fix: rank trusted publishing higher and update wording

Author: danielroe

app/pages/package/[[org]]/[name].vue

@@ -1054,25 +1054,43 @@ onKeyStroke(
               {{ $t('package.security_downgrade.title') }}
             </h3>
             <p class="mt-2 mb-0 text-sm">
-              {{ $t('package.security_downgrade.description') }}
-            </p>
-            <p v-if="publishSecurityDowngrade.trustedVersion" class="mt-2 mb-0 text-sm">
-              {{
-                $t('package.security_downgrade.fallback_install', {
-                  version: publishSecurityDowngrade.trustedVersion,
-                })
-              }}
-            </p>
-            <p class="mt-2 mb-0 text-sm">
-              <a
-                href="https://docs.npmjs.com/generating-provenance-statements"
-                target="_blank"
-                rel="noopener noreferrer"
-                class="inline-flex items-center gap-1 rounded-sm underline underline-offset-4 decoration-amber-600/60 dark:decoration-amber-400/50 hover:decoration-fg focus-visible:decoration-fg focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent/70 transition-colors"
+              <i18n-t
+                :keypath="`package.security_downgrade.description_to_${publishSecurityDowngrade.downgradedTrustLevel}_${publishSecurityDowngrade.trustedTrustLevel}`"
+                tag="span"
+                scope="global"
               >
-                {{ $t('package.security_downgrade.learn_more') }}
-                <span class="i-carbon-launch w-3 h-3" aria-hidden="true" />
-              </a>
+                <template #provenance>
+                  <a
+                    href="https://docs.npmjs.com/generating-provenance-statements"
+                    target="_blank"
+                    rel="noopener noreferrer"
+                    class="inline-flex items-center gap-1 rounded-sm underline underline-offset-4 decoration-amber-600/60 dark:decoration-amber-400/50 hover:decoration-fg focus-visible:decoration-fg focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent/70 transition-colors"
+                    >{{ $t('package.security_downgrade.provenance_link_text')
+                    }}<span class="i-carbon-launch w-3 h-3" aria-hidden="true"
+                  /></a>
+                </template>
+                <template #trustedPublishing>
+                  <a
+                    href="https://docs.npmjs.com/adding-a-trusted-publisher-to-a-package"
+                    target="_blank"
+                    rel="noopener noreferrer"
+                    class="inline-flex items-center gap-1 rounded-sm underline underline-offset-4 decoration-amber-600/60 dark:decoration-amber-400/50 hover:decoration-fg focus-visible:decoration-fg focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent/70 transition-colors"
+                    >{{ $t('package.security_downgrade.trusted_publishing_link_text')
+                    }}<span class="i-carbon-launch w-3 h-3" aria-hidden="true"
+                  /></a>
+                </template>
+              </i18n-t>
+              {{ ' ' }}
+              <template v-if="publishSecurityDowngrade.trustedVersion">
+                {{
+                  $t(
+                    `package.security_downgrade.fallback_install_${publishSecurityDowngrade.trustedTrustLevel}`,
+                    {
+                      version: publishSecurityDowngrade.trustedVersion,
+                    },
+                  )
+                }}
+              </template>
             </p>
           </div>
           <TerminalInstall

app/utils/publish-security.ts

@@ -4,28 +4,31 @@ import { compare, major } from 'semver'
 export interface PublishSecurityDowngrade {
   downgradedVersion: string
   downgradedPublishedAt?: string
+  downgradedTrustLevel: PublishTrustLevel
   /** Recommended trusted version within the same major, if one exists */
   trustedVersion?: string
   trustedPublishedAt?: string
+  trustedTrustLevel: PublishTrustLevel
 }
 
 type VersionWithIndex = PackageVersionInfo & {
   index: number
   timestamp: number
   trustRank: number
+  resolvedTrustLevel: PublishTrustLevel
 }
 
 const TRUST_RANK: Record<PublishTrustLevel, number> = {
   none: 0,
-  trustedPublisher: 1,
-  provenance: 2,
+  provenance: 1,
+  trustedPublisher: 2,
 }
 
