Skip to content

fix: packages w/ both provenance + trusted publishing -> trustedPublisher #1302

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
danielroe merged 1 commit into from
Feb 9, 2026
Merged

fix: packages w/ both provenance + trusted publishing -> trustedPublisher #1302

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion app/composables/npm/usePackage.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,8 +20,9 @@ function hasTrustedPublisher(version: PackumentVersion): boolean {
}

function getTrustLevel(version: PackumentVersion): PublishTrustLevel {
if (hasAttestations(version)) return 'provenance'
// trusted publishing automatically generates provenance attestations
Copy link
Copy Markdown

@remcohaszing remcohaszing Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This isn’t necessarily true.

For eslint-formatter-gitlab:

Version Provenance Trusted publishing
7.0.1
7.0.0
5.0.0 - 6.0.1
1.0.0 - 4.0.0

For GitLab, this adds provenance:

  id_tokens:
    SIGSTORE_ID_TOKEN:
      aud: sigstore

And this is needed for trusted publishing:

  id_tokens:
    NPM_ID_TOKEN:
      aud: npm:registry.npmjs.org

For GitHub this is a bit harder to mess up.

Copy link
Copy Markdown
Member Author

@danielroe danielroe Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was aware but thought that, regardless, trusted publishing was a stronger trust signal

if (hasTrustedPublisher(version)) return 'trustedPublisher'
if (hasAttestations(version)) return 'provenance'
return 'none'
}

Expand Down
4 changes: 2 additions & 2 deletions app/pages/package/[[org]]/[name].vue
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1099,7 +1099,7 @@ onKeyStroke(
>
<template #trustedPublishing>
<a
href="https://docs.npmjs.com/adding-a-trusted-publisher-to-a-package"
href="https://docs.npmjs.com/trusted-publishers"
target="_blank"
rel="noopener noreferrer"
class="inline-flex items-center gap-1 rounded-sm underline underline-offset-4 decoration-amber-600/60 dark:decoration-amber-400/50 hover:decoration-fg focus-visible:decoration-fg focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent/70 transition-colors"
Expand Down Expand Up @@ -1129,7 +1129,7 @@ onKeyStroke(
</template>
<template #trustedPublishing>
<a
href="https://docs.npmjs.com/adding-a-trusted-publisher-to-a-package"
href="https://docs.npmjs.com/trusted-publishers"
target="_blank"
rel="noopener noreferrer"
class="inline-flex items-center gap-1 rounded-sm underline underline-offset-4 decoration-amber-600/60 dark:decoration-amber-400/50 hover:decoration-fg focus-visible:decoration-fg focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent/70 transition-colors"
Expand Down
31 changes: 29 additions & 2 deletions test/nuxt/composables/use-package-transform.spec.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -213,7 +213,7 @@ describe('transformPackument', () => {
expect(detectPublishSecurityDowngradeForVersion(infos, '1.0.1')?.trustedVersion).toBe('1.0.0')
})

it('prefers provenance trust level when both trustedPublisher and attestations exist', () => {
it('prefers trustedPublisher trust level when both trustedPublisher and attestations exist', () => {
const packument = createPackument(
{
'1.0.0': createTrustedPublisherWithAttestationsVersion('1.0.0'),
Expand All @@ -230,7 +230,34 @@ describe('transformPackument', () => {

const transformed = transformPackument(packument, '1.0.1')

expect(transformed.versions['1.0.0']?.trustLevel).toBe('provenance')
expect(transformed.versions['1.0.0']?.trustLevel).toBe('trustedPublisher')
})

// https://github.com/npmx-dev/npmx.dev/issues/1292
it('does not flag false downgrade when trusted publisher version also has attestations', () => {
// Trusted publishing automatically generates provenance attestations,
// so a version with both should be classified as trustedPublisher, not provenance.
const packument = createPackument(
{
'7.0.0': createTrustedPublisherWithAttestationsVersion('7.0.0'),
'7.0.1': createTrustedPublisherWithAttestationsVersion('7.0.1'),
},
{
'created': '2026-01-01T00:00:00.000Z',
'modified': '2026-01-02T00:00:00.000Z',
'7.0.0': '2026-01-01T00:00:00.000Z',
'7.0.1': '2026-01-02T00:00:00.000Z',
},
'7.0.1',
)

const transformed = transformPackument(packument, '7.0.1')
const infos = toVersionInfos(transformed)

// Both versions should be trustedPublisher — no downgrade
expect(infos.find(v => v.version === '7.0.0')?.trustLevel).toBe('trustedPublisher')
expect(infos.find(v => v.version === '7.0.1')?.trustLevel).toBe('trustedPublisher')
expect(detectPublishSecurityDowngradeForVersion(infos, '7.0.1')).toBeNull()
})

it('flags non-direct downgrade chain until trust is restored', () => {
Expand Down
Loading