From e01c4aacadfcbd963f00185ba696d104a03d2900 Mon Sep 17 00:00:00 2001
From: Wojciech Maj <kontakt@wojtekmaj.pl>
Date: Thu, 5 Feb 2026 23:30:30 +0100
Subject: [PATCH 1/6] feat: detect npm publish security downgrade

Closes #534
---
 app/components/Terminal/Install.vue           |   4 +-
 app/composables/useInstallCommand.ts          |   7 +-
 app/pages/package/[...package].vue            |  43 ++++++++
 app/utils/publish-security.ts                 | 104 ++++++++++++++++++
 i18n/locales/en.json                          |   5 +
 lunaria/files/en-GB.json                      |   5 +
 lunaria/files/en-US.json                      |   5 +
 .../composables/use-install-command.spec.ts   |  19 ++++
 test/unit/app/utils/publish-security.spec.ts  |  98 +++++++++++++++++
 9 files changed, 287 insertions(+), 3 deletions(-)
 create mode 100644 app/utils/publish-security.ts
 create mode 100644 test/unit/app/utils/publish-security.spec.ts

diff --git a/app/components/Terminal/Install.vue b/app/components/Terminal/Install.vue
index b03a5d6fa..6a8f2fd62 100644
--- a/app/components/Terminal/Install.vue
+++ b/app/components/Terminal/Install.vue
@@ -5,6 +5,7 @@ import type { PackageManagerId } from '~/utils/install-command'
 const props = defineProps<{
   packageName: string
   requestedVersion?: string | null
+  installVersionOverride?: string | null
   jsrInfo?: JsrPackageInfo | null
   typesPackageName?: string | null
   executableInfo?: { hasExecutable: boolean; primaryCommand?: string } | null
@@ -16,6 +17,7 @@ const { selectedPM, showTypesInInstall, copied, copyInstallCommand } = useInstal
   () => props.requestedVersion ?? null,
   () => props.jsrInfo ?? null,
   () => props.typesPackageName ?? null,
+  () => props.installVersionOverride ?? null,
 )
 
 // Generate install command parts for a specific package manager
@@ -23,7 +25,7 @@ function getInstallPartsForPM(pmId: PackageManagerId) {
   return getInstallCommandParts({
     packageName: props.packageName,
     packageManager: pmId,
-    version: props.requestedVersion,
+    version: props.installVersionOverride ?? props.requestedVersion,
     jsrInfo: props.jsrInfo,
   })
 }
diff --git a/app/composables/useInstallCommand.ts b/app/composables/useInstallCommand.ts
index 23094d457..827ac89f4 100644
--- a/app/composables/useInstallCommand.ts
+++ b/app/composables/useInstallCommand.ts
@@ -9,6 +9,7 @@ export function useInstallCommand(
   requestedVersion: MaybeRefOrGetter<string | null>,
   jsrInfo: MaybeRefOrGetter<JsrPackageInfo | null>,
   typesPackageName: MaybeRefOrGetter<string | null>,
+  installVersionOverride?: MaybeRefOrGetter<string | null>,
 ) {
   const selectedPM = useSelectedPackageManager()
   const { settings } = useSettings()
@@ -21,10 +22,11 @@ export function useInstallCommand(
   const installCommandParts = computed(() => {
     const name = toValue(packageName)
     if (!name) return []
+    const version = toValue(installVersionOverride) ?? toValue(requestedVersion)
     return getInstallCommandParts({
       packageName: name,
       packageManager: selectedPM.value,
-      version: toValue(requestedVersion),
+      version,
       jsrInfo: toValue(jsrInfo),
     })
   })
@@ -32,10 +34,11 @@ export function useInstallCommand(
   const installCommand = computed(() => {
     const name = toValue(packageName)
     if (!name) return ''
+    const version = toValue(installVersionOverride) ?? toValue(requestedVersion)
     return getInstallCommand({
       packageName: name,
       packageManager: selectedPM.value,
-      version: toValue(requestedVersion),
+      version,
       jsrInfo: toValue(jsrInfo),
     })
   })
diff --git a/app/pages/package/[...package].vue b/app/pages/package/[...package].vue
index ac08f83a1..3d63dbc56 100644
--- a/app/pages/package/[...package].vue
+++ b/app/pages/package/[...package].vue
@@ -13,6 +13,8 @@ import { areUrlsEquivalent } from '#shared/utils/url'
 import { isEditableElement } from '~/utils/input'
 import { formatBytes } from '~/utils/formatters'
 import { getDependencyCount } from '~/utils/npm/dependency-count'
+import { fetchAllPackageVersions } from '~/utils/npm/api'
+import { detectPublishSecurityDowngradeForVersion } from '~/utils/publish-security'
 import { NuxtLink } from '#components'
 import { useModal } from '~/composables/useModal'
 import { useAtproto } from '~/composables/atproto/useAtproto'
@@ -124,6 +126,15 @@ const {
   error: versionError,
 } = await useResolvedVersion(packageName, requestedVersion)
 
+const { data: allVersionMetadata } = useLazyAsyncData(
+  () => `package:version-meta:${packageName.value}`,
+  () => fetchAllPackageVersions(packageName.value),
+  {
+    default: () => [],
+    server: false,
+  },
+)
+
 if (
   versionStatus.value === 'error' &&
   versionError.value?.statusCode &&
@@ -225,6 +236,17 @@ const deprecationNoticeMessage = useMarkdown(() => ({
   text: deprecationNotice.value?.message ?? '',
 }))
 
