fix: add /package/* path support for markdown rewrites + escape user-supplied maintainer fields

BYK · BYK · commit 72af33027c1e · 2026-03-06T17:57:59.000Z
- Add vercel.json rewrites for /package/:path to strip prefix and serve markdown
- Escape maintainer name with escapeMarkdown() since it's user-supplied
- URL-encode maintainer username in link hrefs for safety
diff --git a/server/utils/markdown.ts b/server/utils/markdown.ts
@@ -257,12 +257,13 @@ export function generatePackageMarkdown(options: PackageMarkdownOptions): string
     lines.push('')
     for (const maintainer of pkg.maintainers.slice(0, 10)) {
       // npm API returns username but `@npm/types` `Contact` doesn't include it
+      // maintainers is user-supplied so we escape both name and username
       const username = (maintainer as { username?: string }).username
-      const name = maintainer.name || username || 'Unknown'
+      const safeName = escapeMarkdown(maintainer.name || username || 'Unknown')
       if (username) {
-        lines.push(`- [${name}](https://npmx.dev/~${username})`)
+        lines.push(`- [${safeName}](https://npmx.dev/~${encodeURIComponent(username)})`)
       } else {
-        lines.push(`- ${name}`)
+        lines.push(`- ${safeName}`)
       }
     }
     lines.push('')
diff --git a/vercel.json b/vercel.json
@@ -2,14 +2,48 @@
   "$schema": "https://openapi.vercel.sh/vercel.json",
   "trailingSlash": false,
   "rewrites": [
+    {
+      "source": "/package/:path(.*)",
+      "has": [
+        {
+          "type": "header",
+          "key": "accept",
+          "value": "(.*?)text/markdown(.*)"
+        }
+      ],
+      "destination": "/raw/:path.md"
+    },
+    {
+      "source": "/package/:path(.*)",
+      "has": [
+        {
+          "type": "header",
+          "key": "user-agent",
+          "value": "curl/.*"
+        }
+      ],
+      "destination": "/raw/:path.md"
+    },
     {
       "source": "/:path((?!api|_nuxt|_v|__nuxt|search|code|raw/).*)",
-      "has": [{ "type": "header", "key": "accept", "value": "(.*?)text/markdown(.*)" }],
+      "has": [
+        {
+          "type": "header",
+          "key": "accept",
+          "value": "(.*?)text/markdown(.*)"
+        }
+      ],
       "destination": "/raw/:path.md"
     },
     {
       "source": "/:path((?!api|_nuxt|_v|__nuxt|search|code|raw/).*)",
-      "has": [{ "type": "header", "key": "user-agent", "value": "curl/.*" }],
+      "has": [
+        {
+          "type": "header",
+          "key": "user-agent",
+          "value": "curl/.*"
+        }
+      ],
       "destination": "/raw/:path.md"
     }
   ],
