ -327,7 +327,8 @@ export const enum NameValidationResult {`
`327`	`327`	`NameTooLong,`
`328`	`328`	`NameStartsWithDot,`
`329`	`329`	`NameStartsWithUnderscore,`
`330`		`- NameContainsNonURISafeCharacters,`
	`330`	`+ NameContainsInvalidCharacters,`
	`331`	`+ NameContainsNonURISafeCharacters = NameContainsInvalidCharacters, // for backward compatibility`
`331`	`332`	`}`
`332`	`333`
`333`	`334`	`const maxPackageNameLength = 214;`
`@@ -381,8 +382,8 @@ function validatePackageNameWorker(packageName: string, supportScopedPackage: bo`
`381`	`382`	`return NameValidationResult.Ok;`
`382`	`383`	`}`
`383`	`384`	`}`
`384`		`- if (encodeURIComponent(packageName) !== packageName) {`
`385`		`- return NameValidationResult.NameContainsNonURISafeCharacters;`
	`385`	`+ if (!/^[\w.-]+$/.test(packageName)) {`
	`386`	`+ return NameValidationResult.NameContainsInvalidCharacters;`
`386`	`387`	`}`
`387`	`388`	`return NameValidationResult.Ok;`
`388`	`389`	`}`
`@@ -405,8 +406,8 @@ function renderPackageNameValidationFailureWorker(typing: string, result: NameVa`
`405`	`406`	return `'${typing}':: ${kind} name '${name}' cannot start with '.'`;
`406`	`407`	`case NameValidationResult.NameStartsWithUnderscore:`
`407`	`408`	return `'${typing}':: ${kind} name '${name}' cannot start with '_'`;
`408`		`- case NameValidationResult.NameContainsNonURISafeCharacters:`
`409`		- return `'${typing}':: ${kind} name '${name}' contains non URI safe characters`;
	`409`	`+ case NameValidationResult.NameContainsInvalidCharacters:`
	`410`	+ return `'${typing}':: ${kind} name '${name}' contains invalid characters`;
`410`	`411`	`case NameValidationResult.Ok:`
`411`	`412`	`return Debug.fail(); // Shouldn't have called this.`
`412`	`413`	`default:`
Original file line number	Diff line number	Diff line change
`@@ -209,7 +209,7 @@`
`209`	`209`	`],`
`210`	`210`	`"documentation": [`
`211`	`211`	`{`
`212`		`- "text": "Returns the Unicode value of the character at the specified location.",`
	`212`	`+ "text": "Returns the Unicode value of the character at the specified location, or NaN if the index is out of bounds.",`
`213`	`213`	`"kind": "text"`
`214`	`214`	`}`
`215`	`215`	`],`
`@@ -226,7 +226,7 @@`
`226`	`226`	`"kind": "space"`
`227`	`227`	`},`
`228`	`228`	`{`
`229`		`- "text": "The zero-based index of the desired character. If there is no character at the specified index, NaN is returned.",`
	`229`	`+ "text": "The zero-based index of the desired character.",`
`230`	`230`	`"kind": "text"`
`231`	`231`	`}`
`232`	`232`	`]`