+const publishSecurityDowngrade = computed(() => {
+  const currentVersion = displayVersion.value?.version
+  if (!currentVersion) return null
+  return detectPublishSecurityDowngradeForVersion(allVersionMetadata.value ?? [], currentVersion)
+})
+
+const installVersionOverride = computed(() => {
+  if (!publishSecurityDowngrade.value) return null
+  return publishSecurityDowngrade.value?.trustedVersion ?? null
+})
+
 const sizeTooltip = computed(() => {
   const chunks = [
     displayVersion.value &&
@@ -1088,9 +1110,30 @@ onKeyStroke(
           :id="`pm-panel-${activePmId}`"
           :aria-labelledby="`pm-tab-${activePmId}`"
         >
+          <div
+            v-if="publishSecurityDowngrade"
+            role="alert"
+            class="mb-4 rounded-lg border border-red-600/40 bg-red-500/10 px-4 py-3 text-red-800 dark:text-red-300"
+          >
+            <h3 class="m-0 flex items-center gap-2 font-mono text-sm font-semibold tracking-wide">
+              <span class="i-carbon-warning-filled w-4 h-4 shrink-0" aria-hidden="true" />
+              {{ $t('package.security_downgrade.title') }}
+            </h3>
+            <p class="mt-2 mb-0 text-sm">
+              {{ $t('package.security_downgrade.description') }}
+            </p>
+            <p class="mt-2 mb-0 text-sm">
+              {{
+                $t('package.security_downgrade.fallback_install', {
+                  version: publishSecurityDowngrade.trustedVersion,
+                })
+              }}
+            </p>
+          </div>
           <TerminalInstall
             :package-name="pkg.name"
             :requested-version="requestedVersion"
+            :install-version-override="installVersionOverride"
             :jsr-info="jsrInfo"
             :types-package-name="typesPackageName"
             :executable-info="executableInfo"
diff --git a/app/utils/publish-security.ts b/app/utils/publish-security.ts
new file mode 100644
index 000000000..651635a3d
--- /dev/null
+++ b/app/utils/publish-security.ts
@@ -0,0 +1,104 @@
+import type { PackageVersionInfo } from '#shared/types'
+import { compare } from 'semver'
+
+export interface PublishSecurityDowngrade {
+  downgradedVersion: string
+  downgradedPublishedAt?: string
+  trustedVersion: string
+  trustedPublishedAt?: string
+}
+
+type VersionWithIndex = PackageVersionInfo & {
+  index: number
+  timestamp: number
+}
+
+function toTimestamp(time?: string): number {
+  if (!time) return Number.NaN
+  return Date.parse(time)
+}
+
+function sortByRecency(a: VersionWithIndex, b: VersionWithIndex): number {
+  const aValid = Number.isFinite(a.timestamp)
+  const bValid = Number.isFinite(b.timestamp)
+
+  if (aValid && bValid && a.timestamp !== b.timestamp) {
+    return b.timestamp - a.timestamp
+  }
+
+  if (aValid !== bValid) {
+    return aValid ? -1 : 1
+  }
+
+  const semverOrder = compare(b.version, a.version)
+  if (semverOrder !== 0) return semverOrder
+
+  return a.index - b.index
+}
+
+/**
+ * Detects a security downgrade where the newest publish is not trusted,
+ * but an older publish was trusted (e.g. OIDC/provenance -> manual publish).
+ */
+export function detectPublishSecurityDowngrade(
+  versions: PackageVersionInfo[],
+): PublishSecurityDowngrade | null {
+  if (versions.length < 2) return null
+
+  const sorted = versions
+    .map((version, index) => ({
+      ...version,
+      index,
+      timestamp: toTimestamp(version.time),
+    }))
+    .sort(sortByRecency)
+
+  const latest = sorted[0]
+  if (!latest || latest.hasProvenance) return null
+
+  const latestTrusted = sorted.find(version => version.hasProvenance)
+  if (!latestTrusted) return null
+
+  return {
+    downgradedVersion: latest.version,
+    downgradedPublishedAt: latest.time,
+    trustedVersion: latestTrusted.version,
+    trustedPublishedAt: latestTrusted.time,
+  }
+}
+
+/**
+ * Detects a security downgrade for a specific viewed version.
+ * A version is considered downgraded when it has no provenance and
+ * there exists an older trusted release.
+ */
+export function detectPublishSecurityDowngradeForVersion(
+  versions: PackageVersionInfo[],
+  viewedVersion: string,
+): PublishSecurityDowngrade | null {
+  if (versions.length < 2 || !viewedVersion) return null
+
+  const sorted = versions
+    .map((version, index) => ({
+      ...version,
+      index,
+      timestamp: toTimestamp(version.time),
+    }))
+    .sort(sortByRecency)
+
+  const currentIndex = sorted.findIndex(version => version.version === viewedVersion)
+  if (currentIndex === -1) return null
+
+  const current = sorted[currentIndex]
+  if (!current || current.hasProvenance) return null
+
+  const trustedOlder = sorted.slice(currentIndex + 1).find(version => version.hasProvenance)
+  if (!trustedOlder) return null
+
+  return {
+    downgradedVersion: current.version,
+    downgradedPublishedAt: current.time,
+    trustedVersion: trustedOlder.version,
+    trustedPublishedAt: trustedOlder.time,
+  }
+}
diff --git a/i18n/locales/en.json b/i18n/locales/en.json
index 9d0f33ac8..a22696229 100644
--- a/i18n/locales/en.json
+++ b/i18n/locales/en.json
@@ -234,6 +234,11 @@
       "view_more_details": "View more details",
       "error_loading": "Failed to load provenance details"
     },
+    "security_downgrade": {
+      "title": "Security downgrade detected",
+      "description": "This package has been released using a stronger, more secure publishing method before. The version you are viewing was published using a weaker or less trusted method. Treat this as a potential supply-chain compromise until verified.",
+      "fallback_install": "Install commands below are pinned to trusted version {version} by default."
+    },
     "keywords_title": "Keywords",
     "compatibility": "Compatibility",
     "card": {
diff --git a/lunaria/files/en-GB.json b/lunaria/files/en-GB.json
index 34f763a9c..3eb543a33 100644
--- a/lunaria/files/en-GB.json
+++ b/lunaria/files/en-GB.json
@@ -234,6 +234,11 @@
       "view_more_details": "View more details",
       "error_loading": "Failed to load provenance details"
     },
+    "security_downgrade": {
+      "title": "Security downgrade detected",
+      "description": "This package has been released using a stronger, more secure publishing method before. The version you are viewing was published using a weaker or less trusted method. Treat this as a potential supply-chain compromise until verified.",
+      "fallback_install": "Install commands below are pinned to trusted version {version} by default."
+    },
     "keywords_title": "Keywords",
     "compatibility": "Compatibility",
     "card": {
diff --git a/lunaria/files/en-US.json b/lunaria/files/en-US.json
index 9d0f33ac8..a22696229 100644
--- a/lunaria/files/en-US.json
+++ b/lunaria/files/en-US.json
@@ -234,6 +234,11 @@
       "view_more_details": "View more details",
       "error_loading": "Failed to load provenance details"
     },
+    "security_downgrade": {
+      "title": "Security downgrade detected",
+      "description": "This package has been released using a stronger, more secure publishing method before. The version you are viewing was published using a weaker or less trusted method. Treat this as a potential supply-chain compromise until verified.",
+      "fallback_install": "Install commands below are pinned to trusted version {version} by default."
+    },
     "keywords_title": "Keywords",
     "compatibility": "Compatibility",
     "card": {
diff --git a/test/nuxt/composables/use-install-command.spec.ts b/test/nuxt/composables/use-install-command.spec.ts
index f9307d9b3..579942794 100644
--- a/test/nuxt/composables/use-install-command.spec.ts
+++ b/test/nuxt/composables/use-install-command.spec.ts
@@ -260,6 +260,25 @@ describe('useInstallCommand', () => {
       version.value = '18.2.0'
       expect(installCommand.value).toBe('npm install react@18.2.0')
     })
+
+    it('should prefer installVersionOverride when provided', () => {
+      const requestedVersion = shallowRef<string | null>(null)
+      const installVersionOverride = shallowRef<string | null>('1.0.0')
+
+      const { installCommand } = useInstallCommand(
+        'foo',
+        requestedVersion,
+        null,
+        null,
+        installVersionOverride,
+      )
+
+      expect(installCommand.value).toBe('npm install foo@1.0.0')
+
+      installVersionOverride.value = null
+      requestedVersion.value = '2.0.0'
+      expect(installCommand.value).toBe('npm install foo@2.0.0')
+    })
   })
 
