From eca7b0ed05354179ba1a2236d26e6e4613f6b602 Mon Sep 17 00:00:00 2001
From: Kevin Heis <heiskr@users.noreply.github.com>
Date: Mon, 16 Mar 2026 10:46:45 -0700
Subject: [PATCH 1/8] Fix open redirect via protocol-relative URLs (#60215)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 eslint.config.ts                              | 10 +++++
 .../middleware/archived-asset-redirects.ts    |  2 +-
 .../archived-enterprise-versions.ts           | 14 +++----
 src/article-api/middleware/pagelist.ts        |  4 +-
 src/assets/middleware/asset-preprocessing.ts  |  2 +-
 src/assets/middleware/dynamic-assets.ts       |  2 +-
 src/frame/middleware/index.ts                 |  5 +++
 src/frame/middleware/manifest-json.ts         |  2 +-
 src/frame/middleware/safe-redirect.ts         | 29 +++++++++++++++
 src/frame/middleware/trailing-slashes.ts      |  2 +-
 src/redirects/middleware/handle-redirects.ts  |  8 ++--
 .../middleware/language-code-redirects.ts     |  2 +-
 src/redirects/tests/safe-redirect-url.ts      | 37 +++++++++++++++++++
 .../middleware/ghes-release-notes.ts          |  2 +-
 src/search/middleware/ai-search.ts            |  2 +-
 src/search/middleware/search-routes.ts        |  6 +--
 .../middleware/handle-invalid-paths.ts        |  2 +-
 .../handle-invalid-query-string-values.ts     |  2 +-
 .../handle-invalid-query-strings.ts           |  2 +-
 src/shielding/tests/invalid-querystrings.ts   |  9 +++++
 src/shielding/tests/shielding.ts              | 20 ++++++++++
 src/types/express.d.ts                        |  9 +++++
 22 files changed, 146 insertions(+), 27 deletions(-)
 create mode 100644 src/frame/middleware/safe-redirect.ts
 create mode 100644 src/redirects/tests/safe-redirect-url.ts
 create mode 100644 src/types/express.d.ts

diff --git a/eslint.config.ts b/eslint.config.ts
index 5ca834ddbfb5..97380c8f8ab0 100644
--- a/eslint.config.ts
+++ b/eslint.config.ts
@@ -102,6 +102,16 @@ export default [
 
       // Custom rules (disabled by default for now)
       'custom-rules/use-custom-logger': 'off',
+
+      // Prevent direct res.redirect() usage — use res.safeRedirect() instead
+      // to avoid open redirect vulnerabilities via protocol-relative URLs.
+      'no-restricted-syntax': [
+        'error',
+        {
+          selector: "CallExpression[callee.object.name='res'][callee.property.name='redirect']",
+          message: 'Use res.safeRedirect() instead of res.redirect() to prevent open redirects.',
+        },
+      ],
     },
   },
 
diff --git a/src/archives/middleware/archived-asset-redirects.ts b/src/archives/middleware/archived-asset-redirects.ts
index 9ee3a72946f0..5dac6e511bd3 100644
--- a/src/archives/middleware/archived-asset-redirects.ts
+++ b/src/archives/middleware/archived-asset-redirects.ts
@@ -29,7 +29,7 @@ export default function archivedAssetRedirects(
 ) {
   if (req.path in REDIRECTS) {
     const redirect = REDIRECTS[req.path].replace('/assets/', '/assets/cb-0000/')
-    return res.redirect(308, redirect)
+    return res.safeRedirect(308, redirect)
   }
 
   return next()
diff --git a/src/archives/middleware/archived-enterprise-versions.ts b/src/archives/middleware/archived-enterprise-versions.ts
index 4ea074cc89fd..6f4c001e4e9f 100644
--- a/src/archives/middleware/archived-enterprise-versions.ts
+++ b/src/archives/middleware/archived-enterprise-versions.ts
@@ -117,7 +117,7 @@ export default async function archivedEnterpriseVersions(
         languageCacheControl(res) // call first to get `vary`
       }
       archivedCacheControl(res) // call second to extend duration
-      return res.redirect(redirectCode, redirectTo)
+      return res.safeRedirect(redirectCode, redirectTo)
     }
 
     const redirectJson = (await getRemoteJSON(getProxyPath('redirects.json', requestedVersion), {
@@ -137,7 +137,7 @@ export default async function archivedEnterpriseVersions(
         languageCacheControl(res) // call first to get `vary`
       }
       archivedCacheControl(res) // call second to extend duration
-      return res.redirect(redirectCode, `/${language}${newRedirectTo}`)
+      return res.safeRedirect(redirectCode, `/${language}${newRedirectTo}`)
     }
   }
   // For releases 2.13 and lower, redirect language-prefixed URLs like /en/enterprise/2.10 -> /enterprise/2.10
@@ -146,7 +146,7 @@ export default async function archivedEnterpriseVersions(
     versionSatisfiesRange(requestedVersion, `<${firstVersionDeprecatedOnNewSite}`)
   ) {
     archivedCacheControl(res)
-    return res.redirect(redirectCode, req.baseUrl + req.path.replace(/^\/en/, ''))
+    return res.safeRedirect(redirectCode, req.baseUrl + req.path.replace(/^\/en/, ''))
   }
 
   // Redirects for releases 2.13 - 2.17
@@ -170,7 +170,7 @@ export default async function archivedEnterpriseVersions(
       // new destination.
       const redirect = `/${language || 'en'}${newPath || withoutLanguagePath}`
       cacheAggressively(res)
-      return res.redirect(redirectCode, redirect)
+      return res.safeRedirect(redirectCode, redirect)
     }
   }
   // Redirects for 2.18 - 3.0. Starting with 2.18, we updated the archival
@@ -193,7 +193,7 @@ export default async function archivedEnterpriseVersions(
     if (redirectJson[req.path]) {
       res.set('x-robots-tag', 'noindex')
       cacheAggressively(res)
-      return res.redirect(redirectCode, redirectJson[req.path])
+      return res.safeRedirect(redirectCode, redirectJson[req.path])
     }
   }
   // Retrieve the page from the archived repo
@@ -260,7 +260,7 @@ export default async function archivedEnterpriseVersions(
     const staticRedirect = body.match(patterns.staticRedirect)
     if (staticRedirect) {
       cacheAggressively(res)
-      return res.redirect(redirectCode, staticRedirect[1])
+      return res.safeRedirect(redirectCode, staticRedirect[1])
     }
 
     res.set('content-type', r.headers.get('content-type') || '')
@@ -373,7 +373,7 @@ export default async function archivedEnterpriseVersions(
       statsTags.push(`fallback:${fallbackRedirect}`)
       statsd.increment('middleware.trying_fallback_redirect_success', 1, statsTags)
       cacheAggressively(res)
-      return res.redirect(redirectCode, fallbackRedirect)
+      return res.safeRedirect(redirectCode, fallbackRedirect)
     }
     statsd.increment('middleware.trying_fallback_redirect_failure', 1, statsTags)
   }
diff --git a/src/article-api/middleware/pagelist.ts b/src/article-api/middleware/pagelist.ts
index 095f4b9bab59..295a18c49acf 100644
--- a/src/article-api/middleware/pagelist.ts
+++ b/src/article-api/middleware/pagelist.ts
@@ -92,7 +92,7 @@ router.get(
   '/',
   pagelistValidationMiddleware as RequestHandler,
   catchMiddlewareError(async function (req: ExtendedRequest, res: Response) {
-    res.redirect(
+    res.safeRedirect(
       308,
       req.originalUrl.replace(
         '/pagelist',
@@ -108,7 +108,7 @@ router.get(
   pagelistValidationMiddleware as RequestHandler,
   catchMiddlewareError(async function (req: ExtendedRequest, res: Response) {
     const { someParam } = req.params
-    res.redirect(
+    res.safeRedirect(
       308,
       req.originalUrl.replace(
         `/pagelist/${someParam}`,
diff --git a/src/assets/middleware/asset-preprocessing.ts b/src/assets/middleware/asset-preprocessing.ts
index 1a5a1cd6d8c0..a61be8044422 100644
--- a/src/assets/middleware/asset-preprocessing.ts
+++ b/src/assets/middleware/asset-preprocessing.ts
@@ -30,7 +30,7 @@ export default function assetPreprocessing(
       // By forcing this to be a redirect, it means we only serve
       // 1 single file. All other requests will be redirects.
       // Otherwise someone might trigger too much bypassing of the CDN.
-      return res.redirect(req.url.toLowerCase())
+      return res.safeRedirect(req.url.toLowerCase())
     }
 
     // We're only confident enough to set the *manual* surrogate key if the
diff --git a/src/assets/middleware/dynamic-assets.ts b/src/assets/middleware/dynamic-assets.ts
index 9053151a3181..b59d558097e1 100644
--- a/src/assets/middleware/dynamic-assets.ts
+++ b/src/assets/middleware/dynamic-assets.ts
@@ -76,7 +76,7 @@ export default async function dynamicAssets(
     //    < 302
     //    < location: /assets/images/site/logo.web
     //
-    return res.redirect(302, req.path)
+    return res.safeRedirect(302, req.path)
   }
 
   // From PNG to WEBP, if the PNG exists
diff --git a/src/frame/middleware/index.ts b/src/frame/middleware/index.ts
index c2ef6d86b824..871605038ba0 100644
--- a/src/frame/middleware/index.ts
+++ b/src/frame/middleware/index.ts
@@ -66,6 +66,7 @@ import mockVaPortal from './mock-va-portal'
 import dynamicAssets from '@/assets/middleware/dynamic-assets'
 import generalSearchMiddleware from '@/search/middleware/general-search-middleware'
 import shielding from '@/shielding/middleware'
+import safeRedirect from './safe-redirect'
 import { MAX_REQUEST_TIMEOUT } from '@/frame/lib/constants'
 import { initLoggerContext } from '@/observability/logger/lib/logger-context'
 import { getAutomaticRequestLogger } from '@/observability/logger/middleware/get-automatic-request-logger'
@@ -125,6 +126,10 @@ export default function index(app: Express) {
   // for static assets as well.
   app.use(setDefaultFastlySurrogateKey)
 
