From db974ceac7d9c92141e6a47e8902d8a0adbcf384 Mon Sep 17 00:00:00 2001
From: Adebesin Tolulope <adebesintolulope80@gmail.com>
Date: Wed, 20 May 2026 13:40:49 +0100
Subject: [PATCH 1/3] fix(ui): skip README badge markdown in package card
 summaries

Closes #2767. npm's search API sometimes returns the README's leading
badge markdown as the package description (e.g. @nuxtjs/opencollective).
Extends the markdown stripper to handle reference-style image badges and
collapses the side-column metadata into a single flex-wrap row so the
card layout stays consistent when the description ends up empty. Also
drops the duplicated mobile downloads row.
---
 app/components/Package/Card.vue            | 118 ++++++++-------------
 app/composables/useMarkdown.ts             |  26 +++--
 i18n/locales/en.json                       |   1 +
 test/nuxt/composables/use-markdown.spec.ts |  28 +++++
 4 files changed, 91 insertions(+), 82 deletions(-)

diff --git a/app/components/Package/Card.vue b/app/components/Package/Card.vue
index f7b06fb26a..a795632a9b 100644
--- a/app/components/Package/Card.vue
+++ b/app/components/Package/Card.vue
@@ -74,85 +74,55 @@ const numberFormatter = useNumberFormatter()
       />
     </header>
 
-    <div class="flex flex-col sm:flex-row sm:justify-start sm:items-start gap-6 sm:gap-8">
-      <div class="min-w-0 w-full">
-        <p v-if="pkgDescription" class="text-fg-muted text-xs sm:text-sm line-clamp-2 mb-2 sm:mb-3">
-          <span v-html="pkgDescription" />
-        </p>
-        <div class="flex flex-wrap items-center gap-x-3 sm:gap-x-4 gap-y-2 text-xs text-fg-muted">
-          <dl v-if="showPublisher || result.package.date" class="flex items-center gap-4 m-0">
-            <div
-              v-if="showPublisher && result.package.publisher?.username"
-              class="flex items-center gap-1.5"
-            >
-              <dt class="sr-only">{{ $t('package.card.publisher') }}</dt>
-              <dd class="font-mono">{{ result.package.publisher.username }}</dd>
-            </div>
-            <div v-if="result.package.date" class="flex items-center gap-1.5">
-              <dt class="sr-only">{{ $t('package.card.published') }}</dt>
-              <dd>
-                <DateTime
-                  :datetime="result.package.date"
-                  year="numeric"
-                  month="short"
-                  day="numeric"
-                />
-              </dd>
-            </div>
-            <div v-if="result.package.license" class="flex items-center gap-1.5">
-              <dt class="sr-only">{{ $t('package.card.license') }}</dt>
-              <dd>{{ result.package.license }}</dd>
-            </div>
-          </dl>
-        </div>
-        <!-- Mobile: downloads on separate row -->
-        <dl
-          v-if="result.downloads?.weekly"
-          class="sm:hidden flex items-center gap-4 mt-2 text-xs text-fg-muted m-0"
-        >
-          <div class="flex items-center gap-1.5">
-            <dt class="sr-only">{{ $t('package.card.weekly_downloads') }}</dt>
-            <dd class="flex items-center gap-1.5">
-              <span class="i-lucide:chart-line w-3.5 h-3.5" aria-hidden="true" />
-              <span class="font-mono">{{ $n(result.downloads.weekly) }}/w</span>
-            </dd>
-          </div>
-        </dl>
+    <p v-if="pkgDescription" class="text-fg-muted text-xs sm:text-sm line-clamp-2 mb-2 sm:mb-3">
+      <span v-html="pkgDescription" />
+    </p>
+    <dl class="flex flex-wrap items-center gap-x-3 sm:gap-x-4 gap-y-2 text-xs text-fg-muted m-0">
+      <div v-if="result.package.version" class="flex items-center gap-1.5 min-w-0">
+        <dt class="sr-only">{{ $t('package.card.version') }}</dt>
+        <dd class="font-mono truncate max-w-32" :title="result.package.version">
+          v{{ result.package.version }}
+        </dd>
       </div>
-
-      <div class="flex flex-col gap-2 shrink-0">
-        <div class="text-fg-subtle flex items-start gap-2 sm:justify-end">
-          <span
-            v-if="result.package.version"
-            class="font-mono text-xs truncate max-w-32"
-            :title="result.package.version"
-          >
-            v{{ result.package.version }}
-          </span>
-          <div
-            v-if="result.package.publisher?.trustedPublisher"
-            class="flex items-center gap-1.5 shrink-0 max-w-32"
-          >
-            <ProvenanceBadge
-              :provider="result.package.publisher.trustedPublisher.id"
-              :package-name="result.package.name"
-              :version="result.package.version"
-              :linked="false"
-              compact
-            />
-          </div>
-        </div>
-        <div
-          v-if="result.downloads?.weekly"
-          class="text-fg-subtle gap-2 flex items-center sm:justify-end"
-        >
+      <div
+        v-if="result.package.publisher?.trustedPublisher"
+        class="flex items-center gap-1.5 shrink-0"
+      >
+        <ProvenanceBadge
+          :provider="result.package.publisher.trustedPublisher.id"
+          :package-name="result.package.name"
+          :version="result.package.version"
+          :linked="false"
+          compact
+        />
+      </div>
+      <div
+        v-if="showPublisher && result.package.publisher?.username"
+        class="flex items-center gap-1.5"
+      >
+        <dt class="sr-only">{{ $t('package.card.publisher') }}</dt>
+        <dd class="font-mono">{{ result.package.publisher.username }}</dd>
+      </div>
+      <div v-if="result.package.date" class="flex items-center gap-1.5">
+        <dt class="sr-only">{{ $t('package.card.published') }}</dt>
+        <dd>
+          <DateTime :datetime="result.package.date" year="numeric" month="short" day="numeric" />
+        </dd>
+      </div>
+      <div v-if="result.package.license" class="flex items-center gap-1.5">
+        <dt class="sr-only">{{ $t('package.card.license') }}</dt>
+        <dd>{{ result.package.license }}</dd>
+      </div>
+      <div v-if="result.downloads?.weekly" class="flex items-center gap-1.5 sm:ms-auto">
+        <dt class="sr-only">{{ $t('package.card.weekly_downloads') }}</dt>
+        <dd class="flex items-center gap-1.5">
           <span class="i-lucide:chart-line w-3.5 h-3.5" aria-hidden="true" />
-          <span class="font-mono text-xs">
+          <span class="font-mono">
             {{ $n(result.downloads.weekly) }} {{ $t('common.per_week') }}
           </span>
-        </div>
+        </dd>
       </div>
-    </div>
+    </dl>
 
