Support for trusted publisher

Author: wojtekmaj

app/composables/npm/usePackage.ts

@@ -5,6 +5,24 @@ import { extractInstallScriptsInfo } from '~/utils/install-scripts'
 /** Number of recent versions to include in initial payload */
 const RECENT_VERSIONS_COUNT = 5
 
+function hasAttestations(version: Packument['versions'][string]): boolean {
+  return Boolean(version.dist.attestations)
+}
+
+function hasTrustedPublisher(version: Packument['versions'][string]): boolean {
+  return Boolean(version._npmUser?.trustedPublisher)
+}
+
+function hasPublishTrustEvidence(version: Packument['versions'][string]): boolean {
+  return hasAttestations(version) || hasTrustedPublisher(version)
+}
+
+function getTrustLevel(version: Packument['versions'][string]): SlimVersion['trustLevel'] {
+  if (hasAttestations(version)) return 'provenance'
+  if (hasTrustedPublisher(version)) return 'trustedPublisher'
+  return 'none'
+}
+
 /**
  * Transform a full Packument into a slimmed version for client-side use.
  * Reduces payload size by:
@@ -38,6 +56,17 @@ export function transformPackument(
     includedVersions.add(requestedVersion)
   }
 
+  const securityVersions = Object.entries(pkg.versions).map(([version, metadata]) => {
+    const trustLevel = getTrustLevel(metadata)
+    return {
+      version,
+      time: pkg.time[version],
+      hasProvenance: trustLevel !== 'none',
+      trustLevel,
+      deprecated: metadata.deprecated,
+    }
+  })
+
   // Build filtered versions object with install scripts info per version
   const filteredVersions: Record<string, SlimVersion> = {}
   let versionData: SlimPackumentVersion | null = null
@@ -55,10 +84,12 @@ export function transformPackument(
           installScripts: installScripts ?? undefined,
         }
       }
+      const hasProvenance = hasPublishTrustEvidence(version)
+      const trustLevel = getTrustLevel(version)
+
       filteredVersions[v] = {
-        ...((version?.dist as { attestations?: unknown } | undefined)?.attestations
-          ? { hasProvenance: true }
-          : {}),
+        hasProvenance,
+        trustLevel,
         version: version.version,
         deprecated: version.deprecated,
         tags: version.tags as string[],
@@ -96,6 +127,7 @@ export function transformPackument(
     'bugs': pkg.bugs,
     'requestedVersion': versionData,
     'versions': filteredVersions,
+    'securityVersions': securityVersions,
   }
 }
 

app/pages/package/[...package].vue

@@ -147,11 +147,13 @@ const {
 const displayVersion = computed(() => pkg.value?.requestedVersion ?? null)
 const versionSecurityMetadata = computed<PackageVersionInfo[]>(() => {
   if (!pkg.value) return []
+  if (pkg.value.securityVersions?.length) return pkg.value.securityVersions
 
   return Object.entries(pkg.value.versions).map(([version, metadata]) => ({
     version,
     time: pkg.value?.time?.[version],
     hasProvenance: !!metadata.hasProvenance,
+    trustLevel: metadata.trustLevel,
     deprecated: metadata.deprecated,
   }))
 })

app/utils/publish-security.ts

@@ -1,4 +1,4 @@
-import type { PackageVersionInfo } from '#shared/types'
+import type { PackageVersionInfo, PublishTrustLevel } from '#shared/types'
 import { compare } from 'semver'
 
 export interface PublishSecurityDowngrade {
@@ -11,6 +11,18 @@ export interface PublishSecurityDowngrade {
 type VersionWithIndex = PackageVersionInfo & {
   index: number
   timestamp: number
+  trustRank: number
+}
+
+const TRUST_RANK: Record<PublishTrustLevel, number> = {
+  none: 0,
+  trustedPublisher: 1,
+  provenance: 2,
+}
+
+function getTrustRank(version: PackageVersionInfo): number {
+  if (version.trustLevel) return TRUST_RANK[version.trustLevel]
+  return version.hasProvenance ? TRUST_RANK.provenance : TRUST_RANK.none
 }
 
 function toTimestamp(time?: string): number {
@@ -50,20 +62,27 @@ export function detectPublishSecurityDowngrade(
       ...version,
       index,
       timestamp: toTimestamp(version.time),
+      trustRank: getTrustRank(version),
     }))
     .sort(sortByRecency)
 
   const latest = sorted.at(0)
-  if (!latest || latest.hasProvenance) return null
+  if (!latest) return null
 
