feat: detect npm publish security downgrade

[wojtekmaj]

Closes #534

Example:

This is a perfect example - an older version was indeed "downgraded":

https://npmxdev-git-fork-wojtekmaj-downgrade-detection-poetry.vercel.app/package/ts-api-utils/v/2.1.1

But the latest got an "upgrade" again:

https://npmxdev-git-fork-wojtekmaj-downgrade-detection-poetry.vercel.app/package/ts-api-utils/v/2.4.0

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
npmx.dev	Ready	Preview, Comment	Feb 9, 2026 10:55am

2 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
docs.npmx.dev	Ignored	Preview	Feb 9, 2026 10:55am
npmx-lunaria	Ignored		Feb 9, 2026 10:55am

[github-actions]

Lunaria Status Overview

🌕 This pull request will trigger status changes.

Learn more

By default, every PR changing files present in the Lunaria configuration's files property will be considered and trigger status changes accordingly.

You can change this by adding one of the keywords present in the ignoreKeywords property in your Lunaria configuration file in the PR's title (ignoring all files) or by including a tracker directive in the merged commit's description.

Tracked Files

File	Note
lunaria/files/en-GB.json	Localization changed, will be marked as complete. 🔄️
lunaria/files/en-US.json	Source changed, localizations will be marked as outdated.

Warnings reference

Icon	Description
🔄️	The source for this localization has been updated since the creation of this pull request, make sure all changes in the source have been applied.

[codecov]

Codecov Report

❌ Patch coverage is 60.82474% with 38 lines in your changes missing coverage. Please review.
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
app/pages/package/[[org]]/[name].vue	5.88%	25 Missing and 7 partials ⚠️
app/utils/publish-security.ts	88.09%	2 Missing and 3 partials ⚠️
app/components/Terminal/Install.vue	50.00%	0 Missing and 1 partial ⚠️

📢 Thoughts on this report? Let us know!

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds detection and UI for npm publish security downgrades and a way to prefer a previously trusted version when installing. Key changes: new publish-security utility with downgrade-detection API; package transform and shared types extended to include per-version trust metadata and optional securityVersions; Install component and useInstallCommand updated to accept an installVersionOverride which takes precedence over requestedVersion; package page shows downgrade alerts and supplies the override to install UI; i18n/schema entries and tests added for the new behaviours.

Possibly related PRs

• refactor: separate npm composables #827: Refactors npm composables and types; aligns with this PR’s changes to transformPackument, securityVersions, and trustLevel additions.
• feat: add provenance to end of README and provenance badge #436: Introduced provenance/trust metadata and provenance UI that this change builds upon for downgrade detection and messaging.
• feat: unifying npm registry requests with caching #641: Modifies npm composables (usePackage fetching) overlapping the same files and composable surface changed here.

Suggested reviewers

• wojtekmaj

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description check	✅ Passed	The PR description clearly references issue #534 and provides concrete examples showing security downgrade detection implementation with before/after states.
Linked Issues check	✅ Passed	All objectives from issue #534 are implemented: security downgrade detection logic, prominent red alert banner, and install command pinning to trusted versions.
Out of Scope Changes check	✅ Passed	All changes are directly related to security downgrade detection and display, with no unrelated modifications outside the stated PR objectives.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

No actionable comments were generated in the recent review. 🎉

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

This PR implements a security downgrade detection feature that warns users when an npm package version was published without provenance after previous versions had provenance. This addresses supply-chain security concerns by alerting users to potential compromises.

Changes:

• Added security downgrade detection utilities that compare provenance status across package versions
• Implemented a prominent warning banner in the package installation UI when a downgrade is detected
• Modified install commands to default to the last trusted version when viewing a downgraded version
• Added comprehensive test coverage for the detection logic
• Added i18n strings in English locales for the security warning messages

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
app/utils/publish-security.ts	Core detection logic for identifying security downgrades by comparing provenance across versions
test/unit/app/utils/publish-security.spec.ts	Comprehensive unit tests covering main scenarios and edge cases
app/pages/package/[...package].vue	Integration of downgrade detection with warning banner and version override logic
app/composables/useInstallCommand.ts	Added optional installVersionOverride parameter to support pinning to trusted versions
app/components/Terminal/Install.vue	Passes through installVersionOverride prop to support version pinning
test/nuxt/composables/use-install-command.spec.ts	Test coverage for the version override functionality
i18n/locales/en.json, lunaria/files/en-US.json, lunaria/files/en-GB.json	Warning message strings for the security banner

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

test/unit/app/utils/publish-security.spec.ts (1)

7-63: LGTM! Core scenarios are well covered.