     <ul
       role="list"
diff --git a/app/composables/useMarkdown.ts b/app/composables/useMarkdown.ts
index 97355ecf59..4c3372e9a6 100644
--- a/app/composables/useMarkdown.ts
+++ b/app/composables/useMarkdown.ts
@@ -10,15 +10,25 @@ export function useMarkdown(options: MaybeRefOrGetter<UseMarkdownOptions>) {
   return computed(() => parseMarkdown(toValue(options)))
 }
 
-// Strip markdown image badges from text
+// Single alternation matches any of:
+//  - image atom: ![alt](url) OR ![alt][ref]
+//  - empty link wrapper left behind after image removal: [](url) / [][ref]
+//  - reference link definition line: [ref]: url "optional title"
+// Bounded quantifiers ({0,N}) guard against ReDoS. Compiled once at module
+// scope so reactive callers don't pay re-instantiation cost on every render.
+const STRIPPABLE_MARKDOWN =
+  /!\[[^\]]{0,500}\](?:\([^)]{0,2000}\)|\[[^\]]{0,500}\])|\[\s*\](?:\([^)]{0,2000}\)?|\[[^\]]{0,500}\])|^[ \t]*\[[^\]]{1,500}\]:[ \t]+\S{1,2000}(?:[ \t]+["'(].*?["')])?[ \t]*$/gm
+
+// Strip markdown image badges from text.
+// Each pass removes image atoms, empty link wrappers, and reference defs in a
+// single scan. Re-run to a fixed point so nested shapes like
+// `[![…][ref]][ref]` collapse without per-shape rules.
 function stripMarkdownImages(text: string): string {
-  // Remove linked images: [![alt](image-url)](link-url) - handles incomplete URLs too
-  // Using {0,500} instead of * to prevent ReDoS on pathological inputs
-  text = text.replace(/\[!\[[^\]]{0,500}\]\([^)]{0,2000}\)\]\([^)]{0,2000}\)?/g, '')
-  // Remove standalone images: ![alt](url)
-  text = text.replace(/!\[[^\]]{0,500}\]\([^)]{0,2000}\)/g, '')
-  // Remove any leftover empty links or broken markdown link syntax
-  text = text.replace(/\[\]\([^)]{0,2000}\)?/g, '')
+  let previous: string
+  do {
+    previous = text
+    text = text.replace(STRIPPABLE_MARKDOWN, '')
+  } while (text !== previous)
   return text.trim()
 }
 
diff --git a/i18n/locales/en.json b/i18n/locales/en.json
index 7e119affa7..2805bc7109 100644
--- a/i18n/locales/en.json
+++ b/i18n/locales/en.json
@@ -532,6 +532,7 @@
       "weekly_downloads": "Weekly downloads",
       "keywords": "Keywords",
       "license": "License",
+      "version": "Version",
       "select": "Select package",
       "select_maximum": "Maximum {count} packages can be selected"
     },
diff --git a/test/nuxt/composables/use-markdown.spec.ts b/test/nuxt/composables/use-markdown.spec.ts
index 7aa258e0df..2002a5ad30 100644
--- a/test/nuxt/composables/use-markdown.spec.ts
+++ b/test/nuxt/composables/use-markdown.spec.ts
@@ -188,6 +188,34 @@ describe('useMarkdown', () => {
       expect(processed.value).toBe('A library')
     })
 