   describe('copyInstallCommand', () => {
diff --git a/test/unit/app/utils/publish-security.spec.ts b/test/unit/app/utils/publish-security.spec.ts
new file mode 100644
index 000000000..f44e25521
--- /dev/null
+++ b/test/unit/app/utils/publish-security.spec.ts
@@ -0,0 +1,98 @@
+import { describe, expect, it } from 'vitest'
+import {
+  detectPublishSecurityDowngrade,
+  detectPublishSecurityDowngradeForVersion,
+} from '../../../../app/utils/publish-security'
+
+describe('detectPublishSecurityDowngrade', () => {
+  it('detects downgrade when latest publish is untrusted and older publish is trusted', () => {
+    const result = detectPublishSecurityDowngrade([
+      {
+        version: '1.0.0',
+        time: '2026-01-01T00:00:00.000Z',
+        hasProvenance: true,
+      },
+      {
+        version: '1.0.1',
+        time: '2026-01-02T00:00:00.000Z',
+        hasProvenance: false,
+      },
+    ])
+
+    expect(result).toEqual({
+      downgradedVersion: '1.0.1',
+      downgradedPublishedAt: '2026-01-02T00:00:00.000Z',
+      trustedVersion: '1.0.0',
+      trustedPublishedAt: '2026-01-01T00:00:00.000Z',
+    })
+  })
+
+  it('returns null when latest publish is trusted', () => {
+    const result = detectPublishSecurityDowngrade([
+      {
+        version: '1.0.0',
+        time: '2026-01-01T00:00:00.000Z',
+        hasProvenance: false,
+      },
+      {
+        version: '1.0.1',
+        time: '2026-01-02T00:00:00.000Z',
+        hasProvenance: true,
+      },
+    ])
+
+    expect(result).toBeNull()
+  })
+
+  it('returns null when there is no trusted historical release', () => {
+    const result = detectPublishSecurityDowngrade([
+      {
+        version: '1.0.0',
+        time: '2026-01-01T00:00:00.000Z',
+        hasProvenance: false,
+      },
+      {
+        version: '1.0.1',
+        time: '2026-01-02T00:00:00.000Z',
+        hasProvenance: false,
+      },
+    ])
+
+    expect(result).toBeNull()
+  })
+})
+
+describe('detectPublishSecurityDowngradeForVersion', () => {
+  const versions = [
+    {
+      version: '1.0.0',
+      time: '2026-01-01T00:00:00.000Z',
+      hasProvenance: true,
+    },
+    {
+      version: '1.0.1',
+      time: '2026-01-02T00:00:00.000Z',
+      hasProvenance: false,
+    },
+    {
+      version: '1.0.2',
+      time: '2026-01-03T00:00:00.000Z',
+      hasProvenance: true,
+    },
+  ]
+
+  it('does not flag trusted viewed version (1.0.2)', () => {
+    const result = detectPublishSecurityDowngradeForVersion(versions, '1.0.2')
+    expect(result).toBeNull()
+  })
+
+  it('flags downgraded viewed version (1.0.1)', () => {
+    const result = detectPublishSecurityDowngradeForVersion(versions, '1.0.1')
+    expect(result).toEqual({
+      downgradedVersion: '1.0.1',
+      downgradedPublishedAt: '2026-01-02T00:00:00.000Z',
+      trustedVersion: '1.0.0',
+      trustedPublishedAt: '2026-01-01T00:00:00.000Z',
+    })
+  })
+})

From 9e30e9f97dc1747b23504e98c9d66f66124945a6 Mon Sep 17 00:00:00 2001
From: Wojciech Maj <kontakt@wojtekmaj.pl>
Date: Thu, 5 Feb 2026 23:50:18 +0100
Subject: [PATCH 2/6] Apply CR suggestions

---
 app/pages/package/[...package].vue | 2 +-
 app/utils/publish-security.ts      | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/app/pages/package/[...package].vue b/app/pages/package/[...package].vue
index 3d63dbc56..840c5a781 100644
--- a/app/pages/package/[...package].vue
+++ b/app/pages/package/[...package].vue
@@ -244,7 +244,7 @@ const publishSecurityDowngrade = computed(() => {
 
 const installVersionOverride = computed(() => {
   if (!publishSecurityDowngrade.value) return null
-  return publishSecurityDowngrade.value?.trustedVersion ?? null
+  return publishSecurityDowngrade.value.trustedVersion
 })
 
 const sizeTooltip = computed(() => {
diff --git a/app/utils/publish-security.ts b/app/utils/publish-security.ts
index 651635a3d..471e29388 100644
--- a/app/utils/publish-security.ts
+++ b/app/utils/publish-security.ts
@@ -53,7 +53,7 @@ export function detectPublishSecurityDowngrade(
     }))
     .sort(sortByRecency)
 
-  const latest = sorted[0]
+  const latest = sorted.at(0)
   if (!latest || latest.hasProvenance) return null
 
   const latestTrusted = sorted.find(version => version.hasProvenance)
@@ -89,7 +89,7 @@ export function detectPublishSecurityDowngradeForVersion(
   const currentIndex = sorted.findIndex(version => version.version === viewedVersion)
   if (currentIndex === -1) return null
 
-  const current = sorted[currentIndex]
+  const current = sorted.at(currentIndex)
   if (!current || current.hasProvenance) return null
 
   const trustedOlder = sorted.slice(currentIndex + 1).find(version => version.hasProvenance)

From aa4bf0773361435c4bd411b74875a267d839e1a7 Mon Sep 17 00:00:00 2001
From: Wojciech Maj <kontakt@wojtekmaj.pl>
Date: Fri, 6 Feb 2026 00:03:46 +0100
Subject: [PATCH 3/6] Fix browser tests?

---
 app/composables/npm/usePackage.ts  |  9 +++++++--
 app/pages/package/[...package].vue | 23 ++++++++++++-----------
 2 files changed, 19 insertions(+), 13 deletions(-)

diff --git a/app/composables/npm/usePackage.ts b/app/composables/npm/usePackage.ts
index e0d900f50..7f76a8eab 100644
--- a/app/composables/npm/usePackage.ts
+++ b/app/composables/npm/usePackage.ts
@@ -12,7 +12,10 @@ const RECENT_VERSIONS_COUNT = 5
  * - Including only: 5 most recent versions + one version per dist-tag + requested version
  * - Stripping unnecessary fields from version objects
  */
-function transformPackument(pkg: Packument, requestedVersion?: string | null): SlimPackument {
+export function transformPackument(
+  pkg: Packument,
+  requestedVersion?: string | null,
+): SlimPackument {
   // Get versions pointed to by dist-tags
   const distTagVersions = new Set(Object.values(pkg['dist-tags'] ?? {}))
 
@@ -53,7 +56,9 @@ function transformPackument(pkg: Packument, requestedVersion?: string | null): S
         }
       }
       filteredVersions[v] = {
-        ...((version?.dist as { attestations?: unknown }) ? { hasProvenance: true } : {}),
+        ...((version?.dist as { attestations?: unknown } | undefined)?.attestations
+          ? { hasProvenance: true }
+          : {}),
         version: version.version,
         deprecated: version.deprecated,
         tags: version.tags as string[],
diff --git a/app/pages/package/[...package].vue b/app/pages/package/[...package].vue
index 840c5a781..927ef661c 100644
--- a/app/pages/package/[...package].vue
+++ b/app/pages/package/[...package].vue
@@ -1,6 +1,7 @@
 <script setup lang="ts">
 import type {
   NpmVersionDist,
+  PackageVersionInfo,
   PackumentVersion,
   ProvenanceDetails,
   ReadmeResponse,
@@ -13,7 +14,6 @@ import { areUrlsEquivalent } from '#shared/utils/url'
 import { isEditableElement } from '~/utils/input'
 import { formatBytes } from '~/utils/formatters'
 import { getDependencyCount } from '~/utils/npm/dependency-count'
-import { fetchAllPackageVersions } from '~/utils/npm/api'
 import { detectPublishSecurityDowngradeForVersion } from '~/utils/publish-security'
 import { NuxtLink } from '#components'
 import { useModal } from '~/composables/useModal'
@@ -126,15 +126,6 @@ const {
   error: versionError,
 } = await useResolvedVersion(packageName, requestedVersion)
 