+  // Attaches res.safeRedirect() to every response. Must appear before
+  // any middleware that redirects.
+  app.use(safeRedirect)
+
   // archivedEnterpriseVersionsAssets must come before static/assets
   app.use(asyncMiddleware(archivedEnterpriseVersionsAssets))
 
diff --git a/src/frame/middleware/manifest-json.ts b/src/frame/middleware/manifest-json.ts
index df951553b5d1..87b666fd2066 100644
--- a/src/frame/middleware/manifest-json.ts
+++ b/src/frame/middleware/manifest-json.ts
@@ -32,7 +32,7 @@ export default async function manifestJson(req: Request, res: Response, next: Ne
   if (req.url !== '/manifest.json') {
     // E.g. `/manifest.json/anything` or `/manifest.json?foo=bar`
     defaultCacheControl(res)
-    return res.redirect(302, '/manifest.json')
+    return res.safeRedirect(302, '/manifest.json')
   }
 
   const icons: Icon[] = []
diff --git a/src/frame/middleware/safe-redirect.ts b/src/frame/middleware/safe-redirect.ts
new file mode 100644
index 000000000000..0c875bfe9ed7
--- /dev/null
+++ b/src/frame/middleware/safe-redirect.ts
@@ -0,0 +1,29 @@
+import type { Response, NextFunction } from 'express'
+
+import type { ExtendedRequest } from '@/types'
+
+// Normalizes a redirect URL to prevent open redirects via protocol-relative
+// URLs (e.g. "//evil.com" which browsers interpret as "https://evil.com").
+export function safeRedirectUrl(url: string): string {
+  return url.replace(/^\/\/+/, '/')
+}
+
+// Matches the overloaded signature of Express's res.redirect().
+export type SafeRedirect = {
+  (url: string): void
+  (status: number, url: string): void
+}
+
+// Attaches res.safeRedirect() to the response for all downstream middleware.
+// Same signature as res.redirect() but normalizes the URL first.
+export default function safeRedirect(req: ExtendedRequest, res: Response, next: NextFunction) {
+  res.safeRedirect = function (statusOrUrl: number | string, url?: string) {
+    if (typeof statusOrUrl === 'number' && url !== undefined) {
+      // eslint-disable-next-line no-restricted-syntax
+      return res.redirect(statusOrUrl, safeRedirectUrl(url))
+    }
+    // eslint-disable-next-line no-restricted-syntax
+    return res.redirect(safeRedirectUrl(statusOrUrl as string))
+  }
+  return next()
+}
diff --git a/src/frame/middleware/trailing-slashes.ts b/src/frame/middleware/trailing-slashes.ts
index 572cb5678692..53e34ac1856d 100644
--- a/src/frame/middleware/trailing-slashes.ts
+++ b/src/frame/middleware/trailing-slashes.ts
@@ -17,7 +17,7 @@ export default function trailingSlashes(req: ExtendedRequest, res: Response, nex
       }
       url = url.replace(/\/+/g, '/') // Prevent multiple slashes
       defaultCacheControl(res)
-      return res.redirect(301, url)
+      return res.safeRedirect(301, url)
     }
   }
 
diff --git a/src/redirects/middleware/handle-redirects.ts b/src/redirects/middleware/handle-redirects.ts
index 606744a7c8b9..c7850e3c1215 100644
--- a/src/redirects/middleware/handle-redirects.ts
+++ b/src/redirects/middleware/handle-redirects.ts
@@ -18,7 +18,7 @@ export default function handleRedirects(req: ExtendedRequest, res: Response, nex
   // This must be done before checking if the path
   // is an asset (patterns.assetPaths)
   if (req.path.includes('//')) {
-    return res.redirect(301, req.path.replace(/\/+/g, '/'))
+    return res.safeRedirect(301, req.path.replace(/\/+/g, '/'))
   }
 
   // never redirect assets
@@ -45,7 +45,7 @@ export default function handleRedirects(req: ExtendedRequest, res: Response, nex
     if (queryParams) {
       queryParams = `?${queryParams}`
     }
-    return res.redirect(302, redirectPath + queryParams)
+    return res.safeRedirect(302, redirectPath + queryParams)
   }
 
   // begin redirect handling
@@ -80,7 +80,7 @@ export default function handleRedirects(req: ExtendedRequest, res: Response, nex
     }
 
     redirectTo += `/search?${sp.toString()}`
-    return res.redirect(301, redirectTo)
+    return res.safeRedirect(301, redirectTo)
   }
 
   // have to do this now because searchPath replacement changes the path as well as the query params
@@ -146,7 +146,7 @@ export default function handleRedirects(req: ExtendedRequest, res: Response, nex
   }
 
   const permanent = redirect.includes('://') || usePermanentRedirect(req)
-  return res.redirect(permanent ? 301 : 302, redirect)
+  return res.safeRedirect(permanent ? 301 : 302, redirect)
 }
 
 function getLanguage(req: ExtendedRequest, default_ = 'en') {
diff --git a/src/redirects/middleware/language-code-redirects.ts b/src/redirects/middleware/language-code-redirects.ts
index fc45fca9eac9..d4561c734497 100644
--- a/src/redirects/middleware/language-code-redirects.ts
+++ b/src/redirects/middleware/language-code-redirects.ts
@@ -44,7 +44,7 @@ export default function languageCodeRedirects(
     const [code, pattern] = matched
     if (code && pattern) {
       defaultCacheControl(res)
-      return res.redirect(301, req.path.replace(pattern, `/${code}`))
+      return res.safeRedirect(301, req.path.replace(pattern, `/${code}`))
     }
   }
   return next()
diff --git a/src/redirects/tests/safe-redirect-url.ts b/src/redirects/tests/safe-redirect-url.ts
new file mode 100644
index 000000000000..962dc6c47a73
--- /dev/null
+++ b/src/redirects/tests/safe-redirect-url.ts
@@ -0,0 +1,37 @@
+import { describe, expect, test } from 'vitest'
+
+import { safeRedirectUrl } from '@/frame/middleware/safe-redirect'
+
+describe('safeRedirectUrl', () => {
+  test('collapses leading double slashes to single slash', () => {
+    expect(safeRedirectUrl('//evil.com')).toBe('/evil.com')
+  })
+
+  test('collapses leading triple slashes to single slash', () => {
+    expect(safeRedirectUrl('///evil.com')).toBe('/evil.com')
+  })
+
+  test('collapses many leading slashes to single slash', () => {
+    expect(safeRedirectUrl('////evil.com/path')).toBe('/evil.com/path')
+  })
+
+  test('preserves single leading slash', () => {
+    expect(safeRedirectUrl('/en/get-started')).toBe('/en/get-started')
+  })
+
+  test('preserves query strings', () => {
+    expect(safeRedirectUrl('//evil.com?a=1&b=2')).toBe('/evil.com?a=1&b=2')
+  })
+
+  test('does not modify double slashes in the middle of a path', () => {
+    expect(safeRedirectUrl('/en//get-started')).toBe('/en//get-started')
+  })
+
+  test('handles root path', () => {
+    expect(safeRedirectUrl('/')).toBe('/')
+  })
+
+  test('handles empty string', () => {
+    expect(safeRedirectUrl('')).toBe('')
+  })
+})
diff --git a/src/release-notes/middleware/ghes-release-notes.ts b/src/release-notes/middleware/ghes-release-notes.ts
index c2cd946d80f5..f2b563d878b8 100644
--- a/src/release-notes/middleware/ghes-release-notes.ts
+++ b/src/release-notes/middleware/ghes-release-notes.ts
@@ -34,7 +34,7 @@ export default async function ghesReleaseNotesContext(
   // Otherwise, 404.
   if (!Object.keys(ghesReleaseNotes).includes(requestedRelease.replace(/\./, '-'))) {
     return all.includes(requestedRelease)
-      ? res.redirect(`https://enterprise.github.com/releases/${requestedRelease}.0/notes`)
+      ? res.safeRedirect(`https://enterprise.github.com/releases/${requestedRelease}.0/notes`)
       : next()
   }
 
diff --git a/src/search/middleware/ai-search.ts b/src/search/middleware/ai-search.ts
index 71b32e29c4f2..0ff0aff98edd 100644
--- a/src/search/middleware/ai-search.ts
+++ b/src/search/middleware/ai-search.ts
@@ -16,7 +16,7 @@ router.post(
 
 // Redirect to most recent version
 router.post('/', (req, res) => {
-  res.redirect(307, req.originalUrl.replace('/ai-search', '/ai-search/v1'))
+  res.safeRedirect(307, req.originalUrl.replace('/ai-search', '/ai-search/v1'))
 })
 
 export default router
diff --git a/src/search/middleware/search-routes.ts b/src/search/middleware/search-routes.ts
index 8deb2040f641..fdb85d187ddd 100644
--- a/src/search/middleware/search-routes.ts
+++ b/src/search/middleware/search-routes.ts
@@ -53,18 +53,18 @@ export async function handleGetSearchResultsError(
 
 // Redirects search routes to their latest versions
 router.get('/', (req: Request, res: Response) => {
-  res.redirect(307, req.originalUrl.replace('/search', '/search/v1'))
+  res.safeRedirect(307, req.originalUrl.replace('/search', '/search/v1'))
 })
 
 router.get('/ai-search-autocomplete', (req: Request, res: Response) => {
-  res.redirect(
+  res.safeRedirect(
     307,
     req.originalUrl.replace('/search/ai-search-autocomplete', '/search/ai-search-autocomplete/v1'),
   )
 })
 
 router.get('/combined-search', (req: Request, res: Response) => {
-  res.redirect(
+  res.safeRedirect(
     307,
     req.originalUrl.replace('/search/combined-search', '/search/combined-search/v1'),
   )
diff --git a/src/shielding/middleware/handle-invalid-paths.ts b/src/shielding/middleware/handle-invalid-paths.ts
index b13e99d3ca2d..0970bd3281cd 100644
--- a/src/shielding/middleware/handle-invalid-paths.ts
+++ b/src/shielding/middleware/handle-invalid-paths.ts
@@ -86,7 +86,7 @@ export default function handleInvalidPaths(
   if (req.path.endsWith('/index.md')) {
     defaultCacheControl(res)
     const newUrl = req.originalUrl.replace(req.path, req.path.replace(/\/index\.md$/, ''))
-    return res.redirect(newUrl)
+    return res.safeRedirect(newUrl)
   } else if (req.path.endsWith('.md')) {
     req.url = req.url.replace(/\.md($|\?)/, '$1')
     req.originalUrl = req.originalUrl.replace(/\.md($|\?)/, '$1')
diff --git a/src/shielding/middleware/handle-invalid-query-string-values.ts b/src/shielding/middleware/handle-invalid-query-string-values.ts
index 39409d63be86..3ff3cdbb42ed 100644
--- a/src/shielding/middleware/handle-invalid-query-string-values.ts
+++ b/src/shielding/middleware/handle-invalid-query-string-values.ts
@@ -60,7 +60,7 @@ export default function handleInvalidQuerystringValues(
           defaultCacheControl(res)
           let newURL = req.path
           if (sp.toString()) newURL += `?${sp}`
-          res.redirect(302, newURL)
+          res.safeRedirect(302, newURL)
 
           const tags = ['response:302', `url:${req.url}`, `path:${req.path}`, `key:${key}`]
           statsd.increment(STATSD_KEY, 1, tags)
diff --git a/src/shielding/middleware/handle-invalid-query-strings.ts b/src/shielding/middleware/handle-invalid-query-strings.ts
index d53e911a5468..0bb7ec2942e4 100644
--- a/src/shielding/middleware/handle-invalid-query-strings.ts
+++ b/src/shielding/middleware/handle-invalid-query-strings.ts
@@ -148,7 +148,7 @@ export default function handleInvalidQuerystrings(
       let newURL = req.path
       if (sp.toString()) newURL += `?${sp}`
 