+    it('strips reference-style linked image badges (regression #2767)', () => {
+      const processed = useMarkdown({
+        text: '[![npm version][npm-v-src]][npm-v-href] [![npm downloads][npm-d-src]][npm-d-href] A library',
+      })
+      expect(processed.value).toBe('A library')
+    })
+
+    it('returns empty when description is only reference-style badges (regression #2767)', () => {
+      const processed = useMarkdown({
+        text: '[![npm version][npm-v-src]][npm-v-href] [![npm downloads][npm-d-src]][npm-d-href]',
+      })
+      expect(processed.value).toBe('')
+    })
+
+    it('strips standalone reference-style images', () => {
+      const processed = useMarkdown({
+        text: '![badge][badge-ref] A library',
+      })
+      expect(processed.value).toBe('A library')
+    })
+
+    it('strips reference link definitions', () => {
+      const processed = useMarkdown({
+        text: 'A library\n\n[npm-v-src]: https://img.shields.io/npm/v/foo.svg\n[npm-v-href]: https://npm.im/foo',
+      })
+      expect(processed.value).toBe('A library')
+    })
+
     it('preserves regular markdown links', () => {
       const processed = useMarkdown({ text: '[documentation](https://docs.example.com) is here' })
       expect(processed.value).toBe(

From 070d5ad79f7ee9607a96e0891c225fbeca0fa827 Mon Sep 17 00:00:00 2001
From: Adebesin Tolulope <adebesintolulope80@gmail.com>
Date: Thu, 21 May 2026 22:06:00 +0100
Subject: [PATCH 2/3] fix(ui): move ProvenanceBadge out of dl to satisfy a11y,
 regenerate i18n schema

---
 app/components/Package/Card.vue | 88 ++++++++++++++++-----------------
 i18n/schema.json                |  3 ++
 2 files changed, 46 insertions(+), 45 deletions(-)

