fix: avoid redirecting /opensearch.xml to package route

[shuuji3]

fix #1545

• before: https://npmx.dev/opensearch.xml redirects to
• after: https://[preview-url]/opensearch.xml returns opensearch.xml

(The deploy error is unrelated to this change. See #1547 for details.)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
npmx.dev	Error		Feb 20, 2026 3:57am

2 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
docs.npmx.dev	Ignored	Preview	Feb 20, 2026 3:57am
npmx-lunaria	Ignored		Feb 20, 2026 3:57am

[coderabbitai]

📝 Walkthrough

Walkthrough

The change modifies the canonical redirects middleware by adding '/opensearch.xml' to the list of pages that bypass redirect logic. This ensures that requests to the opensearch.xml path are treated as a known page and not subject to further redirection. Previously, such requests were being incorrectly redirected to a non-existent path, resulting in 404 errors.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	The PR adds '/opensearch.xml' to the canonical redirects list, preventing that path from being redirected to the package route, which directly addresses issue #1545's requirement.
Out of Scope Changes check	✅ Passed	The single change adding '/opensearch.xml' to the canonical redirects list is directly scoped to fixing issue #1545 with no extraneous modifications.
Description check	✅ Passed	The pull request description clearly references issue #1545 and accurately describes the fix: preventing /opensearch.xml from redirecting to the package route, allowing it to return the correct OpenSearch resource instead.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

server/middleware/canonical-redirects.global.ts (1)

15-30: LGTM — fix is correct.

Adding /opensearch.xml to the pages bypass list is the right approach. The root cause is that pkgMatch (/^\/(?:(?<org>@[^/]+)\/)?(?<name>[^/@]+)$/) matches the path because . is allowed in [^/@]+, yielding name = 'opensearch.xml' and an erroneous 301 to /package/opensearch.xml. The early-return guard at line 47 now correctly intercepts the path before pkgMatch is evaluated.

Optionally, for consistency with the rest of the list, consider placing /opensearch.xml in alphabetical order alongside its neighbours (after /about / /accessibility):

♻️ Optional reordering for readability

 const pages = [
   '/oauth-client-metadata.json',
   '/200.html',
-  '/opensearch.xml',
   '/about',
   '/accessibility',
   '/compare',
   '/org',
+  '/opensearch.xml',
   '/package',
   '/package-code',
   '/package-docs',
   '/privacy',
   '/search',
   '/settings',
   '/recharging',
 ]