diff --git a/package-lock.json b/package-lock.json
index 827a93c29..790a00121 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -14,7 +14,7 @@ "aws-sdk": "^2.1637.0", "basic-auth": "^2.0.1", "body-parser": "^1.20.2", - "cloudron-manifestformat": "^5.23.0", + "cloudron-manifestformat": "^5.24.0", "connect": "^3.7.0", "connect-lastmile": "^2.2.0", "connect-timeout": "^1.9.0",
@@ -46,7 +46,7 @@ "safetydance": "^2.4.0", "semver": "^7.6.2", "speakeasy": "^2.0.0", - "superagent": "^9.0.1", + "superagent": "9.0.1", "tar-fs": "github:cloudron-io/tar-fs#ignore_stat_error", "tldjs": "^2.3.1", "ua-parser-js": "^1.0.38",
@@ -1031,16 +1031,15 @@ } }, "node_modules/cloudron-manifestformat": { - "version": "5.23.0", - "resolved": "https://registry.npmjs.org/cloudron-manifestformat/-/cloudron-manifestformat-5.23.0.tgz", - "integrity": "sha512-HZECVY16wQO5IWdUzyxIUIMlVty3jGpsja2IRmywAM8G6NVVoGo35m1anWrwqAVj3n9e9QdU0PiWm6JiRRD1Ow==", + "version": "5.24.0", + "resolved": "https://registry.npmjs.org/cloudron-manifestformat/-/cloudron-manifestformat-5.24.0.tgz", + "integrity": "sha512-thmYEX9EFfpxnla/MQvo0GX9Hwr26LDbJKA9DVS1vIWP34M+LWza9PVhDaYii1sDKW4hH8C3hwFeqjrfWw8UBw==", "dependencies": { "cron": "^3.1.7", - "java-packagename-regex": "^1.0.0", "safetydance": "2.4.0", - "semver": "^7.6.0", + "semver": "^7.6.2", "tv4": "^1.3.0", - "validator": "^13.11.0" + "validator": "^13.12.0" } }, "node_modules/co": {
@@ -3122,13 +3121,6 @@ "node": ">=10" } }, - "node_modules/java-packagename-regex": { - "version": "1.0.0", - "license": "MIT", - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/jmespath": { "version": "0.16.0", "license": "Apache-2.0",
diff --git a/src/appstore.js b/src/appstore.js
index c355f72bb..185ee5556 100644
--- a/src/appstore.js
+++ b/src/appstore.js
@@ -40,6 +40,7 @@ const apps = require('./apps.js'),
 dashboard = require('./dashboard.js'),
 debug = require('debug')('box:appstore'),
 eventlog = require('./eventlog.js'),
+ manifestFormat = require('cloudron-manifestformat'),
 network = require('./network.js'),
 path = require('path'),
 paths = require('./paths.js'),
@@ -415,9 +416,11 @@ async function downloadManifest(appStoreId, manifest) {
 if (!appStoreId) return { appStoreId: '', manifest };
- const parts = appStoreId.split('@');
+ const [id, version] = appStoreId.split('@');
+ if (!manifestFormat.isId(id)) throw new BoxError(BoxError.BAD_FIELD, 'appStoreId is not valid');
+ if (version && !semver.valid(version)) throw new BoxError(BoxError.BAD_FIELD, 'package version is not valid semver');
- const url = await getApiServerOrigin() + '/api/v1/apps/' + parts[0] + (parts[1] ? '/versions/' + parts[1] : '');
+ const url = await getApiServerOrigin() + '/api/v1/apps/' + id + (version ? '/versions/' + version : '');
 debug(`downloading manifest from ${url}`);
@@ -429,7 +432,7 @@ async function downloadManifest(appStoreId, manifest) {
 if (!response.body.manifest || typeof response.body.manifest !== 'object') throw new BoxError(BoxError.NOT_FOUND, `Missing manifest. Failed to get app info from store. status: ${response.status} text: ${response.text}`);
- return { appStoreId: parts[0], manifest: response.body.manifest };
+ return { appStoreId: id, manifest: response.body.manifest };
 }
 async function getApps() {
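Review bot: In the `downloadManifest` hunk, the new `version` guard validates a normalized copy of the string while the URL is still built from the raw value: as far as I know `semver.valid()` trims surrounding whitespace and tolerates a leading `v`, so such input passes the check and reaches the `/versions/` path segment unchanged. Comparing against the normalized result closes that gap, e.g. `if (version && semver.valid(version) !== version) throw new BoxError(BoxError.BAD_FIELD, 'package version is not valid semver');` (this would also reject build metadata such as `1.2.3+x`, so confirm the store never uses it). Separately, `const [id, version] = appStoreId.split('@')` silently discards anything after a second `@`; rejecting input where `appStoreId.split('@').length > 2` would make the accepted format exact. The body of `downloadManifest` continues outside this hunk, and the `semver` require is not visible in the changed lines.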