@ryo-manba ryo-manba commented Oct 18, 2025

Fixes #8889

Added support for the npm package attestation check.
When trustPolicy is set to no-downgrade, installation will fail if a provenance downgrade is detected.

Detect provenance downgrading:

  • From trusted publisher to provenance only
  • From trusted publisher to none
  • From provenance only to none

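The downgrade rule listed in the description, as an added TypeScript example that is not pnpm's own code: trust evidence is ranked none < provenance < trusted publisher, and under trustPolicy no-downgrade any resolution that lowers the rank is rejected. The VersionMeta shape, the trustedPublisher flag, the function names and the sample versions are constructed assumptions, not the registry's real metadata fields or pnpm's API.

```typescript
// Added example (not pnpm's code): the no-downgrade rule from the PR description.
// Levels are ranked none < provenance < trusted-publisher; under trustPolicy
// 'no-downgrade', resolving to a lower-ranked level than the locked version fails.
export type TrustLevel = 'none' | 'provenance' | 'trusted-publisher';
export type TrustPolicy = 'no-downgrade' | undefined;
const RANK: Record<TrustLevel, number> = { none: 0, provenance: 1, 'trusted-publisher': 2 };

// Constructed per-version metadata (assumption, not the registry's real shape):
// `attestations` stands in for dist.attestations being present on the version;
// `trustedPublisher` is a hypothetical marker for trusted-publisher evidence.
export interface VersionMeta { attestations?: boolean; trustedPublisher?: boolean }

// Missing metadata classifies as 'none', so an unknown target version fails
// closed when the no-downgrade policy is active.
export function classify(meta: VersionMeta | undefined): TrustLevel {
  if (meta?.trustedPublisher) return 'trusted-publisher';
  if (meta?.attestations) return 'provenance';
  return 'none';
}

export interface TrustDowngrade {
  pkg: string; from: string; to: string; fromLevel: TrustLevel; toLevel: TrustLevel;
}

// Describes the downgrade if moving `pkg` from the locked version to the newly
// resolved one would lower its trust level; returns null when the move is allowed
// (same level, stronger evidence, or policy not set).
export function checkTrustDowngrade(
  pkg: string, lockedVersion: string, resolvedVersion: string,
  versions: Record<string, VersionMeta>, policy: TrustPolicy,
): TrustDowngrade | null {
  if (policy !== 'no-downgrade') return null;
  const fromLevel = classify(versions[lockedVersion]);
  const toLevel = classify(versions[resolvedVersion]);
  if (RANK[toLevel] >= RANK[fromLevel]) return null;
  return { pkg, from: lockedVersion, to: resolvedVersion, fromLevel, toLevel };
}

// Constructed sample: three versions with successively weaker evidence.
export const SAMPLE_VERSIONS: Record<string, VersionMeta> = {
  '1.0.0': { attestations: true, trustedPublisher: true },
  '1.1.0': { attestations: true },
  '1.2.0': {},
};

// Format the failure the way an installer could report it.
export function formatDowngrade(d: TrustDowngrade): string {
  return `${d.pkg}: refusing ${d.from} (${d.fromLevel}) -> ${d.to} (${d.toLevel}) under trustPolicy=no-downgrade`;
}
```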

@ryo-manba ryo-manba marked this pull request as ready for review October 18, 2025 07:46
@ryo-manba ryo-manba requested a review from zkochan as a code owner October 18, 2025 07:46
@ryo-manba ryo-manba (Member Author) commented

Hi @zkochan, when you have a moment, could you review this PR?
I also have a few other PRs that have been pending for a while.
Happy to help if there’s anything I can do.
Thanks!

zkochan commented Nov 7, 2025

I have left a comment in the related issue: #8889 (comment)

zkochan commented Nov 8, 2025

When the attestation check is set to true, the full metadata should be requested, similar to how it is done when minimumReleaseAge is set. Otherwise, the "time" field will not be present in the metadata.

@ryo-manba ryo-manba requested a review from zkochan November 9, 2025 08:22
@zkochan zkochan requested a review from Copilot November 9, 2025 17:32

@zkochan zkochan changed the title feat: add support for npm package attestation check feat: add support for npm package trust evidence check via a new trustPolicy setting Nov 9, 2025
@zkochan zkochan requested review from Copilot and zkochan November 9, 2025 21:04
Copilot AI left a comment
Pull Request Overview

Copilot reviewed 22 out of 22 changed files in this pull request and generated 2 comments.

@zkochan zkochan requested a review from Copilot November 9, 2025 21:21
Copilot AI left a comment
Pull Request Overview

Copilot reviewed 23 out of 23 changed files in this pull request and generated 1 comment.

@zkochan zkochan merged commit 10bc391 into pnpm:main Nov 9, 2025
13 of 17 checks passed
zkochan added a commit that referenced this pull request Nov 9, 2025
…tPolicy setting (#10103)

close #8889

---------

Co-authored-by: Zoltan Kochan <[email protected]>
@ryo-manba ryo-manba deleted the feat/attestation-check branch November 10, 2025 01:00
Linked issue this pull request may close: [Feature Request] An option to forbid packages from upgrading from an attested version to an unattested version