-      res.redirect(302, newURL)
+      res.safeRedirect(302, newURL)
 
       const tags = [
         'response:302',
diff --git a/src/shielding/tests/invalid-querystrings.ts b/src/shielding/tests/invalid-querystrings.ts
index 2e4ef943c523..1619ae7f25a1 100644
--- a/src/shielding/tests/invalid-querystrings.ts
+++ b/src/shielding/tests/invalid-querystrings.ts
@@ -101,6 +101,15 @@ describe('invalid query strings', () => {
     expect(res.body).not.toContain('<script>')
     expect(res.body).not.toContain('alert')
   })
+
+  test('redirect from unrecognized query strings does not produce open redirect', async () => {
+    // This is the exact PoC from the bug bounty report.
+    // With enough unrecognized query keys, the middleware redirects
+    // using req.path. res.safeRedirect normalizes // to / so the
+    // Location header can never be a protocol-relative URL.
+    const res = await get('//evil.com?a=1&b=2&c=3')
+    expect(res.headers.location).not.toMatch(/^\/\//)
+  })
 })
 
 function randomCharacters(length: number) {
diff --git a/src/shielding/tests/shielding.ts b/src/shielding/tests/shielding.ts
index 1953845d558c..381cbd8bd918 100644
--- a/src/shielding/tests/shielding.ts
+++ b/src/shielding/tests/shielding.ts
@@ -21,6 +21,26 @@ describe('junk paths', () => {
     expect(res.headers['cache-control']).toMatch('public')
   })
 
+  test('double-slash protocol-relative paths are safely redirected', async () => {
+    const res = await get('//evil.com')
+    expect(res.statusCode).toBe(301)
+    // Must normalize to a safe local path, not redirect externally
+    expect(res.headers.location).toBe('/evil.com')
+  })
+
+  test('double-slash with query params does not open redirect', async () => {
+    const res = await get('//evil.com?a=1&b=2&c=3')
+    // With 3 unrecognized query keys, the query string middleware redirects
+    // using res.safeRedirect which normalizes // to /
+    expect(res.headers.location).not.toMatch(/^\/\//)
+  })
+
+  test('triple-slash paths are still blocked', async () => {
+    const res = await get('///evil.com')
+    expect(res.statusCode).toBe(404)
+    expect(res.headers['content-type']).toMatch('text/plain')
+  })
+
   test('junk base name', async () => {
     const res = await get('/en/get-started/.env.local')
     expect(res.statusCode).toBe(404)
diff --git a/src/types/express.d.ts b/src/types/express.d.ts
new file mode 100644
index 000000000000..7205db6ddbc0
--- /dev/null
+++ b/src/types/express.d.ts
@@ -0,0 +1,9 @@
+import type { SafeRedirect } from '@/frame/middleware/safe-redirect'
+
+declare global {
+  namespace Express {
+    interface Response {
+      safeRedirect: SafeRedirect
+    }
+  }
+}

From 97100fb167e2bd4163591f8833e39918644dd639 Mon Sep 17 00:00:00 2001
From: Kevin Heis <heiskr@users.noreply.github.com>
Date: Mon, 16 Mar 2026 10:49:29 -0700
Subject: [PATCH 2/8] Emit heap/RSS gauges on every healthcheck hit (#60227)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 src/frame/middleware/healthcheck.ts | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/frame/middleware/healthcheck.ts b/src/frame/middleware/healthcheck.ts
index a230878b6381..e2c8d228e4ac 100644
--- a/src/frame/middleware/healthcheck.ts
+++ b/src/frame/middleware/healthcheck.ts
@@ -1,5 +1,6 @@
 import express from 'express'
 import { noCacheControl } from './cache-control'
+import statsd from '@/observability/lib/statsd'
 
 const router = express.Router()
 
@@ -12,6 +13,12 @@ const router = express.Router()
 router.get('/', function healthcheck(req, res) {
   noCacheControl(res)
 
+  const mem = process.memoryUsage()
+  statsd.gauge('memory_heap_used', mem.heapUsed, ['event:healthcheck'])
+  statsd.gauge('memory_heap_total', mem.heapTotal, ['event:healthcheck'])
+  statsd.gauge('memory_rss', mem.rss, ['event:healthcheck'])
+  statsd.gauge('memory_external', mem.external, ['event:healthcheck'])
+
   res.sendStatus(200)
 })
 

From 9d6e62124de8e17a5c9ccf58f4f2ca0437b21e2a Mon Sep 17 00:00:00 2001
From: Kevin Heis <heiskr@users.noreply.github.com>
Date: Mon, 16 Mar 2026 10:50:02 -0700
Subject: [PATCH 3/8] Disable Next.js in-memory cache (#60229)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 next.config.ts | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/next.config.ts b/next.config.ts
index 9cb550450c21..8c070472000f 100644
--- a/next.config.ts
+++ b/next.config.ts
@@ -83,6 +83,13 @@ const config: NextConfig = {
   // the CDN marks the cached content as "fresh".
   generateEtags: false,
 
+  // Disable Next.js's in-memory data cache. We don't use ISR or cached
+  // fetch — all pages render via Express middleware with getServerSideProps.
+  // The default 50 MB cache is unnecessary overhead during a memory-leak
+  // investigation and is implicated in known Next.js 16.1.x memory issues
+  // (vercel/next.js#88603).
+  cacheMaxMemorySize: 0,
+
   compiler: {
     styledComponents: true,
   },

From bf69e093f43d2751ddbe9a2f789ab5f3d2a98817 Mon Sep 17 00:00:00 2001
From: Kevin Heis <heiskr@users.noreply.github.com>
Date: Mon, 16 Mar 2026 10:51:00 -0700
Subject: [PATCH 4/8] Document heap vs memory request relationship in config
 comments (#60248)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 config/kubernetes/default/deployments/webapp.yaml    | 3 +++
 config/kubernetes/production/deployments/webapp.yaml | 3 +++
 config/moda/configuration/default/env.yaml           | 6 ++++++
 config/moda/configuration/production/env.yaml        | 6 ++++++
 4 files changed, 18 insertions(+)

diff --git a/config/kubernetes/default/deployments/webapp.yaml b/config/kubernetes/default/deployments/webapp.yaml
index d64f7278da93..f71de2831a19 100644
--- a/config/kubernetes/default/deployments/webapp.yaml
+++ b/config/kubernetes/default/deployments/webapp.yaml
@@ -25,6 +25,9 @@ spec:
             requests:
               cpu: 1000m
               memory: 4500Mi
+              # Keep ~600 MB headroom above --max-old-space-size in
+              # config/moda/configuration/default/env.yaml for Node
+              # off-heap memory and OS overhead.
             limits:
               cpu: 8000m
               memory: 16Gi
diff --git a/config/kubernetes/production/deployments/webapp.yaml b/config/kubernetes/production/deployments/webapp.yaml
index 839a6f322efe..387e4524b4cd 100644
--- a/config/kubernetes/production/deployments/webapp.yaml
+++ b/config/kubernetes/production/deployments/webapp.yaml
@@ -34,6 +34,9 @@ spec:
               # Absolute minimum to start app is 4500Mi
               # Would increase with more pages, versions, or languages supported
               # The additional memory helps during traffic surges
+              # Keep ~600 MB headroom above --max-old-space-size in
+              # config/moda/configuration/production/env.yaml for Node
+              # off-heap memory and OS overhead.
             limits:
               cpu: 16000m
               memory: 16Gi
diff --git a/config/moda/configuration/default/env.yaml b/config/moda/configuration/default/env.yaml
index 096f675f6135..10360f1b261c 100644
--- a/config/moda/configuration/default/env.yaml
+++ b/config/moda/configuration/default/env.yaml
@@ -1,6 +1,12 @@
 data:
   MODA_APP_NAME: docs-internal
   NODE_ENV: production
+  # V8 heap limit (--max-old-space-size) should leave at least ~600 MiB
+  # below the K8s memory request for Node off-heap memory (Buffers,
+  # V8 code cache, libuv) and OS overhead. If you change the memory
+  # request in config/kubernetes/default/deployments/webapp.yaml,
+  # update this value to match.
+  # Current: 4500 MiB request, 4096 MiB heap = 404 MiB headroom
   NODE_OPTIONS: '--max-old-space-size=4096'
   PORT: '4000'
   ENABLED_LANGUAGES: 'en,es,ja,pt,zh,ru,fr,ko,de'
diff --git a/config/moda/configuration/production/env.yaml b/config/moda/configuration/production/env.yaml
index 604d4c0fbce0..feae34ade6c6 100644
--- a/config/moda/configuration/production/env.yaml
+++ b/config/moda/configuration/production/env.yaml
@@ -1,6 +1,12 @@
 data:
   MODA_APP_NAME: docs-internal
   NODE_ENV: production
+  # V8 heap limit (--max-old-space-size) should leave at least ~600 MiB
+  # below the K8s memory request for Node off-heap memory (Buffers,
+  # V8 code cache, libuv) and OS overhead. If you change the memory
+  # request in config/kubernetes/production/deployments/webapp.yaml,
+  # update this value to match.
+  # Current: 8.0 Gi (8192 MiB) request, 7168 MiB heap = 1024 MiB headroom
   NODE_OPTIONS: '--max-old-space-size=7168'
   PORT: '4000'
   ENABLED_LANGUAGES: 'en,es,ja,pt,zh,ru,fr,ko,de'