-const { data: allVersionMetadata } = useLazyAsyncData(
-  () => `package:version-meta:${packageName.value}`,
-  () => fetchAllPackageVersions(packageName.value),
-  {
-    default: () => [],
-    server: false,
-  },
-)
-
 if (
   versionStatus.value === 'error' &&
   versionError.value?.statusCode &&
@@ -154,6 +145,16 @@ const {
   error,
 } = usePackage(packageName, resolvedVersion.value ?? requestedVersion.value)
 const displayVersion = computed(() => pkg.value?.requestedVersion ?? null)
+const versionSecurityMetadata = computed<PackageVersionInfo[]>(() => {
+  if (!pkg.value) return []
+
+  return Object.entries(pkg.value.versions).map(([version, metadata]) => ({
+    version,
+    time: pkg.value?.time?.[version],
+    hasProvenance: !!metadata.hasProvenance,
+    deprecated: metadata.deprecated,
+  }))
+})
 
 // Process package description
 const pkgDescription = useMarkdown(() => ({
@@ -239,7 +240,7 @@ const deprecationNoticeMessage = useMarkdown(() => ({
 const publishSecurityDowngrade = computed(() => {
   const currentVersion = displayVersion.value?.version
   if (!currentVersion) return null
-  return detectPublishSecurityDowngradeForVersion(allVersionMetadata.value ?? [], currentVersion)
+  return detectPublishSecurityDowngradeForVersion(versionSecurityMetadata.value, currentVersion)
 })
 
 const installVersionOverride = computed(() => {

From 30b86530e824069bc87a30054fa6ff822881d712 Mon Sep 17 00:00:00 2001
From: Wojciech Maj <kontakt@wojtekmaj.pl>
Date: Fri, 6 Feb 2026 00:29:56 +0100
Subject: [PATCH 4/6] Add unit tests

---
 .../composables/use-package-transform.spec.ts | 101 ++++++++++++++++++
 1 file changed, 101 insertions(+)
 create mode 100644 test/nuxt/composables/use-package-transform.spec.ts

diff --git a/test/nuxt/composables/use-package-transform.spec.ts b/test/nuxt/composables/use-package-transform.spec.ts
new file mode 100644
index 000000000..f4a595e06
--- /dev/null
+++ b/test/nuxt/composables/use-package-transform.spec.ts
@@ -0,0 +1,101 @@
+import { describe, expect, it } from 'vitest'
+import type { Packument, PackageVersionInfo } from '#shared/types'
+import { transformPackument } from '~/composables/npm/usePackage'
+import { detectPublishSecurityDowngradeForVersion } from '~/utils/publish-security'
+
+function createVersion(version: string, hasAttestations = false) {
+  return {
+    name: 'foo',
+    version,
+    dist: {
+      shasum: version,
+      tarball: `https://registry.npmjs.org/foo/-/foo-${version}.tgz`,
+      ...(hasAttestations
+        ? {
+            attestations: {
+              url: `https://example.test/${version}`,
+              provenance: { predicateType: 'https://slsa.dev/provenance/v1' },
+            },
+          }
+        : {}),
+    },
+  }
+}
+
+function toVersionInfos(packument: ReturnType<typeof transformPackument>): PackageVersionInfo[] {
+  return Object.entries(packument.versions).map(([version, metadata]) => ({
+    version,
+    time: packument.time[version],
+    hasProvenance: !!metadata.hasProvenance,
+    deprecated: metadata.deprecated,
+  }))
+}
+
+describe('transformPackument', () => {
+  it('includes requested old version and preserves provenance on it', () => {
+    const packument = {
+      '_id': 'foo',
+      'name': 'foo',
+      'dist-tags': { latest: '1.0.7' },
+      'time': {
+        'created': '2026-01-01T00:00:00.000Z',
+        'modified': '2026-01-08T00:00:00.000Z',
+        '1.0.0': '2026-01-01T00:00:00.000Z',
+        '1.0.1': '2026-01-02T00:00:00.000Z',
+        '1.0.2': '2026-01-03T00:00:00.000Z',
+        '1.0.3': '2026-01-04T00:00:00.000Z',
+        '1.0.4': '2026-01-05T00:00:00.000Z',
+        '1.0.5': '2026-01-06T00:00:00.000Z',
+        '1.0.6': '2026-01-07T00:00:00.000Z',
+        '1.0.7': '2026-01-08T00:00:00.000Z',
+      },
+      'versions': {
+        '1.0.0': createVersion('1.0.0', true),
+        '1.0.1': createVersion('1.0.1'),
+        '1.0.2': createVersion('1.0.2'),
+        '1.0.3': createVersion('1.0.3'),
+        '1.0.4': createVersion('1.0.4'),
+        '1.0.5': createVersion('1.0.5'),
+        '1.0.6': createVersion('1.0.6'),
+        '1.0.7': createVersion('1.0.7'),
+      },
+    } as unknown as Packument
+
+    const transformed = transformPackument(packument, '1.0.0')
+
+    expect(transformed.versions['1.0.0']?.hasProvenance).toBe(true)
+    expect(transformed.versions['1.0.1']).toBeUndefined()
+    expect(transformed.versions['1.0.2']).toBeUndefined()
+  })
+
+  it('works with downgrade detection for viewed version', () => {
+    const packument = {
+      '_id': 'foo',
+      'name': 'foo',
+      'dist-tags': { latest: '1.0.2' },
+      'time': {
+        'created': '2026-01-01T00:00:00.000Z',
+        'modified': '2026-01-03T00:00:00.000Z',
+        '1.0.0': '2026-01-01T00:00:00.000Z',
+        '1.0.1': '2026-01-02T00:00:00.000Z',
+        '1.0.2': '2026-01-03T00:00:00.000Z',
+      },
+      'versions': {
+        '1.0.0': createVersion('1.0.0', true),
+        '1.0.1': createVersion('1.0.1'),
+        '1.0.2': createVersion('1.0.2', true),
+      },
+    } as unknown as Packument
+
+    const transformed = transformPackument(packument, '1.0.1')
+    const infos = toVersionInfos(transformed)
+
+    expect(detectPublishSecurityDowngradeForVersion(infos, '1.0.2')).toBeNull()
+    expect(detectPublishSecurityDowngradeForVersion(infos, '1.0.1')).toEqual({
+      downgradedVersion: '1.0.1',
+      downgradedPublishedAt: '2026-01-02T00:00:00.000Z',
+      trustedVersion: '1.0.0',
+      trustedPublishedAt: '2026-01-01T00:00:00.000Z',
+    })
+  })
+})

From 495d79df7e085d7f355dc94a2d12ae3850c65698 Mon Sep 17 00:00:00 2001
From: Wojciech Maj <kontakt@wojtekmaj.pl>
Date: Fri, 6 Feb 2026 09:38:26 +0100
Subject: [PATCH 5/6] Support for trusted publisher

---
 app/composables/npm/usePackage.ts             |  38 +++-
 app/pages/package/[...package].vue            |   2 +
 app/utils/publish-security.ts                 |  48 +++--
 shared/types/npm-registry.ts                  |  28 ++-
 .../composables/use-package-transform.spec.ts | 187 ++++++++++++++----
 test/unit/app/utils/publish-security.spec.ts  |  73 +++++++
 6 files changed, 323 insertions(+), 53 deletions(-)

diff --git a/app/composables/npm/usePackage.ts b/app/composables/npm/usePackage.ts
index 7f76a8eab..f1abf749b 100644
--- a/app/composables/npm/usePackage.ts
+++ b/app/composables/npm/usePackage.ts
@@ -5,6 +5,24 @@ import { extractInstallScriptsInfo } from '~/utils/install-scripts'
 /** Number of recent versions to include in initial payload */
 const RECENT_VERSIONS_COUNT = 5
 