-function getTrustRank(version: PackageVersionInfo): number {
-  if (version.trustLevel) return TRUST_RANK[version.trustLevel]
+function resolveTrustLevel(version: PackageVersionInfo): PublishTrustLevel {
+  if (version.trustLevel) return version.trustLevel
   // Fallback for legacy data: hasProvenance only indicates non-'none' trust,
-  // so map it to trustedPublisher (the lower rank) to avoid over-ranking
-  return version.hasProvenance ? TRUST_RANK.trustedPublisher : TRUST_RANK.none
+  // so map it to provenance (the lower rank) to avoid over-ranking
+  return version.hasProvenance ? 'provenance' : 'none'
 }
 
 function toTimestamp(time?: string): number {
@@ -65,12 +68,16 @@ export function detectPublishSecurityDowngradeForVersion(
   if (versions.length < 2 || !viewedVersion) return null
 
   const sorted = versions
-    .map((version, index) => ({
-      ...version,
-      index,
-      timestamp: toTimestamp(version.time),
-      trustRank: getTrustRank(version),
-    }))
+    .map((version, index) => {
+      const resolvedTrustLevel = resolveTrustLevel(version)
+      return {
+        ...version,
+        index,
+        timestamp: toTimestamp(version.time),
+        trustRank: TRUST_RANK[resolvedTrustLevel],
+        resolvedTrustLevel,
+      }
+    })
     .sort(sortByRecency)
 
   const currentIndex = sorted.findIndex(version => version.version === viewedVersion)
@@ -108,7 +115,9 @@ export function detectPublishSecurityDowngradeForVersion(
   return {
     downgradedVersion: current.version,
     downgradedPublishedAt: current.time,
+    downgradedTrustLevel: current.resolvedTrustLevel,
     trustedVersion: recommendation?.version,
     trustedPublishedAt: recommendation?.time,
+    trustedTrustLevel: strongestOlder.resolvedTrustLevel,
   }
 }

i18n/locales/en.json

@@ -257,10 +257,14 @@
       "error_loading": "Failed to load provenance details"
     },
     "security_downgrade": {
-      "title": "Provenance downgrade",
-      "description": "An older version of this package was published with provenance or trusted publishing. This version was published without it.",
-      "fallback_install": "Install commands below are pinned to version {version}, which was published with a stronger trust method.",
-      "learn_more": "Learn more about provenance"
+      "title": "Trust downgrade",
+      "description_to_none_provenance": "This version was published without {provenance}.",
+      "description_to_none_trustedPublisher": "This version was published without {trustedPublishing}.",
+      "description_to_provenance_trustedPublisher": "This version uses {provenance} but not {trustedPublishing}.",
+      "fallback_install_provenance": "Install commands are pinned to {version}, the last version with provenance.",
+      "fallback_install_trustedPublisher": "Install commands are pinned to {version}, the last version with trusted publishing.",
+      "provenance_link_text": "provenance",
+      "trusted_publishing_link_text": "trusted publishing"
     },
     "keywords_title": "Keywords",
     "compatibility": "Compatibility",

i18n/schema.json

@@ -772,6 +772,36 @@
           },
           "additionalProperties": false
         },
+        "security_downgrade": {
+          "type": "object",
+          "properties": {
+            "title": {
+              "type": "string"
+            },
+            "description_to_none_provenance": {
+              "type": "string"
+            },
+            "description_to_none_trustedPublisher": {
+              "type": "string"
+            },
+            "description_to_provenance_trustedPublisher": {
+              "type": "string"
+            },
+            "fallback_install_provenance": {
+              "type": "string"
+            },
+            "fallback_install_trustedPublisher": {
+              "type": "string"
+            },
+            "provenance_link_text": {
+              "type": "string"
+            },
+            "trusted_publishing_link_text": {
+              "type": "string"
+            }
+          },
+          "additionalProperties": false
+        },
         "keywords_title": {
           "type": "string"
         },

