From cce541985e6c143cef501c775daf206ada34c956 Mon Sep 17 00:00:00 2001
From: Daniel Roe <daniel@roe.dev>
Date: Mon, 9 Feb 2026 22:57:17 +0000
Subject: [PATCH] fix: packages with both provenance + trusted publishing
 should be marked as trustedPublisher

resolves https://github.com/npmx-dev/npmx.dev/issues/1292
---
 app/composables/npm/usePackage.ts             |  3 +-
 app/pages/package/[[org]]/[name].vue          |  4 +--
 .../composables/use-package-transform.spec.ts | 31 +++++++++++++++++--
 3 files changed, 33 insertions(+), 5 deletions(-)

diff --git a/app/composables/npm/usePackage.ts b/app/composables/npm/usePackage.ts
index dd89412aa..1bfef0198 100644
--- a/app/composables/npm/usePackage.ts
+++ b/app/composables/npm/usePackage.ts
@@ -20,8 +20,9 @@ function hasTrustedPublisher(version: PackumentVersion): boolean {
 }
 
 function getTrustLevel(version: PackumentVersion): PublishTrustLevel {
-  if (hasAttestations(version)) return 'provenance'
+  // trusted publishing automatically generates provenance attestations
   if (hasTrustedPublisher(version)) return 'trustedPublisher'
+  if (hasAttestations(version)) return 'provenance'
   return 'none'
 }
 
diff --git a/app/pages/package/[[org]]/[name].vue b/app/pages/package/[[org]]/[name].vue
index 7253e8648..23035f990 100644
--- a/app/pages/package/[[org]]/[name].vue
+++ b/app/pages/package/[[org]]/[name].vue
@@ -1099,7 +1099,7 @@ onKeyStroke(
               >
                 <template #trustedPublishing>
                   <a
-                    href="https://docs.npmjs.com/adding-a-trusted-publisher-to-a-package"
+                    href="https://docs.npmjs.com/trusted-publishers"
                     target="_blank"
                     rel="noopener noreferrer"
                     class="inline-flex items-center gap-1 rounded-sm underline underline-offset-4 decoration-amber-600/60 dark:decoration-amber-400/50 hover:decoration-fg focus-visible:decoration-fg focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent/70 transition-colors"
@@ -1129,7 +1129,7 @@ onKeyStroke(
                 </template>
                 <template #trustedPublishing>
                   <a
-                    href="https://docs.npmjs.com/adding-a-trusted-publisher-to-a-package"
+                    href="https://docs.npmjs.com/trusted-publishers"
                     target="_blank"
                     rel="noopener noreferrer"
                     class="inline-flex items-center gap-1 rounded-sm underline underline-offset-4 decoration-amber-600/60 dark:decoration-amber-400/50 hover:decoration-fg focus-visible:decoration-fg focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent/70 transition-colors"
diff --git a/test/nuxt/composables/use-package-transform.spec.ts b/test/nuxt/composables/use-package-transform.spec.ts
index fb709179d..48697728b 100644
--- a/test/nuxt/composables/use-package-transform.spec.ts
+++ b/test/nuxt/composables/use-package-transform.spec.ts
@@ -213,7 +213,7 @@ describe('transformPackument', () => {
     expect(detectPublishSecurityDowngradeForVersion(infos, '1.0.1')?.trustedVersion).toBe('1.0.0')
   })
 
-  it('prefers provenance trust level when both trustedPublisher and attestations exist', () => {
+  it('prefers trustedPublisher trust level when both trustedPublisher and attestations exist', () => {
     const packument = createPackument(
       {
         '1.0.0': createTrustedPublisherWithAttestationsVersion('1.0.0'),
@@ -230,7 +230,34 @@ describe('transformPackument', () => {
 
     const transformed = transformPackument(packument, '1.0.1')
 
-    expect(transformed.versions['1.0.0']?.trustLevel).toBe('provenance')
+    expect(transformed.versions['1.0.0']?.trustLevel).toBe('trustedPublisher')
+  })
+
+  // https://github.com/npmx-dev/npmx.dev/issues/1292
+  it('does not flag false downgrade when trusted publisher version also has attestations', () => {
+    // Trusted publishing automatically generates provenance attestations,
+    // so a version with both should be classified as trustedPublisher, not provenance.
+    const packument = createPackument(
+      {
+        '7.0.0': createTrustedPublisherWithAttestationsVersion('7.0.0'),
+        '7.0.1': createTrustedPublisherWithAttestationsVersion('7.0.1'),
+      },
+      {
+        'created': '2026-01-01T00:00:00.000Z',
+        'modified': '2026-01-02T00:00:00.000Z',
+        '7.0.0': '2026-01-01T00:00:00.000Z',
+        '7.0.1': '2026-01-02T00:00:00.000Z',
+      },
+      '7.0.1',
+    )
+
+    const transformed = transformPackument(packument, '7.0.1')
+    const infos = toVersionInfos(transformed)
+
+    // Both versions should be trustedPublisher — no downgrade
+    expect(infos.find(v => v.version === '7.0.0')?.trustLevel).toBe('trustedPublisher')
+    expect(infos.find(v => v.version === '7.0.1')?.trustLevel).toBe('trustedPublisher')
+    expect(detectPublishSecurityDowngradeForVersion(infos, '7.0.1')).toBeNull()
   })
 
   it('flags non-direct downgrade chain until trust is restored', () => {