+function hasAttestations(version: Packument['versions'][string]): boolean {
+  return Boolean(version.dist.attestations)
+}
+
+function hasTrustedPublisher(version: Packument['versions'][string]): boolean {
+  return Boolean(version._npmUser?.trustedPublisher)
+}
+
+function hasPublishTrustEvidence(version: Packument['versions'][string]): boolean {
+  return hasAttestations(version) || hasTrustedPublisher(version)
+}
+
+function getTrustLevel(version: Packument['versions'][string]): SlimVersion['trustLevel'] {
+  if (hasAttestations(version)) return 'provenance'
+  if (hasTrustedPublisher(version)) return 'trustedPublisher'
+  return 'none'
+}
+
 /**
  * Transform a full Packument into a slimmed version for client-side use.
  * Reduces payload size by:
@@ -38,6 +56,17 @@ export function transformPackument(
     includedVersions.add(requestedVersion)
   }
 
+  const securityVersions = Object.entries(pkg.versions).map(([version, metadata]) => {
+    const trustLevel = getTrustLevel(metadata)
+    return {
+      version,
+      time: pkg.time[version],
+      hasProvenance: trustLevel !== 'none',
+      trustLevel,
+      deprecated: metadata.deprecated,
+    }
+  })
+
   // Build filtered versions object with install scripts info per version
   const filteredVersions: Record<string, SlimVersion> = {}
   let versionData: SlimPackumentVersion | null = null
@@ -55,10 +84,12 @@ export function transformPackument(
           installScripts: installScripts ?? undefined,
         }
       }
+      const hasProvenance = hasPublishTrustEvidence(version)
+      const trustLevel = getTrustLevel(version)
+
       filteredVersions[v] = {
-        ...((version?.dist as { attestations?: unknown } | undefined)?.attestations
-          ? { hasProvenance: true }
-          : {}),
+        hasProvenance,
+        trustLevel,
         version: version.version,
         deprecated: version.deprecated,
         tags: version.tags as string[],
@@ -96,6 +127,7 @@ export function transformPackument(
     'bugs': pkg.bugs,
     'requestedVersion': versionData,
     'versions': filteredVersions,
+    'securityVersions': securityVersions,
   }
 }
 
diff --git a/app/pages/package/[...package].vue b/app/pages/package/[...package].vue
index 927ef661c..5373e8308 100644
--- a/app/pages/package/[...package].vue
+++ b/app/pages/package/[...package].vue
@@ -147,11 +147,13 @@ const {
 const displayVersion = computed(() => pkg.value?.requestedVersion ?? null)
 const versionSecurityMetadata = computed<PackageVersionInfo[]>(() => {
   if (!pkg.value) return []
+  if (pkg.value.securityVersions?.length) return pkg.value.securityVersions
 
   return Object.entries(pkg.value.versions).map(([version, metadata]) => ({
     version,
     time: pkg.value?.time?.[version],
     hasProvenance: !!metadata.hasProvenance,
+    trustLevel: metadata.trustLevel,
     deprecated: metadata.deprecated,
   }))
 })
diff --git a/app/utils/publish-security.ts b/app/utils/publish-security.ts
index 471e29388..8cf92aac4 100644
--- a/app/utils/publish-security.ts
+++ b/app/utils/publish-security.ts
@@ -1,4 +1,4 @@
-import type { PackageVersionInfo } from '#shared/types'
+import type { PackageVersionInfo, PublishTrustLevel } from '#shared/types'
 import { compare } from 'semver'
 
 export interface PublishSecurityDowngrade {
@@ -11,6 +11,18 @@ export interface PublishSecurityDowngrade {
 type VersionWithIndex = PackageVersionInfo & {
   index: number
   timestamp: number
+  trustRank: number
+}
+
+const TRUST_RANK: Record<PublishTrustLevel, number> = {
+  none: 0,
+  trustedPublisher: 1,
+  provenance: 2,
+}
+
+function getTrustRank(version: PackageVersionInfo): number {
+  if (version.trustLevel) return TRUST_RANK[version.trustLevel]
+  return version.hasProvenance ? TRUST_RANK.provenance : TRUST_RANK.none
 }
 
 function toTimestamp(time?: string): number {
@@ -50,20 +62,27 @@ export function detectPublishSecurityDowngrade(
       ...version,
       index,
       timestamp: toTimestamp(version.time),
+      trustRank: getTrustRank(version),
     }))
     .sort(sortByRecency)
 
   const latest = sorted.at(0)
-  if (!latest || latest.hasProvenance) return null
+  if (!latest) return null
 
-  const latestTrusted = sorted.find(version => version.hasProvenance)
-  if (!latestTrusted) return null
+  let strongestOlder: VersionWithIndex | null = null
+  for (const version of sorted.slice(1)) {
+    if (!strongestOlder || version.trustRank > strongestOlder.trustRank) {
+      strongestOlder = version
+    }
+  }
+
+  if (!strongestOlder || strongestOlder.trustRank <= latest.trustRank) return null
 
   return {
     downgradedVersion: latest.version,
     downgradedPublishedAt: latest.time,
-    trustedVersion: latestTrusted.version,
-    trustedPublishedAt: latestTrusted.time,
+    trustedVersion: strongestOlder.version,
+    trustedPublishedAt: strongestOlder.time,
   }
 }
 
@@ -83,6 +102,7 @@ export function detectPublishSecurityDowngradeForVersion(
       ...version,
       index,
       timestamp: toTimestamp(version.time),
+      trustRank: getTrustRank(version),
     }))
     .sort(sortByRecency)
 
@@ -90,15 +110,21 @@ export function detectPublishSecurityDowngradeForVersion(
   if (currentIndex === -1) return null
 
   const current = sorted.at(currentIndex)
-  if (!current || current.hasProvenance) return null
+  if (!current) return null
+
+  let strongestOlder: VersionWithIndex | null = null
+  for (const version of sorted.slice(currentIndex + 1)) {
+    if (!strongestOlder || version.trustRank > strongestOlder.trustRank) {
+      strongestOlder = version
+    }
+  }
 
-  const trustedOlder = sorted.slice(currentIndex + 1).find(version => version.hasProvenance)
-  if (!trustedOlder) return null
+  if (!strongestOlder || strongestOlder.trustRank <= current.trustRank) return null
 
   return {
     downgradedVersion: current.version,
     downgradedPublishedAt: current.time,
-    trustedVersion: trustedOlder.version,
-    trustedPublishedAt: trustedOlder.time,
+    trustedVersion: strongestOlder.version,
+    trustedPublishedAt: strongestOlder.time,
   }
 }
diff --git a/shared/types/npm-registry.ts b/shared/types/npm-registry.ts
index f0652d8f6..4896a5c30 100644
--- a/shared/types/npm-registry.ts
+++ b/shared/types/npm-registry.ts
@@ -6,16 +6,28 @@
  * @see https://github.com/npm/registry/blob/main/docs/REGISTRY-API.md
  */
 
-import type { Packument as PackumentWithoutLicenseObjects, PackumentVersion } from '@npm/types'
+import type {
+  Packument as PackumentWithoutLicenseObjects,
+  PackumentVersion as PackumentVersionWithoutAttestations,
+  Contact,
+} from '@npm/types'
 import type { ReadmeResponse } from './readme'
 
 // Re-export official npm types for packument/manifest
-export type { PackumentVersion, Manifest, ManifestVersion, PackageJSON } from '@npm/types'
+export type { Manifest, ManifestVersion, PackageJSON } from '@npm/types'
 