lunaria/files/en-GB.json

@@ -256,10 +256,14 @@
       "error_loading": "Failed to load provenance details"
     },
     "security_downgrade": {
-      "title": "Provenance downgrade",
-      "description": "An older version of this package was published with provenance or trusted publishing. This version was published without it.",
-      "fallback_install": "Install commands below are pinned to version {version}, which was published with a stronger trust method.",
-      "learn_more": "Learn more about provenance"
+      "title": "Trust downgrade",
+      "description_to_none_provenance": "This version was published without {provenance}.",
+      "description_to_none_trustedPublisher": "This version was published without {trustedPublishing}.",
+      "description_to_provenance_trustedPublisher": "This version uses {provenance} but not {trustedPublishing}.",
+      "fallback_install_provenance": "Install commands are pinned to {version}, the last version with provenance.",
+      "fallback_install_trustedPublisher": "Install commands are pinned to {version}, the last version with trusted publishing.",
+      "provenance_link_text": "provenance",
+      "trusted_publishing_link_text": "trusted publishing"
     },
     "keywords_title": "Keywords",
     "compatibility": "Compatibility",

lunaria/files/en-US.json

@@ -256,10 +256,14 @@
       "error_loading": "Failed to load provenance details"
     },
     "security_downgrade": {
-      "title": "Provenance downgrade",
-      "description": "An older version of this package was published with provenance or trusted publishing. This version was published without it.",
-      "fallback_install": "Install commands below are pinned to version {version}, which was published with a stronger trust method.",
-      "learn_more": "Learn more about provenance"
+      "title": "Trust downgrade",
+      "description_to_none_provenance": "This version was published without {provenance}.",
+      "description_to_none_trustedPublisher": "This version was published without {trustedPublishing}.",
+      "description_to_provenance_trustedPublisher": "This version uses {provenance} but not {trustedPublishing}.",
+      "fallback_install_provenance": "Install commands are pinned to {version}, the last version with provenance.",
+      "fallback_install_trustedPublisher": "Install commands are pinned to {version}, the last version with trusted publishing.",
+      "provenance_link_text": "provenance",
+      "trusted_publishing_link_text": "trusted publishing"
     },
     "keywords_title": "Keywords",
     "compatibility": "Compatibility",

test/nuxt/composables/use-package-transform.spec.ts

@@ -182,8 +182,10 @@ describe('transformPackument', () => {
     expect(detectPublishSecurityDowngradeForVersion(infos, '1.0.1')).toEqual({
       downgradedVersion: '1.0.1',
       downgradedPublishedAt: '2026-01-02T00:00:00.000Z',
+      downgradedTrustLevel: 'none',
       trustedVersion: '1.0.0',
       trustedPublishedAt: '2026-01-01T00:00:00.000Z',
+      trustedTrustLevel: 'provenance',
     })
   })
 

test/unit/app/utils/publish-security.spec.ts

@@ -30,25 +30,27 @@ describe('detectPublishSecurityDowngradeForVersion', () => {
     expect(result).toEqual({
       downgradedVersion: '1.0.1',
       downgradedPublishedAt: '2026-01-02T00:00:00.000Z',
+      downgradedTrustLevel: 'none',
       trustedVersion: '1.0.0',
       trustedPublishedAt: '2026-01-01T00:00:00.000Z',
+      trustedTrustLevel: 'provenance',
     })
   })
 
-  it('flags trust downgrade from provenance to trustedPublisher', () => {
+  it('flags trust downgrade from trustedPublisher to provenance', () => {
     const result = detectPublishSecurityDowngradeForVersion(
       [
         {
           version: '1.0.0',
           time: '2026-01-01T00:00:00.000Z',
           hasProvenance: true,
-          trustLevel: 'provenance',
+          trustLevel: 'trustedPublisher',
         },
         {
           version: '1.0.1',
           time: '2026-01-02T00:00:00.000Z',
           hasProvenance: true,
-          trustLevel: 'trustedPublisher',
+          trustLevel: 'provenance',
         },
       ],
       '1.0.1',
@@ -57,11 +59,35 @@ describe('detectPublishSecurityDowngradeForVersion', () => {
     expect(result).toEqual({
       downgradedVersion: '1.0.1',
       downgradedPublishedAt: '2026-01-02T00:00:00.000Z',
+      downgradedTrustLevel: 'provenance',
       trustedVersion: '1.0.0',
       trustedPublishedAt: '2026-01-01T00:00:00.000Z',
+      trustedTrustLevel: 'trustedPublisher',
     })
   })
 