From 732cc45938095503288140eab806cf86ac8e1570 Mon Sep 17 00:00:00 2001
From: Kevin Heis <heiskr@users.noreply.github.com>
Date: Mon, 16 Mar 2026 10:51:26 -0700
Subject: [PATCH 5/8] Set fetch-depth: 2 on workflows using
 tj-actions/changed-files (#60219)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/content-lint-markdown.yml | 3 +++
 .github/workflows/link-check-on-pr.yml      | 3 +++
 .github/workflows/readability.yml           | 5 +++--
 .github/workflows/reviewers-legal.yml       | 3 +++
 .github/workflows/test-changed-content.yml  | 3 +++
 .github/workflows/test.yml                  | 3 +++
 6 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/content-lint-markdown.yml b/.github/workflows/content-lint-markdown.yml
index 763153696e17..80f35ec503a7 100644
--- a/.github/workflows/content-lint-markdown.yml
+++ b/.github/workflows/content-lint-markdown.yml
@@ -24,6 +24,9 @@ jobs:
     steps:
       - name: Check out repo
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          # Fetch 2 commits so tj-actions/changed-files can diff without extra API calls
+          fetch-depth: 2
 
       - name: Set up Node and dependencies
         uses: ./.github/actions/node-npm-setup
diff --git a/.github/workflows/link-check-on-pr.yml b/.github/workflows/link-check-on-pr.yml
index e8d45c2c6594..a52eca933d46 100644
--- a/.github/workflows/link-check-on-pr.yml
+++ b/.github/workflows/link-check-on-pr.yml
@@ -30,6 +30,9 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          # Fetch 2 commits so tj-actions/changed-files can diff without extra API calls
+          fetch-depth: 2
 
       - uses: ./.github/actions/node-npm-setup
 
diff --git a/.github/workflows/readability.yml b/.github/workflows/readability.yml
index 8dd17a44fd85..119467017215 100644
--- a/.github/workflows/readability.yml
+++ b/.github/workflows/readability.yml
@@ -27,10 +27,11 @@ jobs:
     if: github.repository == 'github/docs-internal'
     runs-on: ubuntu-latest
     steps:
-      - name: Check out repo with full history
+      - name: Check out repo
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
-          fetch-depth: 0
+          # Fetch 2 commits so tj-actions/changed-files can diff without extra API calls
+          fetch-depth: 2
 
       - name: Checkout PR for manual dispatch
         if: ${{ github.event_name == 'workflow_dispatch' }}
diff --git a/.github/workflows/reviewers-legal.yml b/.github/workflows/reviewers-legal.yml
index ff9c0f977e02..c88c1bafee67 100644
--- a/.github/workflows/reviewers-legal.yml
+++ b/.github/workflows/reviewers-legal.yml
@@ -33,6 +33,9 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v6.0.1
+        with:
+          # Fetch 2 commits so tj-actions/changed-files can diff without extra API calls
+          fetch-depth: 2
 
       - name: Get changed files
         id: changed_files
diff --git a/.github/workflows/test-changed-content.yml b/.github/workflows/test-changed-content.yml
index 85fc0bc6d733..a4788a89416e 100644
--- a/.github/workflows/test-changed-content.yml
+++ b/.github/workflows/test-changed-content.yml
@@ -28,6 +28,9 @@ jobs:
       # Even if if doesn't do anything
       - name: Check out repo
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          # Fetch 2 commits so tj-actions/changed-files can diff without extra API calls
+          fetch-depth: 2
 
       - uses: ./.github/actions/node-npm-setup
 
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 031c8d7b0135..645d00c4bae1 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -88,6 +88,9 @@ jobs:
       # Even if if doesn't do anything
       - name: Check out repo
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          # Fetch 2 commits so tj-actions/changed-files can diff without extra API calls
+          fetch-depth: 2
 
       - uses: ./.github/actions/setup-elasticsearch
         if: ${{ matrix.name == 'search' || matrix.name == 'languages' }}

From e99561e97315762ddf7ea05af46661ef0f0582ca Mon Sep 17 00:00:00 2001
From: Kevin Heis <heiskr@users.noreply.github.com>
Date: Mon, 16 Mar 2026 10:51:46 -0700
Subject: [PATCH 6/8] Fix 241 translation corruption patterns across all
 languages (#60217)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .../lib/correct-translation-content.ts        | 289 +++++++++++++++++-
 .../tests/correct-translation-content.ts      | 155 ++++++++++
 2 files changed, 436 insertions(+), 8 deletions(-)
 create mode 100644 src/languages/tests/correct-translation-content.ts

diff --git a/src/languages/lib/correct-translation-content.ts b/src/languages/lib/correct-translation-content.ts
index 3cff597756e1..2d813135a280 100644
--- a/src/languages/lib/correct-translation-content.ts
+++ b/src/languages/lib/correct-translation-content.ts
@@ -23,14 +23,44 @@ export function correctTranslatedContentStrings(
   // --- Per-language fixes (es, ja, pt, zh, ru, fr, ko, de) ---
 
   if (context.code === 'es') {
+    // Remove colon prefix on Liquid tags: `{%:` → `{%`
+    content = content.replace(/\{%:/g, '{%')
+
     content = content.replaceAll('{% vulnerables variables.', '{% data variables.')
     content = content.replaceAll('{% datos variables', '{% data variables')
     content = content.replaceAll('{% de datos variables', '{% data variables')
     content = content.replaceAll('{% datos reusables', '{% data reusables')
     content = content.replaceAll('{% data reutilizables.', '{% data reusables.')
-    // Catch "o" between any plan names in ifversion/elsif tags
-    content = content.replace(/\{%-? (?:ifversion|elsif) [^%]*?\bo\b[^%]*?%\}/g, (match) => {
-      return match.replace(/ o /g, ' or ')
+    // Translated Liquid keywords
+    content = content.replaceAll('{% comentario %}', '{% comment %}')
+    content = content.replaceAll('{% si ', '{% if ')
+    content = content.replaceAll('{% sin procesar %}', '{% raw %}')
+    content = content.replaceAll('{% %} sin procesar', '{% raw %}')
+    // "sin formato" is another translation of "raw"
+    content = content.replace(/\{%\s*%?sin formato\s*\}/g, '{% raw %}')
+    content = content.replaceAll(
+      '{% para glosario en glosarios %}',
+      '{% for glossary in glossaries %}',
+    )
+    content = content.replaceAll('{{ glosario.term }}', '{{ glossary.term }}')
+    content = content.replaceAll('{{ glosario.description }}', '{{ glossary.description }}')
+    // Catch "o" and "y/o" between any plan names in ifversion/elsif tags
+    content = content.replace(
+      /\{%-? (?:ifversion|elsif) [^%]*?(?:\by\/o\b|\bo\b)[^%]*?%\}/g,
+      (match) => {
+        return match.replace(/ y\/o /g, ' or ').replace(/ o /g, ' or ')
+      },
+    )
+    // Spanish "no" for "not" in ifversion tags
+    content = content.replace(/\{%-? (?:ifversion|elsif) [^%]*?\bno\b[^%]*?%\}/g, (match) => {
+      return match.replace(/ no /g, ' not ')
+    })
+    // Translated for-loop keywords
+    content = content.replace(/\{%-? para (?:la )?entrada en /g, (match) => {
+      return match.replace(/para (?:la )?entrada en/, 'for entry in')
+    })
+    content = content.replace(/\{%-? cuando /g, (match) => {
+      return match.replace('cuando', 'when')
     })
   }
 