-// TODO: Remove this type override when @npm/types fixes the license field typing
-export type Packument = Omit<PackumentWithoutLicenseObjects, 'license'> & {
+type NpmTrustedPublisherEvidence = NpmSearchTrustedPublisher | NpmTrustedPublisher | true
+
+export interface PackumentVersion extends PackumentVersionWithoutAttestations {
+  _npmUser?: Contact & { trustedPublisher?: NpmTrustedPublisherEvidence }
+  dist: PackumentVersionWithoutAttestations['dist'] & { attestations?: NpmVersionAttestations }
+}
+
+export type Packument = Omit<PackumentWithoutLicenseObjects, 'license' | 'versions'> & {
   // Fix for license field being incorrectly typed in @npm/types
+  // TODO: Remove this type override when @npm/types fixes the license field typing
   license?: string | { type: string; url?: string }
+  versions: Record<string, PackumentVersion>
 }
 
 /** Install scripts info (preinstall, install, postinstall) */
@@ -30,8 +42,11 @@ export type SlimPackumentVersion = PackumentVersion & {
   installScripts?: InstallScriptsInfo
 }
 
+export type PublishTrustLevel = 'none' | 'trustedPublisher' | 'provenance'
+
 export type SlimVersion = Pick<SlimPackumentVersion, 'version' | 'deprecated' | 'tags'> & {
-  hasProvenance?: true
+  hasProvenance?: boolean
+  trustLevel?: PublishTrustLevel
 }
 
 /**
@@ -72,6 +87,8 @@ export interface SlimPackument {
   'requestedVersion': SlimPackumentVersion | null
   /** Only includes dist-tag versions (with installScripts info added per version) */
   'versions': Record<string, SlimVersion>
+  /** Lightweight security metadata for all versions */
+  'securityVersions'?: PackageVersionInfo[]
 }
 
 /**
@@ -81,6 +98,7 @@ export interface PackageVersionInfo {
   version: string
   time?: string
   hasProvenance: boolean
+  trustLevel?: PublishTrustLevel
   deprecated?: string
 }
 
diff --git a/test/nuxt/composables/use-package-transform.spec.ts b/test/nuxt/composables/use-package-transform.spec.ts
index f4a595e06..12097d58c 100644
--- a/test/nuxt/composables/use-package-transform.spec.ts
+++ b/test/nuxt/composables/use-package-transform.spec.ts
@@ -3,13 +3,16 @@ import type { Packument, PackageVersionInfo } from '#shared/types'
 import { transformPackument } from '~/composables/npm/usePackage'
 import { detectPublishSecurityDowngradeForVersion } from '~/utils/publish-security'
 
-function createVersion(version: string, hasAttestations = false) {
+function createVersion(version: string, hasAttestations = false): Packument['versions'][string] {
   return {
+    _id: `foo@${version}`,
+    _npmVersion: '10.0.0',
     name: 'foo',
     version,
     dist: {
       shasum: version,
       tarball: `https://registry.npmjs.org/foo/-/foo-${version}.tgz`,
+      signatures: [],
       ...(hasAttestations
         ? {
             attestations: {
@@ -22,22 +25,74 @@ function createVersion(version: string, hasAttestations = false) {
   }
 }
 
+function createTrustedPublisherVersion(version: string) {
+  return {
+    ...createVersion(version, false),
+    _npmUser: {
+      name: 'github-actions',
+      email: 'noreply@github.com',
+      trustedPublisher: {
+        id: 'github',
+      },
+    },
+  }
+}
+
+function createTrustedPublisherWithAttestationsVersion(version: string) {
+  return {
+    ...createVersion(version, true),
+    _npmUser: {
+      name: 'github-actions',
+      email: 'noreply@github.com',
+      trustedPublisher: {
+        id: 'github',
+      },
+    },
+  }
+}
+
+function createPackument(
+  versions: Packument['versions'],
+  time: Packument['time'],
+  latest: string,
+): Packument {
+  return {
+    '_id': 'foo',
+    '_rev': '1',
+    'name': 'foo',
+    'dist-tags': { latest },
+    time,
+    versions,
+  }
+}
+
 function toVersionInfos(packument: ReturnType<typeof transformPackument>): PackageVersionInfo[] {
-  return Object.entries(packument.versions).map(([version, metadata]) => ({
-    version,
-    time: packument.time[version],
-    hasProvenance: !!metadata.hasProvenance,
-    deprecated: metadata.deprecated,
-  }))
+  return (
+    packument.securityVersions ??
+    Object.entries(packument.versions).map(([version, metadata]) => ({
+      version,
+      time: packument.time[version],
+      hasProvenance: !!metadata.hasProvenance,
+      trustLevel: metadata.trustLevel,
+      deprecated: metadata.deprecated,
+    }))
+  )
 }
 
 describe('transformPackument', () => {
   it('includes requested old version and preserves provenance on it', () => {
-    const packument = {
-      '_id': 'foo',
-      'name': 'foo',
-      'dist-tags': { latest: '1.0.7' },
-      'time': {
+    const packument = createPackument(
+      {
+        '1.0.0': createVersion('1.0.0', true),
+        '1.0.1': createVersion('1.0.1'),
+        '1.0.2': createVersion('1.0.2'),
+        '1.0.3': createVersion('1.0.3'),
+        '1.0.4': createVersion('1.0.4'),
+        '1.0.5': createVersion('1.0.5'),
+        '1.0.6': createVersion('1.0.6'),
+        '1.0.7': createVersion('1.0.7'),
+      },
+      {
         'created': '2026-01-01T00:00:00.000Z',
         'modified': '2026-01-08T00:00:00.000Z',
         '1.0.0': '2026-01-01T00:00:00.000Z',
@@ -49,43 +104,33 @@ describe('transformPackument', () => {
         '1.0.6': '2026-01-07T00:00:00.000Z',
         '1.0.7': '2026-01-08T00:00:00.000Z',
       },
-      'versions': {
-        '1.0.0': createVersion('1.0.0', true),
-        '1.0.1': createVersion('1.0.1'),
-        '1.0.2': createVersion('1.0.2'),
-        '1.0.3': createVersion('1.0.3'),
-        '1.0.4': createVersion('1.0.4'),
-        '1.0.5': createVersion('1.0.5'),
-        '1.0.6': createVersion('1.0.6'),
-        '1.0.7': createVersion('1.0.7'),
-      },
-    } as unknown as Packument
+      '1.0.7',
+    )
 
     const transformed = transformPackument(packument, '1.0.0')
 
     expect(transformed.versions['1.0.0']?.hasProvenance).toBe(true)
     expect(transformed.versions['1.0.1']).toBeUndefined()
     expect(transformed.versions['1.0.2']).toBeUndefined()
+    expect(transformed.securityVersions).toHaveLength(8)
   })
 
   it('works with downgrade detection for viewed version', () => {
-    const packument = {
-      '_id': 'foo',
-      'name': 'foo',
-      'dist-tags': { latest: '1.0.2' },
-      'time': {
+    const packument = createPackument(
+      {
+        '1.0.0': createVersion('1.0.0', true),
+        '1.0.1': createVersion('1.0.1'),
+        '1.0.2': createVersion('1.0.2', true),
+      },
+      {
         'created': '2026-01-01T00:00:00.000Z',
         'modified': '2026-01-03T00:00:00.000Z',
         '1.0.0': '2026-01-01T00:00:00.000Z',
         '1.0.1': '2026-01-02T00:00:00.000Z',
         '1.0.2': '2026-01-03T00:00:00.000Z',
       },
-      'versions': {
-        '1.0.0': createVersion('1.0.0', true),
-        '1.0.1': createVersion('1.0.1'),
-        '1.0.2': createVersion('1.0.2', true),
-      },
-    } as unknown as Packument
+      '1.0.2',
+    )
 