diff --git a/app/components/Package/Card.vue b/app/components/Package/Card.vue
index a795632a9b..b2c9b059da 100644
--- a/app/components/Package/Card.vue
+++ b/app/components/Package/Card.vue
@@ -77,52 +77,50 @@ const numberFormatter = useNumberFormatter()
     <p v-if="pkgDescription" class="text-fg-muted text-xs sm:text-sm line-clamp-2 mb-2 sm:mb-3">
       <span v-html="pkgDescription" />
     </p>
-    <dl class="flex flex-wrap items-center gap-x-3 sm:gap-x-4 gap-y-2 text-xs text-fg-muted m-0">
-      <div v-if="result.package.version" class="flex items-center gap-1.5 min-w-0">
-        <dt class="sr-only">{{ $t('package.card.version') }}</dt>
-        <dd class="font-mono truncate max-w-32" :title="result.package.version">
-          v{{ result.package.version }}
-        </dd>
-      </div>
-      <div
+    <div class="flex flex-wrap items-center gap-x-3 sm:gap-x-4 gap-y-2 text-xs text-fg-muted">
+      <ProvenanceBadge
         v-if="result.package.publisher?.trustedPublisher"
-        class="flex items-center gap-1.5 shrink-0"
-      >
-        <ProvenanceBadge
-          :provider="result.package.publisher.trustedPublisher.id"
-          :package-name="result.package.name"
-          :version="result.package.version"
-          :linked="false"
-          compact
-        />
-      </div>
-      <div
-        v-if="showPublisher && result.package.publisher?.username"
-        class="flex items-center gap-1.5"
-      >
-        <dt class="sr-only">{{ $t('package.card.publisher') }}</dt>
-        <dd class="font-mono">{{ result.package.publisher.username }}</dd>
-      </div>
-      <div v-if="result.package.date" class="flex items-center gap-1.5">
-        <dt class="sr-only">{{ $t('package.card.published') }}</dt>
-        <dd>
-          <DateTime :datetime="result.package.date" year="numeric" month="short" day="numeric" />
-        </dd>
-      </div>
-      <div v-if="result.package.license" class="flex items-center gap-1.5">
-        <dt class="sr-only">{{ $t('package.card.license') }}</dt>
-        <dd>{{ result.package.license }}</dd>
-      </div>
-      <div v-if="result.downloads?.weekly" class="flex items-center gap-1.5 sm:ms-auto">
-        <dt class="sr-only">{{ $t('package.card.weekly_downloads') }}</dt>
-        <dd class="flex items-center gap-1.5">
-          <span class="i-lucide:chart-line w-3.5 h-3.5" aria-hidden="true" />
-          <span class="font-mono">
-            {{ $n(result.downloads.weekly) }} {{ $t('common.per_week') }}
-          </span>
-        </dd>
-      </div>
-    </dl>
+        :provider="result.package.publisher.trustedPublisher.id"
+        :package-name="result.package.name"
+        :version="result.package.version"
+        :linked="false"
+        compact
+      />
+      <dl class="contents m-0">
+        <div v-if="result.package.version" class="flex items-center gap-1.5 min-w-0">
+          <dt class="sr-only">{{ $t('package.card.version') }}</dt>
+          <dd class="font-mono truncate max-w-32" :title="result.package.version">
+            v{{ result.package.version }}
+          </dd>
+        </div>
+        <div
+          v-if="showPublisher && result.package.publisher?.username"
+          class="flex items-center gap-1.5"
+        >
+          <dt class="sr-only">{{ $t('package.card.publisher') }}</dt>
+          <dd class="font-mono">{{ result.package.publisher.username }}</dd>
+        </div>
+        <div v-if="result.package.date" class="flex items-center gap-1.5">
+          <dt class="sr-only">{{ $t('package.card.published') }}</dt>
+          <dd>
+            <DateTime :datetime="result.package.date" year="numeric" month="short" day="numeric" />
+          </dd>
+        </div>
+        <div v-if="result.package.license" class="flex items-center gap-1.5">
+          <dt class="sr-only">{{ $t('package.card.license') }}</dt>
+          <dd>{{ result.package.license }}</dd>
+        </div>
+        <div v-if="result.downloads?.weekly" class="flex items-center gap-1.5 sm:ms-auto">
+          <dt class="sr-only">{{ $t('package.card.weekly_downloads') }}</dt>
+          <dd class="flex items-center gap-1.5">
+            <span class="i-lucide:chart-line w-3.5 h-3.5" aria-hidden="true" />
+            <span class="font-mono">
+              {{ $n(result.downloads.weekly) }} {{ $t('common.per_week') }}
+            </span>
+          </dd>
+        </div>
+      </dl>
+    </div>
 
     <ul
       role="list"
diff --git a/i18n/schema.json b/i18n/schema.json
index ee385067bd..e198bee5b8 100644
--- a/i18n/schema.json
+++ b/i18n/schema.json
@@ -1600,6 +1600,9 @@
             "license": {
               "type": "string"
             },
+            "version": {
+              "type": "string"
+            },
             "select": {
               "type": "string"
             },

From 66177bfadaeea10710d265a5a59087a120cc8c87 Mon Sep 17 00:00:00 2001
From: Adebesin Tolulope <adebesintolulope80@gmail.com>
Date: Fri, 22 May 2026 12:53:22 +0100
Subject: [PATCH 3/3] fix(ui): place publish date next to version in package
 card

---
 app/components/Package/Card.vue | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/app/components/Package/Card.vue b/app/components/Package/Card.vue
index b2c9b059da..668330bb72 100644
--- a/app/components/Package/Card.vue
+++ b/app/components/Package/Card.vue
@@ -93,6 +93,12 @@ const numberFormatter = useNumberFormatter()
             v{{ result.package.version }}
           </dd>
         </div>
+        <div v-if="result.package.date" class="flex items-center gap-1.5">
+          <dt class="sr-only">{{ $t('package.card.published') }}</dt>
+          <dd>
+            <DateTime :datetime="result.package.date" year="numeric" month="short" day="numeric" />
+          </dd>
+        </div>
         <div
           v-if="showPublisher && result.package.publisher?.username"
           class="flex items-center gap-1.5"
@@ -100,12 +106,6 @@ const numberFormatter = useNumberFormatter()
           <dt class="sr-only">{{ $t('package.card.publisher') }}</dt>
           <dd class="font-mono">{{ result.package.publisher.username }}</dd>
         </div>
-        <div v-if="result.package.date" class="flex items-center gap-1.5">
-          <dt class="sr-only">{{ $t('package.card.published') }}</dt>
-          <dd>
-            <DateTime :datetime="result.package.date" year="numeric" month="short" day="numeric" />
-          </dd>
-        </div>
         <div v-if="result.package.license" class="flex items-center gap-1.5">
           <dt class="sr-only">{{ $t('package.card.license') }}</dt>
           <dd>{{ result.package.license }}</dd>