+  it('does not flag upgrade from provenance to trustedPublisher', () => {
+    const result = detectPublishSecurityDowngradeForVersion(
+      [
+        {
+          version: '1.0.0',
+          time: '2026-01-01T00:00:00.000Z',
+          hasProvenance: true,
+          trustLevel: 'provenance',
+        },
+        {
+          version: '1.0.1',
+          time: '2026-01-02T00:00:00.000Z',
+          hasProvenance: true,
+          trustLevel: 'trustedPublisher',
+        },
+      ],
+      '1.0.1',
+    )
+
+    expect(result).toBeNull()
+  })
+
   it('flags ongoing downgraded versions until an upgrade happens', () => {
     const versions = [
       {
@@ -216,29 +242,61 @@ describe('detectPublishSecurityDowngradeForVersion', () => {
     expect(result?.trustedVersion).toBe('2.0.0')
   })
 
-  it('uses trustedPublisher rank (not provenance) for hasProvenance fallback without trustLevel', () => {
-    // When trustLevel is absent, hasProvenance: true should map to trustedPublisher rank,
-    // not provenance rank. This means a version with only hasProvenance: true should NOT
-    // be considered a downgrade from trustedPublisher.
+  it('uses provenance rank (not trustedPublisher) for hasProvenance fallback without trustLevel', () => {
+    // When trustLevel is absent, hasProvenance: true should map to provenance rank,
+    // not trustedPublisher rank. This means a version with only hasProvenance: true
+    // should be considered a downgrade from trustedPublisher.
+    const result = detectPublishSecurityDowngradeForVersion(
+      [
+        {
+          version: '1.0.0',
+          time: '2026-01-01T00:00:00.000Z',
+          hasProvenance: true,
+          trustLevel: 'trustedPublisher',
+        },
+        {
+          version: '1.0.1',
+          time: '2026-01-02T00:00:00.000Z',
+          hasProvenance: true,
+          // no trustLevel — fallback path maps to provenance
+        },
+      ],
+      '1.0.1',
+    )
+
+    // hasProvenance fallback maps to provenance (rank 1), trustedPublisher is rank 2, so this is a downgrade
+    expect(result).toEqual({
+      downgradedVersion: '1.0.1',
+      downgradedPublishedAt: '2026-01-02T00:00:00.000Z',
+      downgradedTrustLevel: 'provenance',
+      trustedVersion: '1.0.0',
+      trustedPublishedAt: '2026-01-01T00:00:00.000Z',
+      trustedTrustLevel: 'trustedPublisher',
+    })
+  })
+
+  it('does not flag hasProvenance fallback against provenance trustLevel', () => {
+    // When trustLevel is absent, hasProvenance: true maps to provenance rank.
+    // An explicit provenance trustLevel is the same rank, so no downgrade.
     const result = detectPublishSecurityDowngradeForVersion(
       [
         {
           version: '1.0.0',
           time: '2026-01-01T00:00:00.000Z',
           hasProvenance: true,
-          // no trustLevel — fallback path
+          // no trustLevel — fallback path maps to provenance
         },
         {
           version: '1.0.1',
           time: '2026-01-02T00:00:00.000Z',
           hasProvenance: true,
-          trustLevel: 'trustedPublisher',
+          trustLevel: 'provenance',
         },
       ],
       '1.0.1',
     )
 
-    // Both should be treated as trustedPublisher rank, so no downgrade
+    // Both are provenance rank, so no downgrade
     expect(result).toBeNull()
   })
 })