fix: packages w/ both provenance + trusted publishing -> trustedPublisher (#1302)

authored by

Daniel Roe and committed by
GitHub
38e0bed9 2751a702

+33 -5
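--- a/app/composables/npm/usePackage.ts
+++ b/app/composables/npm/usePackage.ts
@@ -20,8 +20,9 @@
 }
 
 function getTrustLevel(version: PackumentVersion): PublishTrustLevel {
+// trusted publishing automatically generates provenance attestations
+if (hasTrustedPublisher(version)) return 'trustedPublisher'
 if (hasAttestations(version)) return 'provenance'
-if (hasTrustedPublisher(version)) return 'trustedPublisher'
 return 'none'
 }
 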
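Review bot: The new early return on line 24 classifies a version as `trustedPublisher` whenever `hasTrustedPublisher(version)` is true, whether or not `hasAttestations(version)` also holds, so the premise in the comment on line 23 is assumed rather than checked by the code. If `hasTrustedPublisher` is derived from a registry metadata field rather than from a verified attestation (its implementation is not in this hunk), a version carrying that field but no attestations now outranks a version with verifiable provenance in the trust ordering used for downgrade detection. The comment should state the reason the ordering was flipped and the assumption it rests on, e.g. `// npm's trusted publishing always emits provenance attestations, so a version with both signals is ranked trustedPublisher; ranking provenance first made such versions look like a downgrade (#1292)`. It would also help to add a test fixture for a version that reports a trusted publisher but has no attestations, so the intended classification for that case is explicit rather than implied. getTrustLevel is entirely within the hunk.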
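--- a/app/pages/package/[[org]]/[name].vue
+++ b/app/pages/package/[[org]]/[name].vue
@@ -1099,7 +1099,7 @@
 >
 <template #trustedPublishing>
 <a
-href="https://docs.npmjs.com/adding-a-trusted-publisher-to-a-package"
+href="https://docs.npmjs.com/trusted-publishers"
 target="_blank"
 rel="noopener noreferrer"
 class="inline-flex items-center gap-1 rounded-sm underline underline-offset-4 decoration-amber-600/60 dark:decoration-amber-400/50 hover:decoration-fg focus-visible:decoration-fg focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent/70 transition-colors"
@@ -1129,7 +1129,7 @@
 </template>
 <template #trustedPublishing>
 <a
-href="https://docs.npmjs.com/adding-a-trusted-publisher-to-a-package"
+href="https://docs.npmjs.com/trusted-publishers"
 target="_blank"
 rel="noopener noreferrer"
 class="inline-flex items-center gap-1 rounded-sm underline underline-offset-4 decoration-amber-600/60 dark:decoration-amber-400/50 hover:decoration-fg focus-visible:decoration-fg focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent/70 transition-colors"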
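--- a/test/nuxt/composables/use-package-transform.spec.ts
+++ b/test/nuxt/composables/use-package-transform.spec.ts
@@ -213,7 +213,7 @@
 expect(detectPublishSecurityDowngradeForVersion(infos, '1.0.1')?.trustedVersion).toBe('1.0.0')
 })
 
-it('prefers provenance trust level when both trustedPublisher and attestations exist', () => {
+it('prefers trustedPublisher trust level when both trustedPublisher and attestations exist', () => {
 const packument = createPackument(
 {
 '1.0.0': createTrustedPublisherWithAttestationsVersion('1.0.0'),
@@ -230,7 +230,34 @@
 
 const transformed = transformPackument(packument, '1.0.1')
 
-expect(transformed.versions['1.0.0']?.trustLevel).toBe('provenance')
+expect(transformed.versions['1.0.0']?.trustLevel).toBe('trustedPublisher')
+})
+
+// https://github.com/npmx-dev/npmx.dev/issues/1292
+it('does not flag false downgrade when trusted publisher version also has attestations', () => {
+// Trusted publishing automatically generates provenance attestations,
+// so a version with both should be classified as trustedPublisher, not provenance.
+const packument = createPackument(
+{
+'7.0.0': createTrustedPublisherWithAttestationsVersion('7.0.0'),
+'7.0.1': createTrustedPublisherWithAttestationsVersion('7.0.1'),
+},
+{
+'created': '2026-01-01T00:00:00.000Z',
+'modified': '2026-01-02T00:00:00.000Z',
+'7.0.0': '2026-01-01T00:00:00.000Z',
+'7.0.1': '2026-01-02T00:00:00.000Z',
+},
+'7.0.1',
+)
+
+const transformed = transformPackument(packument, '7.0.1')
+const infos = toVersionInfos(transformed)
+
+// Both versions should be trustedPublisher — no downgrade
+expect(infos.find(v => v.version === '7.0.0')?.trustLevel).toBe('trustedPublisher')
+expect(infos.find(v => v.version === '7.0.1')?.trustLevel).toBe('trustedPublisher')
+expect(detectPublishSecurityDowngradeForVersion(infos, '7.0.1')).toBeNull()
 })
 
 it('flags non-direct downgrade chain until trust is restored', () => {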
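Review bot: The new test at lines 237-261 only exercises versions built with `createTrustedPublisherWithAttestationsVersion`, so both signals are always present together and the reordered check in getTrustLevel is never distinguished from the old one by a version that has a trusted publisher but no attestations. After this commit that is the case where the ordering actually changes the result, and a real downgrade — a trustedPublisher version followed by one with attestations only — is what `detectPublishSecurityDowngradeForVersion` must still catch; unless that pair is covered elsewhere in this file (not visible here), a sibling case such as `it('still flags downgrade from trustedPublisher to provenance-only', ...)` using a trusted-publisher fixture for `7.0.0` and an attestations-only fixture for `7.0.1`, asserting `trustedVersion` is `'7.0.0'`, would pin it. The inline comment on lines 238-239 restates the commit message; stating the expected `PublishTrustLevel` for the trusted-publisher-without-attestations case would document the contract the test relies on.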