
Potential fix for code scanning alert no. 4: Incomplete string escaping or encoding#8

Merged: jonathansantilli merged 2 commits into main from alert-autofix-4 on Mar 7, 2026


Conversation

@jonathansantilli (Owner)

Potential fix for https://github.com/jonathansantilli/codegate/security/code-scanning/4

In general, to fix incomplete escaping when using String.prototype.replace, you should either (1) use a regular expression with the global (g) flag so that all occurrences are replaced, or (2) use an appropriate, well-tested encoder/escaping function (for URLs, encodeURIComponent or encodeURI as appropriate).

For this specific case, we want to correctly encode all / characters in npm scoped package locators that start with @. The current implementation:

```ts
const pkg = request.locator.startsWith("@")
  ? request.locator.replace("/", "%2f")
  : request.locator;
```

replaces only the first /. The minimal, behavior-preserving fix is to change .replace("/", "%2f") to .replace(/\//g, "%2f"), which escapes every / in the locator when it’s scoped. This retains the existing structure of the code, does not alter behavior for typical valid locators (which only contain one /), and correctly handles any additional slashes in edge cases. No new imports are needed; we only adjust the replace call in endpointFor in src/layer3-dynamic/resource-fetcher.ts around line 48–53.


Suggested fixes powered by Copilot Autofix. Review carefully before merging.
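The pre-fix and fixed calls side by side, as an added example that is not code from the codegate repository: a string pattern passed to `String.prototype.replace` hits only the first `/`, the global regex hits all of them, and `encodeURIComponent` is shown as the "well-tested encoder" alternative the description mentions. `REGISTRY`, the function names and the sample locators are assumptions for this example.

```typescript
// Added example, not the project's own code. Shows why the pre-fix replace call
// is an incomplete escape and what the global-regex fix changes.

// Constructed placeholder base URL, not a real registry endpoint.
const REGISTRY = "https://registry.example.invalid";

// Pre-fix behaviour: a string pattern replaces only the FIRST occurrence of "/".
function encodeLocatorIncomplete(locator: string): string {
  return locator.startsWith("@") ? locator.replace("/", "%2f") : locator;
}

// Fixed behaviour from the PR: a regex with the g flag replaces EVERY "/".
function encodeLocatorGlobal(locator: string): string {
  return locator.startsWith("@") ? locator.replace(/\//g, "%2f") : locator;
}

// Alternative named in the description: a standard encoder. Note that it also
// encodes "@" as "%40" and uses upper-case "%2F", so it yields a different path
// for scoped names than the regex fix; shown for comparison only.
function encodeLocatorComponent(locator: string): string {
  return encodeURIComponent(locator);
}

// Builds the registry URL for a locator with the chosen encoder (assumed shape).
function endpointFor(locator: string, encode: (l: string) => string): string {
  return `${REGISTRY}/${encode(locator)}`;
}

// Review check: how many raw "/" characters remain in the encoded locator?
// For a scoped locator the answer must be 0, otherwise the locator still spans
// more than one URL path segment.
function unencodedSlashes(encodedLocator: string): number {
  return (encodedLocator.match(/\//g) || []).length;
}

// Constructed sample locators: a typical scoped name and an edge case with an
// extra slash, which is where the first-occurrence replace falls short.
const SAMPLES = ["@scope/name", "@scope/name/extra", "plain-package"];
for (const s of SAMPLES) {
  console.log(
    s,
    "| first-only:", endpointFor(s, encodeLocatorIncomplete),
    "| global:", endpointFor(s, encodeLocatorGlobal),
  );
}
```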

jonathansantilli and others added 2 commits March 7, 2026 20:17
…ng or encoding

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@jonathansantilli jonathansantilli marked this pull request as ready for review March 7, 2026 20:34
@jonathansantilli jonathansantilli merged commit c8afb1c into main Mar 7, 2026
14 checks passed
@jonathansantilli jonathansantilli deleted the alert-autofix-4 branch March 7, 2026 20:58