     const transformed = transformPackument(packument, '1.0.1')
     const infos = toVersionInfos(transformed)
@@ -98,4 +143,78 @@ describe('transformPackument', () => {
       trustedPublishedAt: '2026-01-01T00:00:00.000Z',
     })
   })
+
+  it('treats trustedPublisher as trust evidence for downgrade checks', () => {
+    const packument = createPackument(
+      {
+        '1.0.0': createTrustedPublisherVersion('1.0.0'),
+        '1.0.1': createVersion('1.0.1'),
+        '1.0.2': createVersion('1.0.2'),
+      },
+      {
+        'created': '2026-01-01T00:00:00.000Z',
+        'modified': '2026-01-03T00:00:00.000Z',
+        '1.0.0': '2026-01-01T00:00:00.000Z',
+        '1.0.1': '2026-01-02T00:00:00.000Z',
+        '1.0.2': '2026-01-03T00:00:00.000Z',
+      },
+      '1.0.2',
+    )
+
+    const transformed = transformPackument(packument, '1.0.1')
+    const infos = toVersionInfos(transformed)
+
+    expect(infos.find(v => v.version === '1.0.0')?.hasProvenance).toBe(true)
+    expect(detectPublishSecurityDowngradeForVersion(infos, '1.0.1')?.trustedVersion).toBe('1.0.0')
+  })
+
+  it('prefers provenance trust level when both trustedPublisher and attestations exist', () => {
+    const packument = createPackument(
+      {
+        '1.0.0': createTrustedPublisherWithAttestationsVersion('1.0.0'),
+        '1.0.1': createTrustedPublisherVersion('1.0.1'),
+      },
+      {
+        'created': '2026-01-01T00:00:00.000Z',
+        'modified': '2026-01-02T00:00:00.000Z',
+        '1.0.0': '2026-01-01T00:00:00.000Z',
+        '1.0.1': '2026-01-02T00:00:00.000Z',
+      },
+      '1.0.1',
+    )
+
+    const transformed = transformPackument(packument, '1.0.1')
+
+    expect(transformed.versions['1.0.0']?.trustLevel).toBe('provenance')
+  })
+
+  it('flags non-direct downgrade chain until trust is restored', () => {
+    const packument = createPackument(
+      {
+        '2.1.0': createVersion('2.1.0', true),
+        '2.1.1': createVersion('2.1.1'),
+        '2.2.0': createVersion('2.2.0'),
+        '2.3.0': createVersion('2.3.0'),
+        '2.4.0': createVersion('2.4.0', true),
+      },
+      {
+        'created': '2026-01-01T00:00:00.000Z',
+        'modified': '2026-01-05T00:00:00.000Z',
+        '2.1.0': '2026-01-01T00:00:00.000Z',
+        '2.1.1': '2026-01-02T00:00:00.000Z',
+        '2.2.0': '2026-01-03T00:00:00.000Z',
+        '2.3.0': '2026-01-04T00:00:00.000Z',
+        '2.4.0': '2026-01-05T00:00:00.000Z',
+      },
+      '2.4.0',
+    )
+
+    const transformed = transformPackument(packument, '2.3.0')
+    const infos = toVersionInfos(transformed)
+
+    expect(detectPublishSecurityDowngradeForVersion(infos, '2.1.1')?.trustedVersion).toBe('2.1.0')
+    expect(detectPublishSecurityDowngradeForVersion(infos, '2.2.0')?.trustedVersion).toBe('2.1.0')
+    expect(detectPublishSecurityDowngradeForVersion(infos, '2.3.0')?.trustedVersion).toBe('2.1.0')
+    expect(detectPublishSecurityDowngradeForVersion(infos, '2.4.0')).toBeNull()
+  })
 })
diff --git a/test/unit/app/utils/publish-security.spec.ts b/test/unit/app/utils/publish-security.spec.ts
index f44e25521..8812e3d64 100644
--- a/test/unit/app/utils/publish-security.spec.ts
+++ b/test/unit/app/utils/publish-security.spec.ts
@@ -95,4 +95,77 @@ describe('detectPublishSecurityDowngradeForVersion', () => {
       trustedPublishedAt: '2026-01-01T00:00:00.000Z',
     })
   })
+
+  it('flags trust downgrade from provenance to trustedPublisher', () => {
+    const result = detectPublishSecurityDowngradeForVersion(
+      [
+        {
+          version: '1.0.0',
+          time: '2026-01-01T00:00:00.000Z',
+          hasProvenance: true,
+          trustLevel: 'provenance',
+        },
+        {
+          version: '1.0.1',
+          time: '2026-01-02T00:00:00.000Z',
+          hasProvenance: true,
+          trustLevel: 'trustedPublisher',
+        },
+      ],
+      '1.0.1',
+    )
+
+    expect(result).toEqual({
+      downgradedVersion: '1.0.1',
+      downgradedPublishedAt: '2026-01-02T00:00:00.000Z',
+      trustedVersion: '1.0.0',
+      trustedPublishedAt: '2026-01-01T00:00:00.000Z',
+    })
+  })
+
+  it('flags ongoing downgraded versions until an upgrade happens', () => {
+    const versions = [
+      {
+        version: '2.1.0',
+        time: '2026-01-01T00:00:00.000Z',
+        hasProvenance: true,
+        trustLevel: 'provenance' as const,
+      },
+      {
+        version: '2.1.1',
+        time: '2026-01-02T00:00:00.000Z',
+        hasProvenance: false,
+        trustLevel: 'none' as const,
+      },
+      {
+        version: '2.2.0',
+        time: '2026-01-03T00:00:00.000Z',
+        hasProvenance: false,
+        trustLevel: 'none' as const,
+      },
+      {
+        version: '2.3.0',
+        time: '2026-01-04T00:00:00.000Z',
+        hasProvenance: false,
+        trustLevel: 'none' as const,
+      },
+      {
+        version: '2.4.0',
+        time: '2026-01-05T00:00:00.000Z',
+        hasProvenance: true,
+        trustLevel: 'provenance' as const,
+      },
+    ]
+
+    expect(detectPublishSecurityDowngradeForVersion(versions, '2.1.1')?.trustedVersion).toBe(
+      '2.1.0',
+    )
+    expect(detectPublishSecurityDowngradeForVersion(versions, '2.2.0')?.trustedVersion).toBe(
+      '2.1.0',
+    )
+    expect(detectPublishSecurityDowngradeForVersion(versions, '2.3.0')?.trustedVersion).toBe(
+      '2.1.0',
+    )
+    expect(detectPublishSecurityDowngradeForVersion(versions, '2.4.0')).toBeNull()
+  })
 })

From e3424a75f6987fb8ae7e948c11e6153790cae786 Mon Sep 17 00:00:00 2001
From: Wojciech Maj <kontakt@wojtekmaj.pl>
Date: Fri, 6 Feb 2026 10:20:14 +0100
Subject: [PATCH 6/6] Cleanup

---
 app/composables/npm/usePackage.ts            | 21 ++++---
 app/pages/package/[...package].vue           |  7 +--
 app/utils/publish-security.ts                | 56 ++++-------------
 test/unit/app/utils/publish-security.spec.ts | 63 +-------------------
 4 files changed, 26 insertions(+), 121 deletions(-)

diff --git a/app/composables/npm/usePackage.ts b/app/composables/npm/usePackage.ts
index f1abf749b..2dfbb9c48 100644
--- a/app/composables/npm/usePackage.ts
+++ b/app/composables/npm/usePackage.ts
@@ -1,23 +1,26 @@
-import type { Packument, SlimPackument, SlimVersion, SlimPackumentVersion } from '#shared/types'
+import type {
+  Packument,
+  SlimPackument,
+  SlimVersion,
+  SlimPackumentVersion,
+  PackumentVersion,
+  PublishTrustLevel,
+} from '#shared/types'
 import { NPM_REGISTRY } from '~/utils/npm/common'
 import { extractInstallScriptsInfo } from '~/utils/install-scripts'
 
