diff --git a/CHANGELOG.md b/CHANGELOG.md
index cecf667..95b525b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,7 +5,8 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 ## [Unreleased]
-Nothing notable at the moment.
+### Fixed
+- Installing nodepacks through the editor or via `xiblepm nodepack install` now works on Windows.
 ## [0.4.0] - 2017-04-30
 ### Added
diff --git a/app/Registry/index.js b/app/Registry/index.js
index e1f121d..7a5b802 100644
--- a/app/Registry/index.js
+++ b/app/Registry/index.js
@@ -48,7 +48,13 @@ module.exports = (XIBLE, EXPRESS_APP) => {
 }
 return this.getTarballUrl().then(tarballUrl => new Promise((resolve, reject) => {
- // clean the dir
+ // check if the tarbalUrl is safe
+ if (encodeURI(tarballUrl) !== tarballUrl) {
+ reject(new Error('Package URL contains potentially unsafe characters'));
+ return;
+ }
+
+ // clean the tmp dir where we will download the npm package
 fsExtra.emptyDir(TMP_REGISTRY_DIR, (err) => {
 if (err) {
 reject(err);
@@ -68,10 +74,11 @@ module.exports = (XIBLE, EXPRESS_APP) => {
 return;
 }
- // fork an npm to install the registry url
+ // fork npm to install the registry url
 const fork = require('child_process').spawn;
 const npm = fork('npm', ['install', tarballUrl], {
- cwd: TMP_REGISTRY_DIR
+ cwd: TMP_REGISTRY_DIR,
+ shell: true
 });
 npm.on('error', npmErr => reject(npmErr));
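Review bot: The `encodeURI(tarballUrl) !== tarballUrl` guard in the first hunk of app/Registry/index.js does not reject characters a shell treats specially: encodeURI leaves `;`, `&`, `$`, `'`, `(`, `)`, `*`, `?` and `#` unchanged, so a URL containing them passes the check and then reaches the `shell: true` spawn added in the second hunk. It also rejects any legitimate URL that already contains a percent-escape, because `%` is re-encoded to `%25`. An allowlist would state the intent directly, for example `if (!/^https:\/\/[A-Za-z0-9@._\/-]+$/.test(tarballUrl)) {` (the exact character set should be confirmed against the tarball URLs the registry returns). The enclosing promise callback starts and ends outside the hunk.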
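Review bot: `shell: true` in the second hunk of app/Registry/index.js is set unconditionally, although the changelog entry describes a Windows-only fix; on other platforms npm was already spawned directly, and now every install goes through a shell with `tarballUrl` as part of the command line. Limiting it keeps the direct exec elsewhere: `shell: process.platform === 'win32'`. A short comment on that option saying why the shell is needed (presumably because npm is a `.cmd` shim on Windows) and that `tarballUrl` must be validated before this call would help the next maintainer. The callback body continues outside the hunk.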