fix: packages w/ both provenance + trusted publishing -> trustedPublisher (#1302)

Author: danielroe

app/composables/npm/usePackage.ts

@@ -20,8 +20,9 @@ function hasTrustedPublisher(version: PackumentVersion): boolean {
 }
 
 function getTrustLevel(version: PackumentVersion): PublishTrustLevel {
-  if (hasAttestations(version)) return 'provenance'
+  // trusted publishing automatically generates provenance attestations
   if (hasTrustedPublisher(version)) return 'trustedPublisher'
+  if (hasAttestations(version)) return 'provenance'
   return 'none'
 }
 

app/pages/package/[[org]]/[name].vue

@@ -1099,7 +1099,7 @@ onKeyStroke(
               >
                 <template #trustedPublishing>
                   <a
-                    href="https://docs.npmjs.com/adding-a-trusted-publisher-to-a-package"
+                    href="https://docs.npmjs.com/trusted-publishers"
                     target="_blank"
                     rel="noopener noreferrer"
                     class="inline-flex items-center gap-1 rounded-sm underline underline-offset-4 decoration-amber-600/60 dark:decoration-amber-400/50 hover:decoration-fg focus-visible:decoration-fg focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent/70 transition-colors"
@@ -1129,7 +1129,7 @@ onKeyStroke(
                 </template>
                 <template #trustedPublishing>
                   <a
-                    href="https://docs.npmjs.com/adding-a-trusted-publisher-to-a-package"
+                    href="https://docs.npmjs.com/trusted-publishers"
                     target="_blank"
                     rel="noopener noreferrer"
                     class="inline-flex items-center gap-1 rounded-sm underline underline-offset-4 decoration-amber-600/60 dark:decoration-amber-400/50 hover:decoration-fg focus-visible:decoration-fg focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-accent/70 transition-colors"

test/nuxt/composables/use-package-transform.spec.ts

@@ -213,7 +213,7 @@ describe('transformPackument', () => {
     expect(detectPublishSecurityDowngradeForVersion(infos, '1.0.1')?.trustedVersion).toBe('1.0.0')
   })
 
-  it('prefers provenance trust level when both trustedPublisher and attestations exist', () => {
+  it('prefers trustedPublisher trust level when both trustedPublisher and attestations exist', () => {
     const packument = createPackument(
       {
         '1.0.0': createTrustedPublisherWithAttestationsVersion('1.0.0'),
@@ -230,7 +230,34 @@ describe('transformPackument', () => {
 
     const transformed = transformPackument(packument, '1.0.1')
 
-    expect(transformed.versions['1.0.0']?.trustLevel).toBe('provenance')
+    expect(transformed.versions['1.0.0']?.trustLevel).toBe('trustedPublisher')
+  })
+
+  // https://github.com/npmx-dev/npmx.dev/issues/1292
+  it('does not flag false downgrade when trusted publisher version also has attestations', () => {
+    // Trusted publishing automatically generates provenance attestations,
+    // so a version with both should be classified as trustedPublisher, not provenance.
+    const packument = createPackument(
+      {
+        '7.0.0': createTrustedPublisherWithAttestationsVersion('7.0.0'),
+        '7.0.1': createTrustedPublisherWithAttestationsVersion('7.0.1'),
+      },
+      {
+        'created': '2026-01-01T00:00:00.000Z',
+        'modified': '2026-01-02T00:00:00.000Z',
+        '7.0.0': '2026-01-01T00:00:00.000Z',
+        '7.0.1': '2026-01-02T00:00:00.000Z',
+      },
+      '7.0.1',
+    )
+
+    const transformed = transformPackument(packument, '7.0.1')
+    const infos = toVersionInfos(transformed)
+
+    // Both versions should be trustedPublisher — no downgrade
+    expect(infos.find(v => v.version === '7.0.0')?.trustLevel).toBe('trustedPublisher')
+    expect(infos.find(v => v.version === '7.0.1')?.trustLevel).toBe('trustedPublisher')
+    expect(detectPublishSecurityDowngradeForVersion(infos, '7.0.1')).toBeNull()
   })
 
   it('flags non-direct downgrade chain until trust is restored', () => {