fix(specs): accept npm's git+https/git+ssh repository URLs

The previous scheme class `[a-z]+` rejected `git+https://` and
`git+ssh://` — npm's canonical `repository.url` forms from
`npm pkg get` / `package.json`. Callers in
`src/packages/operations.ts` that pass `repository.url` to
`getRepoUrlDetails` silently lost user/project for those packages.

Broaden the class to `[a-z][a-z+]*` so schemes may include `+` after
the first letter. Still rejects github.com lookalikes
(`githubXcom`, `fake-github.com.attacker.tld`) and scp-style
`git@github.com:...` (which callers must normalize upstream).

Author: jdalton

src/packages/specs.ts

@@ -24,11 +24,15 @@ export function getRepoUrlDetails(repoUrl: string = ''): {
   // Anchor the host to exactly `github.com` (optionally preceded by
   // userinfo like `user@`). Escaping the `.` blocks lookalikes like
   // `githubXcom`; pinning the host to the full final label blocks
-  // `fake-github.com` or `github.com.attacker.tld` shenanigans. Callers
-  // passing scp-style git@github.com:… need to normalize upstream; we
-  // require `://` here so the host component is unambiguous.
+  // `fake-github.com` or `github.com.attacker.tld` shenanigans. The
+  // scheme class allows `+` so npm's canonical `git+https://…` and
+  // `git+ssh://…` forms from package.json `repository.url` match.
+  // Callers passing scp-style git@github.com:… need to normalize
+  // upstream; we require `://` here so the host is unambiguous.
   const match =
-    /^(?:[a-z]+:\/\/)(?:[^/@]+@)?github\.com\/([^?#]+)(?:[?#]|$)/i.exec(repoUrl)
+    /^(?:[a-z][a-z+]*:\/\/)(?:[^/@]+@)?github\.com\/([^?#]+)(?:[?#]|$)/i.exec(
+      repoUrl,
+    )
   if (!match || !match[1]) {
     return { user: '', project: '' }
   }

test/unit/packages/specs.test.mts

@@ -52,6 +52,18 @@ describe('packages/specs', () => {
       expect(result.project).toBe('berry')
     })
 
+    it('handles git+https:// and git+ssh:// URLs (npm repository.url forms)', () => {
+      // npm's `npm pkg get repository.url` canonicalizes to `git+https://`
+      // or `git+ssh://` prefixes. The scheme pattern accepts `+` so these
+      // match the same as plain `https://github.com/…`.
+      expect(
+        getRepoUrlDetails('git+https://github.com/npm/cli.git'),
+      ).toEqual({ user: 'npm', project: 'cli' })
+      expect(
+        getRepoUrlDetails('git+ssh://git@github.com/npm/cli.git'),
+      ).toEqual({ user: 'npm', project: 'cli' })
+    })
+
     it('returns empty strings for invalid URL', () => {
       // Previously the loose `/^.+github.com\//` replace left garbage in
       // user/project for non-GitHub or malformed inputs. Now returns a