Custom registry with path component causes path duplication in attestation URL

[ajayk]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

When using a custom npm registry that includes a path component (e.g. https://example.com/javascript), the attestation verification URL incorrectly duplicates the path.

For example, with registry https://example.com/javascript, the constructed attestation URL becomes:

https://example.com/javascript/javascript/-/npm/v1/attestations/pkg@1.0.0

Expected Behavior

the attestation url should be

https://example.com/javascript/-/npm/v1/attestations/pkg@1.0.0

Steps To Reproduce

1. Configure npm to use a custom registry with a path component:
   npm config set registry https://example.com/javascript
2. Install a package that has attestations (e.g. a package published to the custom registry with sigstore attestations)
3. Run:
   npm audit signatures
4. Observe that the attestation fetch fails because the request URL has the path duplicated:
   Expected: https://example.com/javascript/-/npm/v1/attestations/pkg@1.0.0
   Actual: https://example.com/javascript/javascript/-/npm/v1/attestations/pkg@1.0.0

Note: This only affects registries with a path component in the URL. The default registry (https://registry.npmjs.org) is not affected since it has no path beyond /.

Environment

• npm:
• Node:
• OS:
• platform: