
fix: filter out security holding packages from algoria result#2026

Open
shuuji3 wants to merge 4 commits intomainfrom
shuuji3/fix/filter-out-security-holding-packages

Conversation


@shuuji3 shuuji3 commented Mar 10, 2026

🔗 Linked issue

resolves #2002

🧭 Context

Algolia search returns packages that have already been taken down by the npm registry and marked as "Security holding package".

📚 Description

{
	"results": [
		{
			"hits": [
				{
					"name": "dowload_ebok_grundkurs_kunstliche_intelligenz_by_wolfgang_ertel_r9sfy",
					"downloadsLast30Days": 0,
					"downloadsRatio": 0,
					"popular": false,
					"version": "0.0.1-security",
					"description": "security holding package",
					"repository": {
						"type": "git",
						"url": "npm/security-holder",
						"project": "security-holder",
						"user": "npm",
						"host": "github.com",
						"path": "",
						"branch": "master"
					},
					"deprecated": false,
					"isDeprecated": false,
					"homepage": null,
					"license": null,
					"keywords": [],
					"modified": 1758520468387,
					"owners": [],
					"objectID": "dowload_ebok_grundkurs_kunstliche_intelligenz_by_wolfgang_ertel_r9sfy"
				},
				{
					"name": "dowload_ebok_farouche_atalante_by_emilie_druilhe_nx2bj",
					"downloadsLast30Days": 0,
					"downloadsRatio": 0,
					"popular": false,
					"version": "0.0.1-security",
					"description": "security holding package",
					"repository": {
						"type": "git",
						"url": "npm/security-holder",
						"project": "security-holder",
						"user": "npm",
						"host": "github.com",
						"path": "",
						"branch": "master"
					},
					"deprecated": false,
					"isDeprecated": false,
					"homepage": null,
					"license": null,
					"keywords": [],
					"modified": 1725351874194,
					"owners": [],
					"objectID": "dowload_ebok_farouche_atalante_by_emilie_druilhe_nx2bj"
				},
				{
					"name": "dowload_ebok_everything_in_between_a_rocker_romance_by_melissa_toppen_fp7ge",
					"downloadsLast30Days": 0,
					"downloadsRatio": 0,
					"popular": false,
					"version": "0.0.1-security",
					"description": "security holding package",
					"repository": {
						"type": "git",
						"url": "npm/security-holder",
						"project": "security-holder",
						"user": "npm",
						"host": "github.com",
						"path": "",
						"branch": "master"
					},
					"deprecated": false,
					"isDeprecated": false,
					"homepage": null,
					"license": null,
					"keywords": [],
					"modified": 1725351869604,
					"owners": [],
					"objectID": "dowload_ebok_everything_in_between_a_rocker_romance_by_melissa_toppen_fp7ge"
				},
				{
					"name": "dowload_ebok_englens_spil_by_carlos_ruiz_zafon_iben_hasselbalch_lqvq8",
					"downloadsLast30Days": 0,
					"downloadsRatio": 0,
					"popular": false,
					"version": "0.0.1-security",
					"description": "security holding package",
					"repository": {
						"type": "git",
						"url": "npm/security-holder",
						"project": "security-holder",
						"user": "npm",
						"host": "github.com",
						"path": "",
						"branch": "master"
					},
					"deprecated": false,
					"isDeprecated": false,
					"homepage": null,
					"license": null,
					"keywords": [],
					"modified": 1745588033919,
					"owners": [],
					"objectID": "dowload_ebok_englens_spil_by_carlos_ruiz_zafon_iben_hasselbalch_lqvq8"
				},
				{
					"name": "dowload_ebok_before_dawn_vampire_fallen_book_1_by_morgan_rice_fjwc4",
					"downloadsLast30Days": 0,
					"downloadsRatio": 0,
					"popular": false,
					"version": "0.0.1-security",
					"description": "security holding package",
					"repository": {
						"type": "git",
						"url": "npm/security-holder",
						"project": "security-holder",
						"user": "npm",
						"host": "github.com",
						"path": "",
						"branch": "master"
					},
					"deprecated": false,
					"isDeprecated": false,
					"homepage": null,
					"license": null,
					"keywords": [],
					"modified": 1762128250838,
					"owners": [],
					"objectID": "dowload_ebok_before_dawn_vampire_fallen_book_1_by_morgan_rice_fjwc4"
				},
				{
					"name": "dowload_ebok_a_guerra_de_hitler_e_o_horror_do_holocausto_by_scott_s_f_meaker_k644u",
					"downloadsLast30Days": 0,
					"downloadsRatio": 0,
					"popular": false,
					"version": "0.0.1-security",
					"description": "security holding package",
					"repository": {
						"type": "git",
						"url": "npm/security-holder",
						"project": "security-holder",
						"user": "npm",
						"host": "github.com",
						"path": "",
						"branch": "master"
					},
					"deprecated": false,
					"isDeprecated": false,
					"homepage": null,
					"license": null,
					"keywords": [],
					"modified": 1762128244458,
					"owners": [],
					"objectID": "dowload_ebok_a_guerra_de_hitler_e_o_horror_do_holocausto_by_scott_s_f_meaker_k644u"
				},
				{
					"name": "dowload_ebok_a_bela_e_a_fera_by_elizabeth_rudnick_evan_spiliotopoulos_stephen_ch_9ooey",
					"downloadsLast30Days": 0,
					"downloadsRatio": 0,
					"popular": false,
					"version": "0.0.1-security",
					"description": "security holding package",
					"repository": {
						"type": "git",
						"url": "npm/security-holder",
						"project": "security-holder",
						"user": "npm",
						"host": "github.com",
						"path": "",
						"branch": "master"
					},
					"deprecated": false,
					"isDeprecated": false,
					"homepage": null,
					"license": null,
					"keywords": [],
					"modified": 1745588028183,
					"owners": [],
					"objectID": "dowload_ebok_a_bela_e_a_fera_by_elizabeth_rudnick_evan_spiliotopoulos_stephen_ch_9ooey"
				},
				{
					"name": "dowload_ebok_1917_une_passion_russe_by_max_gallo_d2xeh",
					"downloadsLast30Days": 0,
					"downloadsRatio": 0,
					"popular": false,
					"version": "0.0.1-security",
					"description": "security holding package",
					"repository": {
						"type": "git",
						"url": "npm/security-holder",
						"project": "security-holder",
						"user": "npm",
						"host": "github.com",
						"path": "",
						"branch": "master"
					},
					"deprecated": false,
					"isDeprecated": false,
					"homepage": null,
					"license": null,
					"keywords": [],
					"modified": 1758520462981,
					"owners": [],
					"objectID": "dowload_ebok_1917_une_passion_russe_by_max_gallo_d2xeh"
				}
			],
			"nbHits": 28,
			"offset": 20,
			"length": 8,
			"exhaustiveNbHits": false,
			"exhaustiveTypo": false,
			"exhaustive": {
				"nbHits": false,
				"typo": false
			},
			"query": "download_ebook",
			"params": "query=download_ebook&offset=20&length=8&analyticsTags=%5B%22npmx.dev%22%5D&attributesToRetrieve=%5B%22name%22%2C%22version%22%2C%22description%22%2C%22modified%22%2C%22homepage%22%2C%22repository%22%2C%22owners%22%2C%22downloadsLast30Days%22%2C%22downloadsRatio%22%2C%22popular%22%2C%22keywords%22%2C%22deprecated%22%2C%22isDeprecated%22%2C%22license%22%5D&attributesToHighlight=%5B%5D",
			"index": "npm-search",
			"processingTimeMS": 27,
			"processingTimingsMS": {
				"_request": {
					"roundTrip": 5
				},
				"fetch": {
					"query": 17,
					"scanning": 6,
					"total": 24
				},
				"getIdx": {
					"load": {
						"total": 1
					},
					"total": 1
				},
				"total": 27
			},
			"serverTimeMS": 28
		}
	]
}


vercel bot commented Mar 10, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
npmx.dev Ready Ready Preview, Comment Mar 13, 2026 6:21pm
2 Skipped Deployments
Project Deployment Actions Updated (UTC)
docs.npmx.dev Ignored Ignored Preview Mar 13, 2026 6:21pm
npmx-lunaria Ignored Ignored Mar 13, 2026 6:21pm



codecov bot commented Mar 10, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.

📢 Thoughts on this report? Let us know!


coderabbitai bot commented Mar 10, 2026

📝 Walkthrough

Walkthrough

A filter was added to the search page's visible results computation to exclude the exact security-holding package identified by repository URL npm/security-holder. This exclusion is applied before the platform-specific result filtering. The change updated the preceding comment to mention security holding packages and does not alter other logic or control flow.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description check ✅ Passed PR description clearly relates to filtering security holding packages from Algolia search results with context, implementation details, and examples.
Linked Issues check ✅ Passed Changes address the primary objective from #2002 by filtering packages with repository.url = 'npm/security-holder' to prevent malicious/removed packages from appearing in search results.
Out of Scope Changes check ✅ Passed All changes are scoped to the stated objective: adding the NpmSearchRepository type definition and filtering security holding packages in search results.



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 65f69d54-52bc-488d-b015-3fdff1716d6b

📥 Commits

Reviewing files that changed from the base of the PR and between 3712560 and e0d8779.

📒 Files selected for processing (1)
  • app/pages/search.vue


alexdln commented Mar 12, 2026

@shuuji3 Maybe it's better to check only repository.url !== "npm/security-holder"?


shuuji3 commented Mar 13, 2026

@alexdln Right, that's probably simpler and more robust. I thought the repository information might be missing, but I now think that's unlikely in this case.


@coderabbitai coderabbitai bot left a comment


🧹 Nitpick comments (1)
shared/types/npm-registry.ts (1)

316-328: Consider making non-essential fields optional for robustness against API variations.

The NpmSearchRepository interface currently marks all fields as required, but these fields originate from the Algolia API where responses may be incomplete. Additionally, the fields project, user, host, path, and branch are not accessed anywhere in the codebase, suggesting they are either unused or conditionally present in API responses.

Making non-essential fields optional aligns with defensive coding practices for external API types and prevents potential type mismatches if Algolia returns partial repository data. The type: 'git' literal may also be overly restrictive should npm support additional VCS types in future.

♻️ Suggested change
 export interface NpmSearchRepository {
-  type: 'git'
+  type?: string
   url: string
-  project: string
-  user: string
-  host: string
-  path: string
-  branch: string
+  project?: string
+  user?: string
+  host?: string
+  path?: string
+  branch?: string
 }
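Review bot: `url` stays required in the suggested shape while every sibling field becomes optional (the `type?` line and the `project?`…`branch?` lines), so the type still promises that `repository.url` can be read unconditionally even though the stated rationale is that Algolia may return partial repository data; if that is true, `url` and the `repository` object itself can be absent as well. The exclusion filter in app/pages/search.vue that this type supports is not visible here, so this is inferred: if it dereferences `hit.repository.url` directly, a hit without a repository would throw while computing visible results rather than merely slip past the security-holder exclusion. Either make `url` optional for consistency and read it as `hit.repository?.url !== 'npm/security-holder'`, or keep all fields required and add a one-line comment stating that the Algolia index always populates them, rather than mixing the two.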

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b673ac2a-7dfa-4a1e-99d0-9f28e7f33e93

📥 Commits

Reviewing files that changed from the base of the PR and between 78c7afb and 42555f9.

📒 Files selected for processing (2)
  • app/pages/search.vue
  • shared/types/npm-registry.ts
🚧 Files skipped from review as they are similar to previous changes (1)
  • app/pages/search.vue


Development

Successfully merging this pull request may close these issues.

⚠️ Algolia search returns malicious/dangerous packages removed from npm registry search
