fix: packages w/ both provenance + trusted publishing -> trustedPublisher

[danielroe]

resolves #1292

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
npmx.dev	Ready	Preview, Comment	Feb 9, 2026 10:59pm

2 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
docs.npmx.dev	Ignored		Feb 9, 2026 10:59pm
npmx-lunaria	Ignored		Feb 9, 2026 10:59pm

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.

📢 Thoughts on this report? Let us know!

[coderabbitai]

📝 Walkthrough

Walkthrough

This pull request adjusts the trust level evaluation logic for npm packages. The getTrustLevel function now prioritises trustedPublisher status over attestations when determining package trust classification. When a package has both trustedPublisher and attestations, it is now classified as 'trustedPublisher' rather than 'provenance'. A comment is added documenting that trusted publishing automatically generates provenance attestations. Documentation references are updated to point to current npm docs URLs. Test cases are updated to reflect the new classification behaviour and validate that no trust downgrade is incorrectly flagged when both versions have trustedPublisher status with attestations.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description check	✅ Passed	The PR description references issue #1292, which directly relates to the changeset addressing trust downgrade false positives.
Linked Issues check	✅ Passed	The changes address both key objectives: prioritising trustedPublisher in getTrustLevel logic [1] and fixing the documentation link [2].
Out of Scope Changes check	✅ Passed	All changes directly address the linked issue: logic reordering to prioritise trustedPublisher, documentation link updates, and corresponding test adjustments.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/trusted-publishing

---

No actionable comments were generated in the recent review. 🎉

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[remcohaszing]

This isn’t necessarily true.

For eslint-formatter-gitlab:

Version	Provenance	Trusted publishing
7.0.1	✓	✓
7.0.0		✓
5.0.0 - 6.0.1	✓
1.0.0 - 4.0.0

For GitLab, this adds provenance:

  id_tokens:
    SIGSTORE_ID_TOKEN:
      aud: sigstore

And this is needed for trusted publishing:

  id_tokens:
    NPM_ID_TOKEN:
      aud: npm:registry.npmjs.org

For GitHub this is a bit harder to mess up.

[danielroe]

I was aware but thought that, regardless, trusted publishing was a stronger trust signal