
fix(github): allow @ in release tag validation #233

Merged. jdx merged 2 commits into jdx:main from risu729:fix/valid-release-tag-at-sign, Jun 12, 2026

@risu729 risu729 commented Jun 12, 2026

Contributor

Problem

Registry-backed aqua tools such as biome use npm-style GitHub release tags defined in the aqua registry via version_prefix, e.g. @biomejs/biome@2.4.16. These tags are valid on GitHub and are what mise's aqua backend requests when installing a version.

Since jdx/mise#10341, mise routes GitHub release metadata for registry tools through mise-versions first. For biome this produces a spurious warning on every install:

mise WARN  mise-versions endpoint=github_release repo=biomejs/biome tag=@biomejs/biome@2.4.16 outcome=failed status=400 fallback=true error="HTTP status client error (400 Bad Request): Invalid GitHub release path"

The install still succeeds because mise falls back to the GitHub API directly, but the versions-host cache is never used and users see noisy warnings.

Root cause: validReleaseTag in web/src/lib/github/mirror.ts only allowed [A-Za-z0-9_.\/:+-]. The @ character is not in that set, so the API handler rejects the request with 400 before attempting to mirror the release.

The same issue affects other aqua packages with npm-style prefixes, including @moonrepo/cli@… and @yarnpkg/cli/….

Fix

Allow @ in validReleaseTag. Add unit tests covering biome-style tags and existing common tag formats.

Test plan

  • aube run test:js (includes new scripts/github-mirror-validation.test.js)

Made with Cursor

Summary by CodeRabbit

  • Bug Fixes

    • Release tag validation now supports @ character for scoped package names.
  • Tests

    • Added comprehensive test suite for release tag validation, covering npm-style scoped packages, common GitHub release formats, and malformed input handling.

npm-style aqua packages such as biome use GitHub release tags like
@biomejs/biome@2.4.16. validReleaseTag rejected @ and returned 400 before
the mirror could fetch from GitHub.

coderabbitai Bot commented Jun 12, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 75a4ff8e-8f1d-465f-83dd-81355c394a2f

📥 Commits

Reviewing files that changed from the base of the PR and between c460281 and aa8fcdb.

📒 Files selected for processing (2)
  • scripts/github-mirror-validation.test.js
  • web/src/lib/github/mirror.ts

📝 Walkthrough

Expand GitHub release tag validation to support @ characters, enabling npm scoped package formats. The regex constraint in validReleaseTag is relaxed to permit @, and a new test suite validates the function across npm-scoped tags, standard GitHub release formats, and malformed inputs.

Changes

Release tag validation with @ support

| Layer / File(s) | Summary |
| --- | --- |
| Validation regex update (web/src/lib/github/mirror.ts) | validReleaseTag regex is updated to allow @ character, enabling npm-style scoped package names in release tags. |
| Test suite for validReleaseTag (scripts/github-mirror-validation.test.js) | New Node test file spawns a child process to validate validReleaseTag accepts npm-scoped and GitHub release formats while rejecting empty, unsafe, and malformed inputs. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

A rabbit hops through tags so bright,
With @ symbols gleaming in the night,
Scoped packages now dance and play,
While tests confirm each valid way. 🐰✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title directly corresponds to the main change: allowing @ in GitHub release tag validation for npm-style scoped packages. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint install timed out. The project may have too many dependencies for the sandbox.


@risu729 risu729 marked this pull request as ready for review June 12, 2026 15:26
Copilot AI review requested due to automatic review settings June 12, 2026 15:26

greptile-apps Bot commented Jun 12, 2026


Greptile Summary

This PR fixes a 400 Bad Request error returned by the mise-versions GitHub release mirror when the release tag contains @, which is used by npm-style scoped aqua packages such as @biomejs/biome@2.4.16. The root cause was that validReleaseTag rejected the @ character, so the API handler rejected the request before any mirroring could occur.

  • mirror.ts: Adds @ to the validReleaseTag allowlist regex ([A-Za-z0-9_.\/:@+-]+), enabling scoped npm-style tags to pass validation.
  • github-mirror-validation.test.js: New test file with three test cases covering npm-style aqua tags, standard GitHub tags (v1.0.0, latest, release/2026), and rejection of empty/unsafe inputs.

Confidence Score: 5/5

Safe to merge — the change is a one-character regex addition with no effect on existing validated tags.

The diff is minimal: one character added to an allowlist regex and a new test file. The @ character carries no special meaning in URL path segments, so there is no path-traversal or injection risk introduced. All previously accepted tags still pass; the only new behaviour is accepting tags that begin with or contain @. Tests confirm the happy path and rejection of unsafe inputs.

No files require special attention.

Important Files Changed

| Filename | Overview |
| --- | --- |
| web/src/lib/github/mirror.ts | One-character regex change: adds @ to the validReleaseTag allowlist to support npm-style scoped release tags like @biomejs/biome@2.4.16. |
| scripts/github-mirror-validation.test.js | New test file covering validReleaseTag for npm-style aqua tags, common GitHub tag formats, and rejection of empty/unsafe values. |

Reviews (2): Last reviewed commit: "test(github): read validation script fro..." | Re-trigger Greptile
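
Added example, not part of the pull request or of any comment above: the two character classes quoted in this thread run side by side over constructed tags, next to a stricter validator that adds the structural checks a character class cannot express. The `^...$` anchoring, the 255-character cap, the names `strictReleaseTag`, `upstreamPath` and `classify`, and the upstream path shape are assumptions; whether the project's validReleaseTag applies further checks is not shown on this page.

```javascript
// Added example, not the project's code. Character classes are the ones
// quoted on this page; the ^...$ anchoring is an assumption.
const OLD_TAG = /^[A-Za-z0-9_.\/:+-]+$/;  // before the PR: no "@"
const NEW_TAG = /^[A-Za-z0-9_.\/:@+-]+$/; // after the PR: "@" allowed

// Hypothetical stricter validator: charset allowlist plus segment checks.
// A character class limits WHICH characters appear, not HOW they combine.
function strictReleaseTag(tag) {
  if (typeof tag !== "string" || tag.length === 0 || tag.length > 255) {
    return false; // length cap is an assumed limit, not from the page
  }
  if (!NEW_TAG.test(tag)) return false;
  // Reject empty, "." and ".." segments (also covers leading/trailing "/").
  return tag
    .split("/")
    .every((seg) => seg !== "" && seg !== "." && seg !== "..");
}

// Hypothetical helper: send the validated tag upstream as ONE encoded path
// segment so "/" and "@" inside the tag cannot reshape the request path.
function upstreamPath(owner, repo, tag) {
  if (!strictReleaseTag(tag)) throw new Error("invalid release tag");
  return `/repos/${owner}/${repo}/releases/tags/${encodeURIComponent(tag)}`;
}

// Constructed sample inputs: tags from this thread plus malformed ones.
const SAMPLES = [
  "@biomejs/biome@2.4.16", "v1.0.0", "release/2026",
  "../../etc", "a//b", "tag?x=1", "",
];

// Report how each validator treats each tag.
function classify(tags) {
  return tags.map((tag) => ({
    tag,
    before: OLD_TAG.test(tag),
    after: NEW_TAG.test(tag),
    strict: strictReleaseTag(tag),
  }));
}

console.table(classify(SAMPLES));
```

Only the first sample changes between `before` and `after`, which matches the scope of the fix; the `strict` column differs from `after` only for the dot-segment and empty-segment inputs.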

Copilot AI left a comment


Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Updates GitHub mirror validation to accept npm-style scoped release tags (e.g., @scope/pkg@version) and adds tests to prevent regressions.

Changes:

  • Allow @ in validReleaseTag validation regex.
  • Add a Node-based test suite that validates accepted and rejected release tag patterns.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| web/src/lib/github/mirror.ts | Expands release-tag validation to support @-prefixed npm-style tags. |
| scripts/github-mirror-validation.test.js | Adds automated tests covering valid/invalid release tag inputs (including scoped npm tags). |

Comment thread web/src/lib/github/mirror.ts
Comment thread scripts/github-mirror-validation.test.js
Pass `-` to the node subprocess so stdin execution is unambiguous.
@jdx jdx merged commit 8d3210d into jdx:main Jun 12, 2026
5 checks passed
@risu729 risu729 deleted the fix/valid-release-tag-at-sign branch June 13, 2026 17:42