@@ -43,6 +73,8 @@ export function correctTranslatedContentStrings(
     content = content.replaceAll('{% データ再利用可能.', '{% data reusables.')
     content = content.replaceAll('{% データ再利用.', '{% data reusables.')
     content = content.replaceAll('{% メモ %}', '{% note %}')
+    // Double-brace corruption of `{% data`: `{% {{データ}} variables.` → `{% data variables.`
+    content = content.replaceAll('{{データ}} variables.', 'data variables.')
     // Catch "または" between any plan names in ifversion/elsif tags
     content = content.replace(/\{%-? (?:ifversion|elsif) [^%]*?または[^%]*?%\}/g, (match) => {
       return match.replace(/ または /g, ' or ')
@@ -56,6 +88,96 @@ export function correctTranslatedContentStrings(
     // space (\u200A) between `]` and `(` so the parser treats them as
     // separate tokens.
     content = content.replace(/\[(\[.*?\])(\(\S+\)\]\()/g, '[$1\u200A$2')
+
+    // Translated Liquid keywords in case/when/comment/endcomment statements
+    content = content.replaceAll('{%- それ以外の場合 %}', '{%- else %}')
+    content = content.replaceAll('{% それ以外の場合 %}', '{% else %}')
+    content = content.replaceAll('{%- エンドケース -%}', '{%- endcase -%}')
+    content = content.replaceAll('{% エンドケース %}', '{% endcase %}')
+    content = content.replaceAll('{%- コメント %}', '{%- comment %}')
+    content = content.replaceAll('{% コメント %}', '{% comment %}')
+    content = content.replaceAll('{%- 終了コメント %}', '{%- endcomment %}')
+    content = content.replaceAll('{% 終了コメント %}', '{% endcomment %}')
+    content = content.replaceAll('{% エンドビジュアルスタジオ %}', '{% endvisualstudio %}')
+    content = content.replaceAll('{% エクリプス %}', '{% eclipse %}')
+    // `{%- "supported" %}` → `{%- when "supported" %}` (missing `when`)
+    // Preserves original trim syntax (`{%-` vs `{%`)
+    content = content.replace(/\{%-?\s*"(supported|not_supported|preview)"\s*%\}/g, (match) => {
+      return match.replace(/(%-?)\s*"/, '$1 when "')
+    })
+    content = content.replace(
+      /\{%-?\s*"(サポートされている|サポートされていません|プレビュー)"\s*%\}/g,
+      (match) => {
+        return match
+          .replace('サポートされている', 'supported')
+          .replace('サポートされていません', 'not_supported')
+          .replace('プレビュー', 'preview')
+          .replace(/(%-?)\s*"/, '$1 when "')
+      },
+    )
+
+    // Empty trim tag `{%- %}C` → `{%- when "closing-down" %}C` (translation stripped `when "closing-down"`)
+    content = content.replaceAll('{%- %}C', '{%- when "closing-down" %}C')
+
+    // Deeply translated Liquid for-loops in table-generation templates.
+    // `{%- COLLECTION の VARNAME -%}` → `{%- for VARNAME in COLLECTION -%}`
+    // Covers `tables.X`, `groupVersions`, `ideEntry.features`, etc.
+    content = content.replace(
+      /\{%-?\s*([\w.]+(?:\[[\w"']+\])?)\s+の\s+(\w+)\s*-?%\}/g,
+      (match, collectionPath, varName) => {
+        const dash = match.startsWith('{%-') ? '{%-' : '{%'
+        const closeDash = match.endsWith('-%}') ? '-%}' : '%}'
+        return `${dash} for ${varName} in ${collectionPath} ${closeDash}`
+      },
+    )
+    // `{%- COLLECTION %} の VARNAME の場合` → `{%- for VARNAME in COLLECTION %}`
+    // Variant where の and variable name appear OUTSIDE the tag close
+    content = content.replace(
+      /\{%-?\s*([\w.]+(?:\[[\w"']+\])?)\s*-?%\}\s+の(\w+)の場合/g,
+      (match, collectionPath, varName) => {
+        const dash = match.startsWith('{%-') ? '{%-' : '{%'
+        return `${dash} for ${varName} in ${collectionPath} %}`
+      },
+    )
+    // `{{ バージョン }}` → `{{ version }}`
+    content = content.replaceAll('{{ バージョン }}', '{{ version }}')
+    content = content.replaceAll('{{ 言語 }}', '{{ language }}')
+    // `{%- 言語を割り当てる = X %}` → `{%- assign language = X %}`
+    content = content.replace(/\{%-?\s*言語を割り当てる\s*=\s*/g, (match) =>
+      match.startsWith('{%-') ? '{%- assign language = ' : '{% assign language = ',
+    )
+    // `{%- featureData = X %} を割り当てる` → `{%- assign featureData = X %}`
+    // and similar `= X %} を割り当てる` patterns
+    content = content.replace(
+      /\{%-?\s*(\w+)\s*=\s*([^%]+?)%\}\s*を割り当てる/g,
+      (match, varName, value) => {
+        const dash = match.startsWith('{%-') ? '{%-' : '{%'
+        return `${dash} assign ${varName} = ${value.trim()} %}`
+      },
+    )
+    // `{%- ... -%} の割り当て` (stray "assignment of" after a tag) → strip it
+    content = content.replaceAll(' の割り当て', '')
+    // `{%- ... -%} の場合` ("in the case of" = if) → strip, the `if` is already in the tag
+    content = content.replaceAll(' の場合', '')
+
+    // Missing `if` in condition checks: `{%- featureData.X %}` → `{%- if featureData.X %}`
+    content = content.replace(
+      /\{%-?\s*((?:featureData|supportLevel|languageData|entry)\.\w+)\s*-?%\}/g,
+      (match, condition) => {
+        const dash = match.startsWith('{%-') ? '{%-' : '{%'
+        const closeDash = match.endsWith('-%}') ? '-%}' : '%}'
+        return `${dash} if ${condition} ${closeDash}`
+      },
+    )
+    // Missing `assign` in assignments: `{%- varName = value %}` (no trailing keyword)
+    content = content.replace(
+      /\{%-?\s*(featureKey|featureData|supportLevel|languageData|groupName|groupVersions)\s*=\s*([^%]+?)-?%\}/g,
+      (match, varName, value) => {
+        const dash = match.startsWith('{%-') ? '{%-' : '{%'
+        const closeDash = match.endsWith('-%}') ? '-%}' : '%}'
+        return `${dash} assign ${varName} = ${value.trim()} ${closeDash}`
+      },
+    )
   }
 
   if (context.code === 'pt') {
@@ -65,6 +187,13 @@ export function correctTranslatedContentStrings(
     content = content.replaceAll('{{% dados ', '{% data ')
     content = content.replaceAll('{{% datas ', '{% data ')
     content = content.replaceAll('{% senão %}', '{% else %}')
+    content = content.replaceAll('{% mais %}', '{% else %}')
+    content = content.replaceAll('{% se ', '{% if ')
+    content = content.replaceAll('{% atribuir ', '{% assign ')
+    content = content.replaceAll('{% %} bruto', '{% raw %}')
+    content = content.replaceAll('{% %de dados reusables.', '{% data reusables.')
+    content = content.replaceAll('{% %de dados variables.', '{% data variables.')
+    content = content.replaceAll('{% %móvel }', '{% mobile %}')
     // Catch "ou" between any plan names in ifversion/elsif tags
     content = content.replace(/\{%-? (?:ifversion|elsif) [^%]*?ou [^%]*?%\}/g, (match) => {
       return match.replace(/ ou /g, ' or ')
@@ -78,6 +207,11 @@ export function correctTranslatedContentStrings(
     content = content.replaceAll('{% 数据可重用s.', '{% data reusables.')
     content = content.replaceAll('{% 其他 %}', '{% else %}')
     content = content.replaceAll('{% 原始 %}', '{% raw %}')
+    // Chinese `如果` = "if": `{ 如果 X %}` → `{% if X %}`
+    content = content.replace(/\{ 如果 /g, '{% if ')
+    // Stray Chinese `，则为` ("then") merged with `{%` before HTML: `，则为 {%<tag>` → `<tag>`
+    // The regex consumes the `<` to avoid producing a double `<<`.
+    content = content.replace(/，则为 \{%</g, '<')
     // Catch "或" between any plan names in ifversion/elsif tags
     content = content.replace(/\{%-? (?:ifversion|elsif) [^%]*?或[^%]*?%\}/g, (match) => {
       return match.replace(/ 或 /g, ' or ')
@@ -87,6 +221,7 @@ export function correctTranslatedContentStrings(
   if (context.code === 'ru') {
     content = content.replaceAll('[«AUTOTITLE»](', '[AUTOTITLE](')
     content = content.replaceAll('{% данных variables', '{% data variables')
+    content = content.replaceAll('{% данных, variables', '{% data variables')
     content = content.replaceAll('{% данными variables', '{% data variables')
     content = content.replaceAll('{% данных организации variables', '{% data variables')
     content = content.replaceAll('{% данным variables.', '{% data variables.')
@@ -94,9 +229,24 @@ export function correctTranslatedContentStrings(
     content = content.replaceAll('{% данных reusables', '{% data reusables')
     content = content.replaceAll('{% данные reusables', '{% data reusables')
     content = content.replaceAll('{% данных переменных.', '{% data variables.')
-    content = content.replaceAll('{% данных.product.', '{% data variables.product.')
-    content = content.replaceAll('{% data переменных.product.', '{% data variables.product.')
-    content = content.replaceAll('{% переменным данных.product.', '{% data variables.product.')
+    // Broaden `{% данных.X` → `{% data variables.X` (covers .product., .dependency-review., .code-scanning., etc.)
+    content = content.replaceAll('{% данных.', '{% data variables.')
+    content = content.replaceAll('{% data переменных.', '{% data variables.')
+    content = content.replaceAll('{% переменным данных.', '{% data variables.')
+    // Broader "переменных данных" pattern — covers .dependency-review, .code-scanning, etc.
+    content = content.replaceAll('{% переменных данных.', '{% data variables.')
+    // Dot-prefix paths where `data variables` was entirely dropped
+    content = content.replaceAll('{% .dependency-review.', '{% data variables.dependency-review.')
+    content = content.replaceAll('{% .code-scanning.', '{% data variables.code-scanning.')
+    // Same without space after `{%`
+    content = content.replaceAll('{%.dependency-review.', '{% data variables.dependency-review.')
+    content = content.replaceAll('{%.code-scanning.', '{% data variables.code-scanning.')
+    content = content.replaceAll('{%.copilot.', '{% data variables.copilot.')
+    // Stray `"` between `данных` and `variables`
+    content = content.replaceAll('{% данных" variables', '{% data variables')
+    content = content.replaceAll('{%" variables.', '{% data variables.')
+    // Stray `,` replacing `data`
+    content = content.replaceAll('{%, variables.', '{% data variables.')
     content = content.replaceAll('{% необработанного %}', '{% raw %}')
     content = content.replaceAll('{%- ifversion fpt или ghec %}', '{%- ifversion fpt or ghec %}')
     content = content.replaceAll('{% ifversion fpt или ghec %}', '{% ifversion fpt or ghec %}')
@@ -109,7 +259,23 @@ export function correctTranslatedContentStrings(
     })
     content = content.replaceAll('{% endif _%}', '{% endif %}')
     content = content.replaceAll('{% конечным %}', '{% endif %}')
+    // `{% конец %}` after `{% raw %}` means `{% endraw %}`, not `{% endif %}`.
+    // Handle this BEFORE the generic `{% конец %}` → `{% endif %}` fallback.
+    content = content.replace(/(\{% raw %\}[^]*?)\{% конец %\}/g, '$1{% endraw %}')
     content = content.replaceAll('{% конец %}', '{% endif %}')
+    // Cyrillic transliteration of `elsif` (lossy → else, since version param is lost)
+    content = content.replaceAll('{% Эльсиф %}', '{% else %}')
+    // Translated feature flag names
+    content = content.replaceAll(
+      'обязательный-2fa-dotcom-участник',
+      'mandatory-2fa-dotcom-contributors',
+    )
+    content = content.replaceAll(
+      'обязательный-2fa-участник-2023',
+      'mandatory-2fa-contributors-2023',
+    )
+    // `не` = "not" in ifversion tags
+    content = content.replaceAll('{% ifversion не ', '{% ifversion not ')
     content = content.replaceAll('{% переменных данных.', '{% data variables.')
     content = content.replaceAll('{% повторно используемых данных.', '{% data reusables.')
     content = content.replaceAll('{% примечание %}', '{% note %}')
@@ -118,6 +284,11 @@ export function correctTranslatedContentStrings(
     content = content.replaceAll('{% еще %}', '{% else %}')
     content = content.replaceAll('{% ещё %}', '{% else %}')
     content = content.replaceAll('{% необработанные %}', '{% raw %}')
+    content = content.replaceAll('{% необработанный %}', '{% raw %}')
+    content = content.replaceAll('{% сырой %}', '{% raw %}')
+    content = content.replaceAll('{% нарисовать %}', '{% endraw %}')
+    content = content.replaceAll('{% эндкёрл %}', '{% endcurl %}')
+    content = content.replaceAll('{% запроса %}', '{% endraw %}')
 