-  const latestTrusted = sorted.find(version => version.hasProvenance)
-  if (!latestTrusted) return null
+  let strongestOlder: VersionWithIndex | null = null
+  for (const version of sorted.slice(1)) {
+    if (!strongestOlder || version.trustRank > strongestOlder.trustRank) {
+      strongestOlder = version
+    }
+  }
+
+  if (!strongestOlder || strongestOlder.trustRank <= latest.trustRank) return null
 
   return {
     downgradedVersion: latest.version,
     downgradedPublishedAt: latest.time,
-    trustedVersion: latestTrusted.version,
-    trustedPublishedAt: latestTrusted.time,
+    trustedVersion: strongestOlder.version,
+    trustedPublishedAt: strongestOlder.time,
   }
 }
 
@@ -83,22 +102,29 @@ export function detectPublishSecurityDowngradeForVersion(
       ...version,
       index,
       timestamp: toTimestamp(version.time),
+      trustRank: getTrustRank(version),
     }))
     .sort(sortByRecency)
 
   const currentIndex = sorted.findIndex(version => version.version === viewedVersion)
   if (currentIndex === -1) return null
 
   const current = sorted.at(currentIndex)
-  if (!current || current.hasProvenance) return null
+  if (!current) return null
+
+  let strongestOlder: VersionWithIndex | null = null
+  for (const version of sorted.slice(currentIndex + 1)) {
+    if (!strongestOlder || version.trustRank > strongestOlder.trustRank) {
+      strongestOlder = version
+    }
+  }
 
-  const trustedOlder = sorted.slice(currentIndex + 1).find(version => version.hasProvenance)
-  if (!trustedOlder) return null
+  if (!strongestOlder || strongestOlder.trustRank <= current.trustRank) return null
 
   return {
     downgradedVersion: current.version,
     downgradedPublishedAt: current.time,
-    trustedVersion: trustedOlder.version,
-    trustedPublishedAt: trustedOlder.time,
+    trustedVersion: strongestOlder.version,
+    trustedPublishedAt: strongestOlder.time,
   }
 }

shared/types/npm-registry.ts

@@ -6,16 +6,28 @@
  * @see https://github.com/npm/registry/blob/main/docs/REGISTRY-API.md
  */
 
-import type { Packument as PackumentWithoutLicenseObjects, PackumentVersion } from '@npm/types'
+import type {
+  Packument as PackumentWithoutLicenseObjects,
+  PackumentVersion as PackumentVersionWithoutAttestations,
+  Contact,
+} from '@npm/types'
 import type { ReadmeResponse } from './readme'
 
 // Re-export official npm types for packument/manifest
-export type { PackumentVersion, Manifest, ManifestVersion, PackageJSON } from '@npm/types'
+export type { Manifest, ManifestVersion, PackageJSON } from '@npm/types'
 
-// TODO: Remove this type override when @npm/types fixes the license field typing
-export type Packument = Omit<PackumentWithoutLicenseObjects, 'license'> & {
+type NpmTrustedPublisherEvidence = NpmSearchTrustedPublisher | NpmTrustedPublisher | true
+
+export interface PackumentVersion extends PackumentVersionWithoutAttestations {
+  _npmUser?: Contact & { trustedPublisher?: NpmTrustedPublisherEvidence }
+  dist: PackumentVersionWithoutAttestations['dist'] & { attestations?: NpmVersionAttestations }
+}
+
+export type Packument = Omit<PackumentWithoutLicenseObjects, 'license' | 'versions'> & {
   // Fix for license field being incorrectly typed in @npm/types
+  // TODO: Remove this type override when @npm/types fixes the license field typing
   license?: string | { type: string; url?: string }
+  versions: Record<string, PackumentVersion>
 }
 
 /** Install scripts info (preinstall, install, postinstall) */
@@ -30,8 +42,11 @@ export type SlimPackumentVersion = PackumentVersion & {
   installScripts?: InstallScriptsInfo
 }
 
+export type PublishTrustLevel = 'none' | 'trustedPublisher' | 'provenance'
+
 export type SlimVersion = Pick<SlimPackumentVersion, 'version' | 'deprecated' | 'tags'> & {
-  hasProvenance?: true
+  hasProvenance?: boolean
+  trustLevel?: PublishTrustLevel
 }
 
 /**
@@ -72,6 +87,8 @@ export interface SlimPackument {
   'requestedVersion': SlimPackumentVersion | null
   /** Only includes dist-tag versions (with installScripts info added per version) */
   'versions': Record<string, SlimVersion>
+  /** Lightweight security metadata for all versions */
+  'securityVersions'?: PackageVersionInfo[]
 }
 
 /**
@@ -81,6 +98,7 @@ export interface PackageVersionInfo {
   version: string
   time?: string
   hasProvenance: boolean
+  trustLevel?: PublishTrustLevel
   deprecated?: string
 }