The tests verify the three primary outcomes: downgrade detected, latest is trusted, and no trusted history.

Consider adding edge case tests for robustness:

• Empty array input (should return null)
• Single version input (should return null)
• Versions with missing/invalid time fields (to verify timestamp fallback logic)

📝 Example edge case tests

it('returns null for empty versions array', () => {
  const result = detectPublishSecurityDowngrade([])
  expect(result).toBeNull()
})

it('returns null for single version', () => {
  const result = detectPublishSecurityDowngrade([
    { version: '1.0.0', time: '2026-01-01T00:00:00.000Z', hasProvenance: false },
  ])
  expect(result).toBeNull()
})

it('handles versions with missing timestamps', () => {
  const result = detectPublishSecurityDowngrade([
    { version: '1.0.0', hasProvenance: true },
    { version: '1.0.1', hasProvenance: false },
  ])
  // Should still detect downgrade using semver ordering
  expect(result).toEqual({
    downgradedVersion: '1.0.1',
    downgradedPublishedAt: undefined,
    trustedVersion: '1.0.0',
    trustedPublishedAt: undefined,
  })
})

app/composables/useInstallCommand.ts (1)

34-44: Minor duplication of version resolution logic.

The version resolution pattern (toValue(installVersionOverride) ?? toValue(requestedVersion)) is repeated in both installCommandParts and installCommand. This is acceptable for clarity, but if this pattern grows in usage, consider extracting it to a computed ref.

♻️ Optional refactor to reduce duplication

+  const resolvedVersion = computed(() =>
+    toValue(installVersionOverride) ?? toValue(requestedVersion)
+  )
+
   const installCommandParts = computed(() => {
     const name = toValue(packageName)
     if (!name) return []
-    const version = toValue(installVersionOverride) ?? toValue(requestedVersion)
     return getInstallCommandParts({
       packageName: name,
       packageManager: selectedPM.value,
-      version,
+      version: resolvedVersion.value,
       jsrInfo: toValue(jsrInfo),
     })
   })

   const installCommand = computed(() => {
     const name = toValue(packageName)
     if (!name) return ''
-    const version = toValue(installVersionOverride) ?? toValue(requestedVersion)
     return getInstallCommand({
       packageName: name,
       packageManager: selectedPM.value,
-      version,
+      version: resolvedVersion.value,
       jsrInfo: toValue(jsrInfo),
     })
   })

[ghostdevv]

Perhaps it should also include trusted publisher, both e18e and pnpm have logic like that

• https://github.com/pnpm/pnpm/blob/c494de3a184b25dfeac1149d0dcf293b06369500/resolving/npm-resolver/src/trustChecks.ts#L118-L126
• https://github.com/e18e/action-dependency-diff/blob/af08a5a8724dcd9ca3dd2efbdc70bb07bfffc191/src/npm.ts#L34-L42

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

app/composables/npm/usePackage.ts (1)

87-96: ⚠️ Potential issue | 🟠 Major

Same hasProvenance semantic issue in filtered versions.

Line 87 uses hasPublishTrustEvidence(version) which includes trusted-publisher evidence, again conflating it with provenance for the hasProvenance field on SlimVersion.

🐛 Proposed fix — use attestation-only check for hasProvenance

-      const hasProvenance = hasPublishTrustEvidence(version)
+      const provenance = hasAttestations(version)
       const trustLevel = getTrustLevel(version)

       filteredVersions[v] = {
-        hasProvenance,
+        hasProvenance: provenance,
         trustLevel,

🧹 Nitpick comments (3)

app/composables/npm/usePackage.ts (1)

59-68: securityVersions includes every version — potential payload bloat for large packages.

Unlike filteredVersions which is pruned to ~5 recent + dist-tags, securityVersions maps over all pkg.versions. Popular packages can have hundreds or thousands of versions, and this array is shipped to every client in the initial SSR payload.