     // Fix double quotes in Russian YAML files that cause parsing errors
     content = content.replace(/href=""https:\/\//g, 'href="https://')
@@ -135,6 +306,19 @@ export function correctTranslatedContentStrings(
     )
     content = content.replaceAll('{{ глоссарий.term }}', '{{ glossary.term }}')
     content = content.replaceAll('{{ глоссарий.description }}', '{{ glossary.description }}')
+
+    // Rearranged `{% data VARIABLE_PATH %}` → `VARIABLE_PATH %данн... {% }`
+    // The translation moved `data` (as `данных`/`данными`/`данные`) after the path
+    // and split `%}` into `{% }` or `{%  }`. Reconstruct the original tag.
+    content = content.replace(/([\w.-]+\.[\w.-]+\.[\w_]+) %данн\w*[^{]*\{%\s+\}/g, '{% data $1 %}')
+    // Variant where `%}` appears BEFORE `данных`: `PATH %}данных {% .`
+    content = content.replace(/([\w.-]+\.[\w.-]+\.[\w_]+) %\}данн\w*\s*\{%\s*\./g, '{% data $1 %}.')
+
+    // Translated octicon names
+    content = content.replaceAll(
+      '{% octicon "организация" aria-hidden="true" aria-label="organization" %}',
+      '{% octicon "organization" aria-hidden="true" aria-label="organization" %}',
+    )
   }
 
   if (context.code === 'fr') {
@@ -142,6 +326,10 @@ export function correctTranslatedContentStrings(
     content = content.replaceAll('{% données réutilisables.', '{% data reusables.')
     content = content.replaceAll('{% variables de données.', '{% data variables.')
     content = content.replaceAll('{% autre %}', '{% else %}')
+    content = content.replaceAll('{% brut %}', '{% raw %}')
+    content = content.replaceAll('{% %brut }', '{% raw %}')
+    content = content.replaceAll('{% redessiner %}', '{% endraw %}')
+    content = content.replaceAll('{% données ', '{% data ')
     // Catch remaining "ou" between any plan names in ifversion/elsif tags
     content = content.replace(/\{%-? (?:ifversion|elsif) [^%]*?ou [^%]*?%\}/g, (match) => {
       return match.replace(/ ou /g, ' or ')
@@ -155,8 +343,11 @@ export function correctTranslatedContentStrings(
     content = content.replaceAll('{% 데이터 변수.', '{% data variables.')
     content = content.replaceAll('{% 데이터 변숫값.', '{% data variables.')
     content = content.replaceAll('{% dada variables', '{% data variables')
+    // Extra `%` before data: `{% % data` → `{% data`
+    content = content.replaceAll('{% % data', '{% data')
     content = content.replaceAll('{% 기타 %}', '{% else %}')
     content = content.replaceAll('{% 참고 %}', '{% note %}')
+    content = content.replaceAll('{% 원시 %}', '{% raw %}')
     // Catch "또는" between any plan names in ifversion/elsif tags
     content = content.replace(/\{%-? (?:ifversion|elsif) [^%]*?또는[^%]*?%\}/g, (match) => {
       return match.replace(/ 또는 /g, ' or ')
@@ -199,16 +390,90 @@ export function correctTranslatedContentStrings(
   content = content.replaceAll('{{% data reusables.', '{% data reusables.')
   content = content.replaceAll('{{% ifversion ', '{% ifversion ')
   content = content.replaceAll('{{% else %}}', '{% else %}')
+  content = content.replaceAll('{{% elsif ', '{% elsif ')
   content = content.replaceAll('{{% vscode %}}', '{% vscode %}')
   content = content.replaceAll('{{% endvscode %}}', '{% endvscode %}')
   content = content.replaceAll('{{% endvisualstudio %}}', '{% endvisualstudio %}')
 
+  // Double `{% {% ` or `{%{% ` where the tag opener was duplicated.
+  content = content.replaceAll('{% {% ', '{% ')
+  content = content.replaceAll('{%{% ', '{% ')
+
+  // Multiple-percent corruptions: `{%%...` → `{%` and `%%}` → `%}`.
+  content = content.replace(/\{%{2,}/g, '{%')
+  content = content.replaceAll('%%}', '%}')
+
+  // Stray `%` before tag open: `%{% data` → `{% data`
+  content = content.replaceAll('%{% data', '{% data')
+  content = content.replaceAll('%{% ifversion', '{% ifversion')
+
+  // Corrupted `{ endif %}%` → `{% endif %}` (delimiters shuffled)
+  content = content.replaceAll('{ endif %}%', '{% endif %}')
+  // Empty tag `{%}` (no space, no name) — typically `{% else %}`
+  content = content.replace(/\{%\}(?!})/g, '{% else %}')
+  // `{% }` or `{%  }` (tag with just `}` or spaces as name) — almost always `{% endif %}`
+  content = content.replace(/\{%\s+\}/g, '{% endif %}')
+
+  // Missing `%` after opening `{`: `{else %}` → `{% else %}`
+  content = content.replaceAll('{else %}', '{% else %}')
+  content = content.replaceAll('{endif %}', '{% endif %}')
+  // Missing space after `{%`: `{%else %}` → `{% else %}`
+  content = content.replaceAll('{%else %}', '{% else %}')
+
+  // `{%` immediately followed by Markdown bold `**` (missing `else %}`): `{%**` → `{% else %}**`
+  content = content.replaceAll('{%**', '{% else %}**')
+
+  // Markdown bold `**` injected inside Liquid tag closing: `%**}` → `%}**`
+  content = content.replaceAll('%**}', '%}**')
+
+  // Double-brace with missing `data`: `{{% variables.` → `{% data variables.`
+  content = content.replaceAll('{{% variables.', '{% data variables.')
+
+  // Extra closing brace: `%}}` → `%}` (common in Portuguese and other languages)
+  content = content.replaceAll('%}}', '%}')
+
   // Common Latin-script typos across multiple languages.
   content = content.replaceAll('{% variables.', '{% data variables.')
   content = content.replaceAll('{% datavariables', '{% data variables')
 
-  // Fix spaces inside Liquid tag delimiters, e.g. `{ % endif % }` → `{% endif %}`
-  content = content.replace(/\{ +%([^%]+?)% +\}/g, '{%$1%}')
+  // Empty `{% %}` corruptions where the tag name was removed.
+  content = content.replaceAll('{% %} de dados reusables.', '{% data reusables.')
+  content = content.replaceAll('{% %} de dados variables.', '{% data variables.')
+
+  // Fix `{% %}` used as `{% endraw %}` (follows raw content with Liquid expressions).
+  content = content.replace(/(\{% raw %\}[^]*?)\{% %\}/g, '$1{% endraw %}')
+
+  // Fix `{% %}` used as `{% else %}` when it appears between ifversion and
+  // endif on the same line: `{% ifversion X %}A{% %}B{% endif %}`.
+  content = content.replace(
+    /(\{% ifversion [^%]*?%\}[^{]*?)\{% %\}([^{]*?\{% endif %\})/g,
+    '$1{% else %}$2',
+  )
+
+  // Remaining `{% %}` is almost always `{% endif %}`.
+  content = content.replaceAll('{% %}', '{% endif %}')
+
+  // Fix spaces inside Liquid tag delimiters, e.g. `{ % endif % }` or `{ % endif %}`
+  content = content.replace(/\{ +%([^%]+?)% *\}/g, '{%$1%}')
+
+  // Strip stray `{% ` openers that precede non-ASCII text (Cyrillic, CJK, etc.)
+  // after all per-language keyword translations have run. Any remaining
+  // `{% ` followed by a non-ASCII character is never a valid Liquid tag.
+  // eslint-disable-next-line no-control-regex
+  content = content.replace(/\{% (?=[^\x00-\x7F])/g, '')
+
+  // Strip stray `{% .` (dot as tag name) — deeply corrupted data tag remnant.
+  content = content.replace(/\{% \. /g, '')
+
+  // Fix unclosed `{% data ... %}` tags where translated text was injected
+  // between `%` and `}`: e.g. `{% data variables.product.github %las herramientas}`
+  // Insert the missing `}` right after `%` to properly close the tag.
+  content = content.replace(/({% data [\w.-]+ %)(?!})/g, '$1}')
+
+  // Fix unclosed `{% data PATH` where `%}` was completely dropped and
+  // non-ASCII translated text follows directly after the variable path.
+  // eslint-disable-next-line no-control-regex
+  content = content.replace(/({% data [\w.-]+) (?=[^\x00-\x7F])/g, '$1 %} ')
 
   // Recover linebreaks that translations lose after Liquid closing tags.
   // Compares each `{% ... %} ` in the translation against the English
@@ -233,5 +498,13 @@ export function correctTranslatedContentStrings(
   // Collapsed Markdown table rows — restore linebreaks between `|` cells.
   content = content.replaceAll(' | | ', ' |\n| ')
 
