
Conversation

@danielroe

resolves #1292

@vercel

vercel bot commented Feb 9, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: npmx.dev | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): Feb 9, 2026 10:59pm

2 skipped deployments:
Project: docs.npmx.dev | Deployment: Ignored | Updated (UTC): Feb 9, 2026 10:59pm
Project: npmx-lunaria | Deployment: Ignored | Updated (UTC): Feb 9, 2026 10:59pm


@codecov

codecov bot commented Feb 9, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.


@coderabbitai

coderabbitai bot commented Feb 9, 2026

Walkthrough

This pull request adjusts the trust level evaluation logic for npm packages. The getTrustLevel function now prioritises trustedPublisher status over attestations when determining package trust classification. When a package has both trustedPublisher and attestations, it is now classified as 'trustedPublisher' rather than 'provenance'. A comment is added documenting that trusted publishing automatically generates provenance attestations. Documentation references are updated to point to current npm docs URLs. Test cases are updated to reflect the new classification behaviour and validate that no trust downgrade is incorrectly flagged when both versions have trustedPublisher status with attestations.

Pre-merge checks: 3 passed

  • Description check: Passed. The PR description references issue #1292, which directly relates to the changeset addressing trust downgrade false positives.
  • Linked Issues check: Passed. The changes address both key objectives: prioritising trustedPublisher in getTrustLevel logic [1] and fixing the documentation link [2].
  • Out of Scope Changes check: Passed. All changes directly address the linked issue: logic reordering to prioritise trustedPublisher, documentation link updates, and corresponding test adjustments.



No actionable comments were generated in the recent review. 🎉


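The ordering change the walkthrough describes, as an added TypeScript example that is not npmx's own code: the level name 'none', the VersionMeta shape, the rank-based downgrade check, and the sample versions are assumptions made for this illustration.

```typescript
// Added example, not the project's getTrustLevel. Shows why checking
// trustedPublisher before attestations matters for downgrade detection.

type TrustLevel = 'trustedPublisher' | 'provenance' | 'none' // 'none' is assumed

interface VersionMeta {
  // Assumed shapes: trustedPublisher is set when the version was published
  // via trusted publishing; attestations holds provenance data when present.
  trustedPublisher?: { id: string } | null
  attestations?: { provenance?: object } | null
}

// Higher rank = stronger guarantee. Used to decide whether a new version
// moved to a weaker trust level than the previous one.
const RANK: Record<TrustLevel, number> = { trustedPublisher: 2, provenance: 1, none: 0 }

// Fixed ordering: trusted publishing wins. Trusted publishing automatically
// generates provenance attestations, so a version that has both is still a
// trusted-publisher release rather than merely a provenance-attested one.
function getTrustLevel(v: VersionMeta): TrustLevel {
  if (v.trustedPublisher) return 'trustedPublisher'
  if (v.attestations?.provenance) return 'provenance'
  return 'none'
}

// Pre-fix ordering (attestations checked first), kept only to show the effect:
// a version with both fields is reported as 'provenance'.
function getTrustLevelBeforeFix(v: VersionMeta): TrustLevel {
  if (v.attestations?.provenance) return 'provenance'
  if (v.trustedPublisher) return 'trustedPublisher'
  return 'none'
}

// A downgrade is a move to a strictly lower rank between two versions.
function isTrustDowngrade(
  prev: VersionMeta,
  next: VersionMeta,
  classify: (v: VersionMeta) => TrustLevel = getTrustLevel,
): boolean {
  return RANK[classify(next)] < RANK[classify(prev)]
}

// Constructed sample metadata (not real registry data).
const viaTrustedPublisherOnly: VersionMeta = { trustedPublisher: { id: 'gh' }, attestations: null }
const viaTrustedPublisherWithAttestations: VersionMeta = { trustedPublisher: { id: 'gh' }, attestations: { provenance: {} } }
const viaProvenanceOnly: VersionMeta = { trustedPublisher: null, attestations: { provenance: {} } }
```

With the fixed ordering, two consecutive versions that both carry trustedPublisher plus attestations classify identically and raise no downgrade; a real move from trusted publishing to bare provenance still does.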

@danielroe danielroe merged commit 38e0bed into main Feb 9, 2026
20 checks passed
@danielroe danielroe deleted the fix/trusted-publishing branch February 9, 2026 23:03


Development

Successfully merging this pull request may close these issues.

False positive trust downgrade