Consider whether the downgrade detection logic could run server-side and only ship the result (or a trimmed window of versions) to the client.

app/utils/publish-security.ts (1)

55-87: detectPublishSecurityDowngrade does not skip deprecated versions.

A deprecated version that happens to be the newest by timestamp will be flagged as the "downgraded" version. Users seeing a deprecation notice and a security downgrade banner simultaneously may be confusing. Consider whether deprecated versions should be excluded from the "latest" candidate or documented as intentional.

app/pages/package/[...package].vue (1)

148-159: Fallback path derives security metadata from filtered versions only — downgrade detection may miss evidence.

When securityVersions is not populated (e.g. client-side rehydration edge cases), the fallback on line 152 iterates pkg.value.versions, which only contains ~5 recent versions + dist-tag versions. If the trusted older version falls outside that window, detectPublishSecurityDowngradeForVersion will return null and the warning won't appear.

This is a graceful degradation (no false positive), but it's worth documenting or logging when the fallback is hit so it's clear why the banner might not show in certain scenarios.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

hasProvenance conflates trusted-publisher evidence with attestation provenance.

On line 64, hasProvenance: trustLevel !== 'none' means a version published via a trusted publisher (OIDC) but without SLSA attestations is marked as hasProvenance: true. This is semantically incorrect — "provenance" specifically refers to verifiable build attestations, not publisher identity trust. The downstream getTrustRank fallback in publish-security.ts (line 25: return version.hasProvenance ? TRUST_RANK.provenance : TRUST_RANK.none) would then incorrectly elevate a trustedPublisher version to provenance rank when trustLevel is absent.

Consider using the attestation-only check for hasProvenance and relying on trustLevel for the broader trust signal:

🐛 Proposed fix

     return {
       version,
       time: pkg.time[version],
-      hasProvenance: trustLevel !== 'none',
+      hasProvenance: hasAttestations(metadata),
       trustLevel,
       deprecated: metadata.deprecated,
     }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	const securityVersions = Object.entries(pkg.versions).map(([version, metadata]) => {
	const trustLevel = getTrustLevel(metadata)
	return {
	version,
	time: pkg.time[version],
	hasProvenance: trustLevel !== 'none',
	trustLevel,
	deprecated: metadata.deprecated,
	}
	})
	const securityVersions = Object.entries(pkg.versions).map(([version, metadata]) => {
	const trustLevel = getTrustLevel(metadata)
	return {
	version,
	time: pkg.time[version],
	hasProvenance: hasAttestations(metadata),
	trustLevel,
	deprecated: metadata.deprecated,
	}
	})

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

app/pages/package/[...package].vue (1)

148-159: Fallback derivation looks sound, but the !! coercion on hasProvenance is redundant.

On SlimVersion, hasProvenance is already a boolean (set in usePackage.ts line 91/94). The double-negation !!metadata.hasProvenance on line 155 is harmless but unnecessary.

Otherwise, the fallback logic for older cached payloads that lack securityVersions is a nice defensive pattern.

Nitpick: remove redundant coercion

   return Object.entries(pkg.value.versions).map(([version, metadata]) => ({
     version,
     time: pkg.value?.time?.[version],
-    hasProvenance: !!metadata.hasProvenance,
+    hasProvenance: metadata.hasProvenance,
     trustLevel: metadata.trustLevel,
     deprecated: metadata.deprecated,
   }))

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Same hasProvenance conflation applies here in the filtered versions.

Lines 90–91 replicate the same trustLevel !== 'none' → hasProvenance pattern flagged above. This should use hasAttestations(version) for consistency and correctness.

Proposed fix

-      const trustLevel = getTrustLevel(version)
-      const hasProvenance = trustLevel !== 'none'
+      const trustLevel = getTrustLevel(version)
+      const hasProvenance = hasAttestations(version)

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	const trustLevel = getTrustLevel(version)
	const hasProvenance = trustLevel !== 'none'
	filteredVersions[v] = {
	...((version?.dist as { attestations?: unknown }) ? { hasProvenance: true } : {}),
	hasProvenance,
	trustLevel,
	const trustLevel = getTrustLevel(version)
	const hasProvenance = hasAttestations(version)
	filteredVersions[v] = {
	hasProvenance,
	trustLevel,

[danielroe]

updated wording

[danielroe]

@coderabbitai resume

[coderabbitai]

✅ Actions performed

Reviews resumed.