+  // Final catch-all: earlier normalizations (e.g. space-in-braces regex) can
+  // recreate `{{% KEYWORD` patterns after the per-keyword fixes already ran.
+  // Strip the extra `{` for known Liquid tag names.
+  content = content.replace(
+    /\{\{(%\s*(?:data |ifversion |elsif |endif|else |else\b|octicon |note|endnote|tip|endtip|raw|endraw|comment|endcomment|for |endfor|assign |vscode|endvscode|visualstudio|endvisualstudio|rowheaders|endrowheaders))/g,
+    '{$1',
+  )
+
   return content
 }
diff --git a/src/languages/tests/correct-translation-content.ts b/src/languages/tests/correct-translation-content.ts
new file mode 100644
index 000000000000..66ab8c8502df
--- /dev/null
+++ b/src/languages/tests/correct-translation-content.ts
@@ -0,0 +1,155 @@
+import { describe, expect, test } from 'vitest'
+
+import { correctTranslatedContentStrings } from '@/languages/lib/correct-translation-content'
+
+function fix(content: string, code: string, englishContent = '') {
+  return correctTranslatedContentStrings(content, englishContent, {
+    code,
+    relativePath: 'test.md',
+  })
+}
+
+describe('correctTranslatedContentStrings', () => {
+  describe('Spanish (es)', () => {
+    test('fixes colon-prefix tags', () => {
+      expect(fix('{%: ifversion ghec %}', 'es')).toBe('{% ifversion ghec %}')
+    })
+
+    test('translates cuando → when in case statements', () => {
+      expect(fix('{%- cuando "supported" %}', 'es')).toBe('{%- when "supported" %}')
+    })
+  })
+
+  describe('Japanese (ja)', () => {
+    test('fixes translated endcase', () => {
+      expect(fix('{%- エンドケース -%}', 'ja')).toBe('{%- endcase -%}')
+    })
+
+    test('adds missing when keyword for English strings', () => {
+      expect(fix('{%- "supported" %}', 'ja')).toBe('{%- when "supported" %}')
+    })
+
+    test('adds missing when keyword for Japanese strings', () => {
+      expect(fix('{%- "サポートされている" %}', 'ja')).toBe('{%- when "supported" %}')
+    })
+
+    test('preserves trim syntax when adding when keyword', () => {
+      expect(fix('{% "supported" %}', 'ja')).toBe('{% when "supported" %}')
+      expect(fix('{%- "supported" %}', 'ja')).toBe('{%- when "supported" %}')
+    })
+
+    test('fixes empty trim tag before C', () => {
+      expect(fix('{%- %}C', 'ja')).toBe('{%- when "closing-down" %}C')
+    })
+
+    test('fixes translated for-loops', () => {
+      const input = '{%- tables.copilot.ides の version -%}'
+      const output = fix(input, 'ja')
+      expect(output).toBe('{%- for version in tables.copilot.ides -%}')
+    })
+
+    test('fixes translated else', () => {
+      expect(fix('{% それ以外の場合 %}', 'ja')).toBe('{% else %}')
+    })
+  })
+
+  describe('Russian (ru)', () => {
+    test('fixes translated data tags', () => {
+      expect(fix('{% данных variables.product.github %}', 'ru')).toBe(
+        '{% data variables.product.github %}',
+      )
+    })
+
+    test('fixes translated else', () => {
+      expect(fix('{% ещё %}', 'ru')).toBe('{% else %}')
+      expect(fix('{% еще %}', 'ru')).toBe('{% else %}')
+    })
+
+    test('fixes translated or in ifversion', () => {
+      expect(fix('{% ifversion fpt или ghec %}', 'ru')).toBe('{% ifversion fpt or ghec %}')
+    })
+
+    test('fixes translated not in ifversion', () => {
+      expect(fix('{% ifversion не ghes %}', 'ru')).toBe('{% ifversion not ghes %}')
+    })
+
+    test('fixes translated raw/endraw', () => {
+      expect(fix('{% необработанный %}', 'ru')).toBe('{% raw %}')
+      expect(fix('{% нарисовать %}', 'ru')).toBe('{% endraw %}')
+    })
+
+    test('handles конец after raw as endraw', () => {
+      const input = '{% raw %}some content{% конец %}'
+      expect(fix(input, 'ru')).toBe('{% raw %}some content{% endraw %}')
+    })
+
+    test('handles конец without raw as endif', () => {
+      expect(fix('{% конец %}', 'ru')).toBe('{% endif %}')
+    })
+
+    test('fixes translated feature flags', () => {
+      expect(fix('обязательный-2fa-dotcom-участник', 'ru')).toBe(
+        'mandatory-2fa-dotcom-contributors',
+      )
+    })
+  })
+
+  describe('Chinese (zh)', () => {
+    test('fixes translated if', () => {
+      expect(fix('{ 如果 ghec %}', 'zh')).toBe('{% if ghec %}')
+    })
+
+    test('fixes stray Chinese then merged with HTML', () => {
+      expect(fix('，则为 {%<div>', 'zh')).toBe('<div>')
+    })
+  })
+
+  describe('Generic fixes', () => {
+    test('fixes double braces', () => {
+      expect(fix('{{% data variables.product.github %}', 'es')).toBe(
+        '{% data variables.product.github %}',
+      )
+    })
+
+    test('fixes double percent in opening', () => {
+      expect(fix('{%% data variables.product.github %}', 'es')).toBe(
+        '{% data variables.product.github %}',
+      )
+    })
+
+    test('fixes missing percent after brace', () => {
+      expect(fix('{else %}', 'es')).toBe('{% else %}')
+      expect(fix('{endif %}', 'es')).toBe('{% endif %}')
+    })
+
+    test('fixes missing space after {%', () => {
+      expect(fix('{%else %}', 'es')).toBe('{% else %}')
+    })
+
+    test('fixes empty tag as else', () => {
+      expect(fix('{%}test', 'es')).toBe('{% else %}test')
+    })
+
+    test('fixes empty tag with space as endif', () => {
+      expect(fix('{% }', 'es')).toBe('{% endif %}')
+    })
+
+    test('fixes bold markup injected in closing', () => {
+      expect(fix('%**}', 'es')).toBe('%}**')
+    })
+
+    test('fixes {%** as else with bold', () => {
+      expect(fix('{%**text**{% endif %}', 'es')).toBe('{% else %}**text**{% endif %}')
+    })
+
+    test('strips stray {% before non-ASCII text', () => {
+      expect(fix('{% Привет мир', 'ru')).toBe('Привет мир')
+    })
+
+    test('recovers linebreaks from English', () => {
+      const en = '{% endif %}\nSome text'
+      const translated = '{% endif %} Some text'
+      expect(fix(translated, 'es', en)).toBe('{% endif %}\nSome text')
+    })
+  })
+})

From a445a89d6c1a6a6572791cee0bd01e38aae5801a Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 16 Mar 2026 18:15:55 +0000
Subject: [PATCH 7/8] Bump the npm_and_yarn group across 1 directory with 1
 update (#60225)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 package-lock.json | 35 ++++++-----------------------------
 1 file changed, 6 insertions(+), 29 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 784119de90b7..fc7954f6b925 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -5971,9 +5971,9 @@
       }
     },
     "node_modules/cheerio/node_modules/undici": {
-      "version": "7.22.0",
-      "resolved": "https://registry.npmjs.org/undici/-/undici-7.22.0.tgz",
-      "integrity": "sha512-RqslV2Us5BrllB+JeiZnK4peryVTndy9Dnqq62S3yYRRTj0tFQCwEniUy2167skdGOy3vqRzEvl1Dm4sV2ReDg==",
+      "version": "7.24.1",
+      "resolved": "https://registry.npmjs.org/undici/-/undici-7.24.1.tgz",
+      "integrity": "sha512-5xoBibbmnjlcR3jdqtY2Lnx7WbrD/tHlT01TmvqZUFVc9Q1w4+j5hbnapTqbcXITMH1ovjq/W7BkqBilHiVAaA==",
       "license": "MIT",
       "engines": {
         "node": ">=20.18.1"
@@ -7896,29 +7896,6 @@
         "url": "https://opencollective.com/typescript-eslint"
       }
     },
-    "node_modules/eslint-plugin-primer-react/node_modules/balanced-match": {
-      "version": "4.0.4",
-      "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-4.0.4.tgz",
-      "integrity": "sha512-BLrgEcRTwX2o6gGxGOCNyMvGSp35YofuYzw9h1IMTRmKqttAZZVU67bdb9Pr2vUHA8+j3i2tJfjO6C6+4myGTA==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": "18 || 20 || >=22"
-      }
-    },
-    "node_modules/eslint-plugin-primer-react/node_modules/brace-expansion": {
-      "version": "5.0.3",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.3.tgz",
-      "integrity": "sha512-fy6KJm2RawA5RcHkLa1z/ScpBeA762UF9KmZQxwIbDtRJrgLzM10depAiEQ+CXYcoiqW1/m96OAAoke2nE9EeA==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "balanced-match": "^4.0.2"
-      },
-      "engines": {
-        "node": "18 || 20 || >=22"
-      }
-    },
     "node_modules/eslint-plugin-primer-react/node_modules/eslint-visitor-keys": {
       "version": "5.0.1",
       "resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-5.0.1.tgz",
@@ -15877,9 +15854,9 @@
       "license": "MIT"
     },
     "node_modules/undici": {
-      "version": "6.23.0",
-      "resolved": "https://registry.npmjs.org/undici/-/undici-6.23.0.tgz",
-      "integrity": "sha512-VfQPToRA5FZs/qJxLIinmU59u0r7LXqoJkCzinq3ckNJp3vKEh7jTWN589YQ5+aoAC/TGRLyJLCPKcLQbM8r9g==",
+      "version": "6.24.0",
+      "resolved": "https://registry.npmjs.org/undici/-/undici-6.24.0.tgz",
+      "integrity": "sha512-lVLNosgqo5EkGqh5XUDhGfsMSoO8K0BAN0TyJLvwNRSl4xWGZlCVYsAIpa/OpA3TvmnM01GWcoKmc3ZWo5wKKA==",
       "license": "MIT",
       "engines": {
         "node": ">=18.17"

From 05461db883bd1b740267986059daf51ac781dd5c Mon Sep 17 00:00:00 2001
From: Kevin Heis <heiskr@users.noreply.github.com>
Date: Mon, 16 Mar 2026 11:52:58 -0700
Subject: [PATCH 8/8] Fix .md landing pages returning empty markdown (#60191)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 src/article-api/middleware/article-body.ts    | 49 +++++--------------
 .../transformers/article-transformer.ts       | 26 ++++++++++
 src/article-api/transformers/index.ts         |  3 ++
 src/frame/middleware/context/context.ts       |  4 ++
 src/frame/middleware/render-page.ts           | 25 ++++++++--
 src/frame/tests/server.ts                     | 34 +++++++++++++
 .../middleware/handle-invalid-paths.ts        |  6 +--
 src/types/types.ts                            |  1 +
 8 files changed, 103 insertions(+), 45 deletions(-)
 create mode 100644 src/article-api/transformers/article-transformer.ts

diff --git a/src/article-api/middleware/article-body.ts b/src/article-api/middleware/article-body.ts
index 0d036386d9f0..9f5ac130d926 100644
--- a/src/article-api/middleware/article-body.ts
+++ b/src/article-api/middleware/article-body.ts
@@ -50,48 +50,23 @@ export async function getArticleBody(req: ExtendedRequestWithPageInfo) {
   // Extract apiVersion from query params if provided
   const apiVersion = req.query.apiVersion as string | undefined
 
-  // Check if there's a transformer for this page type (e.g., REST, webhooks, etc.)
+  // With the catch-all ArticleTransformer registered last,
+  // findTransformer always returns a transformer.
   const transformer = transformerRegistry.findTransformer(page)
+  if (!transformer) throw new Error(`No transformer found for page: ${pathname}`)
 