 /** Number of recent versions to include in initial payload */
 const RECENT_VERSIONS_COUNT = 5
 
-function hasAttestations(version: Packument['versions'][string]): boolean {
+function hasAttestations(version: PackumentVersion): boolean {
   return Boolean(version.dist.attestations)
 }
 
-function hasTrustedPublisher(version: Packument['versions'][string]): boolean {
+function hasTrustedPublisher(version: PackumentVersion): boolean {
   return Boolean(version._npmUser?.trustedPublisher)
 }
 
-function hasPublishTrustEvidence(version: Packument['versions'][string]): boolean {
-  return hasAttestations(version) || hasTrustedPublisher(version)
-}
-
-function getTrustLevel(version: Packument['versions'][string]): SlimVersion['trustLevel'] {
+function getTrustLevel(version: PackumentVersion): PublishTrustLevel {
   if (hasAttestations(version)) return 'provenance'
   if (hasTrustedPublisher(version)) return 'trustedPublisher'
   return 'none'
@@ -84,8 +87,8 @@ export function transformPackument(
           installScripts: installScripts ?? undefined,
         }
       }
-      const hasProvenance = hasPublishTrustEvidence(version)
       const trustLevel = getTrustLevel(version)
+      const hasProvenance = trustLevel !== 'none'
 
       filteredVersions[v] = {
         hasProvenance,
diff --git a/app/pages/package/[...package].vue b/app/pages/package/[...package].vue
index 5373e8308..a85fd61c9 100644
--- a/app/pages/package/[...package].vue
+++ b/app/pages/package/[...package].vue
@@ -245,10 +245,9 @@ const publishSecurityDowngrade = computed(() => {
   return detectPublishSecurityDowngradeForVersion(versionSecurityMetadata.value, currentVersion)
 })
 
-const installVersionOverride = computed(() => {
-  if (!publishSecurityDowngrade.value) return null
-  return publishSecurityDowngrade.value.trustedVersion
-})
+const installVersionOverride = computed(
+  () => publishSecurityDowngrade.value?.trustedVersion ?? null,
+)
 
 const sizeTooltip = computed(() => {
   const chunks = [
diff --git a/app/utils/publish-security.ts b/app/utils/publish-security.ts
index 8cf92aac4..74d6420b4 100644
--- a/app/utils/publish-security.ts
+++ b/app/utils/publish-security.ts
@@ -31,59 +31,23 @@ function toTimestamp(time?: string): number {
 }
 
 function sortByRecency(a: VersionWithIndex, b: VersionWithIndex): number {
-  const aValid = Number.isFinite(a.timestamp)
-  const bValid = Number.isFinite(b.timestamp)
+  const aValid = !Number.isNaN(a.timestamp)
+  const bValid = !Number.isNaN(b.timestamp)
 
-  if (aValid && bValid && a.timestamp !== b.timestamp) {
-    return b.timestamp - a.timestamp
+  if (!aValid && !bValid) {
+    // Fall back to semver comparison if no valid timestamps
+    const semverOrder = compare(b.version, a.version)
+    if (semverOrder !== 0) return semverOrder
+
+    // If semver is also equal, maintain original order
+    return a.index - b.index
   }
 
   if (aValid !== bValid) {
     return aValid ? -1 : 1
   }
 
-  const semverOrder = compare(b.version, a.version)
-  if (semverOrder !== 0) return semverOrder
-
-  return a.index - b.index
-}
-
-/**
- * Detects a security downgrade where the newest publish is not trusted,
- * but an older publish was trusted (e.g. OIDC/provenance -> manual publish).
- */
-export function detectPublishSecurityDowngrade(
-  versions: PackageVersionInfo[],
-): PublishSecurityDowngrade | null {
-  if (versions.length < 2) return null
-
-  const sorted = versions
-    .map((version, index) => ({
-      ...version,
-      index,
-      timestamp: toTimestamp(version.time),
-      trustRank: getTrustRank(version),
-    }))
-    .sort(sortByRecency)
-
-  const latest = sorted.at(0)
-  if (!latest) return null
-
-  let strongestOlder: VersionWithIndex | null = null
-  for (const version of sorted.slice(1)) {
-    if (!strongestOlder || version.trustRank > strongestOlder.trustRank) {
-      strongestOlder = version
-    }
-  }
-
-  if (!strongestOlder || strongestOlder.trustRank <= latest.trustRank) return null
-
-  return {
-    downgradedVersion: latest.version,
-    downgradedPublishedAt: latest.time,
-    trustedVersion: strongestOlder.version,
-    trustedPublishedAt: strongestOlder.time,
-  }
+  return b.timestamp - a.timestamp
 }
 
 /**
diff --git a/test/unit/app/utils/publish-security.spec.ts b/test/unit/app/utils/publish-security.spec.ts
index 8812e3d64..89172e777 100644
--- a/test/unit/app/utils/publish-security.spec.ts
+++ b/test/unit/app/utils/publish-security.spec.ts
@@ -1,66 +1,5 @@
 import { describe, expect, it } from 'vitest'
-import {
-  detectPublishSecurityDowngrade,
-  detectPublishSecurityDowngradeForVersion,
-} from '../../../../app/utils/publish-security'
-
-describe('detectPublishSecurityDowngrade', () => {
-  it('detects downgrade when latest publish is untrusted and older publish is trusted', () => {
-    const result = detectPublishSecurityDowngrade([
-      {
-        version: '1.0.0',
-        time: '2026-01-01T00:00:00.000Z',
-        hasProvenance: true,
-      },
-      {
-        version: '1.0.1',
-        time: '2026-01-02T00:00:00.000Z',
-        hasProvenance: false,
-      },
-    ])
-
-    expect(result).toEqual({
-      downgradedVersion: '1.0.1',
-      downgradedPublishedAt: '2026-01-02T00:00:00.000Z',
-      trustedVersion: '1.0.0',
-      trustedPublishedAt: '2026-01-01T00:00:00.000Z',
-    })
-  })
-
-  it('returns null when latest publish is trusted', () => {
-    const result = detectPublishSecurityDowngrade([
-      {
-        version: '1.0.0',
-        time: '2026-01-01T00:00:00.000Z',
-        hasProvenance: false,
-      },
-      {
-        version: '1.0.1',
-        time: '2026-01-02T00:00:00.000Z',
-        hasProvenance: true,
-      },
-    ])
-
-    expect(result).toBeNull()
-  })
-
-  it('returns null when there is no trusted historical release', () => {
-    const result = detectPublishSecurityDowngrade([
-      {
-        version: '1.0.0',
-        time: '2026-01-01T00:00:00.000Z',
-        hasProvenance: false,
-      },
-      {
-        version: '1.0.1',
-        time: '2026-01-02T00:00:00.000Z',
-        hasProvenance: false,
-      },
-    ])
-
-    expect(result).toBeNull()
-  })
-})
+import { detectPublishSecurityDowngradeForVersion } from '../../../../app/utils/publish-security'
 
 describe('detectPublishSecurityDowngradeForVersion', () => {
   const versions = [