-  if (transformer) {
-    // Use the transformer for autogenerated pages
-    const renderingReq = await createContextualizedRenderingRequest(pathname, page)
-
-    // Determine the API version to use (provided or latest)
-    // Validation is handled by apiVersionValidationMiddleware
-    const currentVersion = renderingReq.context.currentVersion
-    let effectiveApiVersion = apiVersion
-
-    // Use latest version if not provided
-    if (!effectiveApiVersion && currentVersion && allVersions[currentVersion]) {
-      effectiveApiVersion = allVersions[currentVersion].latestApiVersion || undefined
-    }
-
-    return await transformer.transform(page, pathname, renderingReq.context, effectiveApiVersion)
-  }
-
-  // For regular articles (non-autogenerated)
-  if (page.documentType !== 'article') {
-    throw new Error(`Page ${pathname} isn't yet available in markdown.`)
-  }
-
-  // these parts allow us to render the page
+  // Use the transformer
   const renderingReq = await createContextualizedRenderingRequest(pathname, page)
-  renderingReq.context.markdownRequested = true
-  const content = await page.render(renderingReq.context)
 
-  // Get title and intro for consistency with transformer-based pages
-  const title = page.title
-  const intro = page.intro
-    ? await page.renderProp('intro', renderingReq.context, { textOnly: true })
-    : ''
+  // Determine the API version to use (provided or latest)
+  // Validation is handled by apiVersionValidationMiddleware
+  const currentVersion = renderingReq.context.currentVersion
+  let effectiveApiVersion = apiVersion
 
-  // Prepend title and intro to the content
-  let result = `# ${title}\n\n`
-  if (intro) {
-    result += `${intro}\n\n`
+  // Use latest version if not provided
+  if (!effectiveApiVersion && currentVersion && allVersions[currentVersion]) {
+    effectiveApiVersion = allVersions[currentVersion].latestApiVersion || undefined
   }
-  result += content
 
-  return result
+  return await transformer.transform(page, pathname, renderingReq.context, effectiveApiVersion)
 }
diff --git a/src/article-api/transformers/article-transformer.ts b/src/article-api/transformers/article-transformer.ts
new file mode 100644
index 000000000000..bbe81684dee8
--- /dev/null
+++ b/src/article-api/transformers/article-transformer.ts
@@ -0,0 +1,26 @@
+import type { Context, Page } from '@/types'
+import type { PageTransformer } from './types'
+
+/**
+ * Transformer for regular articles.
+ *
+ * This is a catch-all transformer registered last in the registry.
+ * It renders the page body as markdown and prepends the title and intro.
+ */
+export class ArticleTransformer implements PageTransformer {
+  canTransform(page: Page): boolean {
+    // Catch-all: handles any page not matched by a more specific transformer.
+    return page != null
+  }
+
+  async transform(page: Page, _pathname: string, context: Context): Promise<string> {
+    const body = await page.render({ ...context, markdownRequested: true })
+    const title = page.title
+    const intro = page.intro ? await page.renderProp('intro', context, { textOnly: true }) : ''
+
+    let result = `# ${title}\n\n`
+    if (intro) result += `${intro}\n\n`
+    result += body
+    return result
+  }
+}
diff --git a/src/article-api/transformers/index.ts b/src/article-api/transformers/index.ts
index b65f846dca9f..1c1b90f7b4cb 100644
--- a/src/article-api/transformers/index.ts
+++ b/src/article-api/transformers/index.ts
@@ -17,6 +17,7 @@ import { DiscoveryLandingTransformer } from './discovery-landing-transformer'
 import { ProductGuidesTransformer } from './product-guides-transformer'
 import { ProductLandingTransformer } from './product-landing-transformer'
 import { SearchPageTransformer } from './search-page-transformer'
+import { ArticleTransformer } from './article-transformer'
 
 /**
  * Global transformer registry
@@ -42,6 +43,8 @@ transformerRegistry.register(new DiscoveryLandingTransformer())
 transformerRegistry.register(new ProductGuidesTransformer())
 transformerRegistry.register(new ProductLandingTransformer())
 transformerRegistry.register(new SearchPageTransformer())
+// ArticleTransformer is the catch-all — must be registered last.
+transformerRegistry.register(new ArticleTransformer())
 
 export { TransformerRegistry } from './types'
 export type { PageTransformer } from './types'
diff --git a/src/frame/middleware/context/context.ts b/src/frame/middleware/context/context.ts
index 8fa16fc2e2e4..8cb4feb093b4 100644
--- a/src/frame/middleware/context/context.ts
+++ b/src/frame/middleware/context/context.ts
@@ -43,6 +43,10 @@ export default async function contextualize(
     // req.pagePath is used later in the rendering pipeline to
     // locate the file in the tree so it cannot have .md
     req.pagePath = req.pagePath.replace(/\/index\.md$/, '').replace(/\.md$/, '')
+    req.context.markdownRequested = true
+    // Track that markdown was requested via URL suffix, not Accept header.
+    // This avoids adding a misleading Vary: accept cache header.
+    req.context.markdownViaUrl = true
   }
 
   // define each context property explicitly for code-search friendliness
diff --git a/src/frame/middleware/render-page.ts b/src/frame/middleware/render-page.ts
index 03902f45ec38..e69dc99f8b30 100644
--- a/src/frame/middleware/render-page.ts
+++ b/src/frame/middleware/render-page.ts
@@ -9,6 +9,7 @@ import FailBot from '@/observability/lib/failbot'
 import statsd from '@/observability/lib/statsd'
 import type { ExtendedRequest } from '@/types'
 import { allVersions } from '@/versions/lib/all-versions'
+import { transformerRegistry } from '@/article-api/transformers'
 import { minimumNotFoundHtml } from '../lib/constants'
 import { contentTypeCacheControl, defaultCacheControl } from './cache-control'
 import { isConnectionDropped } from './halt-on-dropped-connection'
@@ -97,8 +98,20 @@ export default async function renderPage(req: ExtendedRequest, res: Response) {
   }
 
   if (!req.context) throw new Error('request not contextualized')
-  req.context.renderedPage = await buildRenderedPage(req)
-  req.context.miniTocItems = buildMiniTocItems(req)
+
+  if (context.markdownRequested) {
+    const transformer = transformerRegistry.findTransformer(page)
+    if (!transformer) throw new Error(`No transformer found for page: ${req.pagePath}`)
+    // Pass context without markdownRequested — transformers set it themselves
+    // when rendering templates. Having it set during prepareTemplateData()
+    // causes renderTitle/renderProp to output markdown instead of HTML,
+    // which breaks the cheerio-based unwrap logic.
+    const transformerContext = { ...context, markdownRequested: false }
+    req.context.renderedPage = await transformer.transform(page, path, transformerContext)
+  } else {
+    req.context.renderedPage = await buildRenderedPage(req)
+    req.context.miniTocItems = buildMiniTocItems(req)
+  }
 
   // Stop processing if the connection was already dropped
   if (isConnectionDropped(req, res)) return
@@ -151,7 +164,13 @@ export default async function renderPage(req: ExtendedRequest, res: Response) {
   }
 
   if (context.markdownRequested) {
-    contentTypeCacheControl(res)
+    if (context.markdownViaUrl) {
+      // .md URL suffix always returns markdown — Vary: accept would be misleading
+      defaultCacheControl(res)
+    } else {
+      // Accept header determines the representation — Vary: accept is correct
+      contentTypeCacheControl(res)
+    }
     return res.type('text/markdown').send(req.context.renderedPage)
   }
 
diff --git a/src/frame/tests/server.ts b/src/frame/tests/server.ts
index bb62313f5f40..e1870a44505a 100644
--- a/src/frame/tests/server.ts
+++ b/src/frame/tests/server.ts
@@ -311,6 +311,40 @@ describe('server', () => {
       expect(res.statusCode).toBe(200)
       expect(res.headers['content-type']).toContain('text/html')
     })
+
+    test('landing page returns non-empty markdown with title via Accept header', async () => {
+      const res = await get('/en/get-started', {
+        headers: {
+          accept: 'text/markdown',
+        },
+      })
+      expect(res.statusCode).toBe(200)
+      expect(res.headers['content-type']).toContain('text/markdown')
+      expect(res.body).toMatch(/^# .+/)
+      // Verify the landing page has content beyond just the title
+      expect(res.body).toMatch(/\n\n/)
+      expect(res.body.split('\n').length).toBeGreaterThan(3)
+    })
+
+    test('.md URL extension returns markdown with correct content type', async () => {
+      const res = await get('/en/get-started.md')
+      expect(res.statusCode).toBe(200)
+      expect(res.headers['content-type']).toContain('text/markdown')
+      expect(res.body).toMatch(/^# .+/)
+    })
+
+    test('/index.md redirects to the page without /index.md', async () => {
+      const res = await get('/en/get-started/index.md')
+      expect(res.statusCode).toBe(302)
+      expect(res.headers.location).toBe('/en/get-started')
+    })
+
+    test('regular article .md URL includes title and intro', async () => {
+      const res = await get('/en/get-started/start-your-journey/hello-world.md')
+      expect(res.statusCode).toBe(200)
+      expect(res.headers['content-type']).toContain('text/markdown')
+      expect(res.body).toMatch(/^# Hello World/)
+    })
   })
 })
 
diff --git a/src/shielding/middleware/handle-invalid-paths.ts b/src/shielding/middleware/handle-invalid-paths.ts
index 0970bd3281cd..e8b8a9adc412 100644
--- a/src/shielding/middleware/handle-invalid-paths.ts
+++ b/src/shielding/middleware/handle-invalid-paths.ts
@@ -87,11 +87,7 @@ export default function handleInvalidPaths(
     defaultCacheControl(res)
     const newUrl = req.originalUrl.replace(req.path, req.path.replace(/\/index\.md$/, ''))
     return res.safeRedirect(newUrl)
-  } else if (req.path.endsWith('.md')) {
-    req.url = req.url.replace(/\.md($|\?)/, '$1')
-    req.originalUrl = req.originalUrl.replace(/\.md($|\?)/, '$1')
-    req.headers.accept = 'text/markdown'
-    return next()
   }
+
   return next()
 }
diff --git a/src/types/types.ts b/src/types/types.ts
index 402a769e756f..f38e15d24c2f 100644
--- a/src/types/types.ts
+++ b/src/types/types.ts
@@ -190,6 +190,7 @@ export type Context = {
   renderedPage?: string
   miniTocItems?: MiniTocItem[]
   markdownRequested?: boolean
+  markdownViaUrl?: boolean
 }
 export type LearningTracks = {
   [group: string]: {