fix: handle cross-major downgrades, minimise payload, add tests

Author: danielroe

app/composables/npm/usePackage.ts

@@ -59,7 +59,9 @@ export function transformPackument(
     includedVersions.add(requestedVersion)
   }
 
-  const securityVersions = Object.entries(pkg.versions).map(([version, metadata]) => {
+  // Build security metadata for all versions, but only include in payload
+  // when the package has mixed trust levels (i.e. a downgrade could exist)
+  const securityVersionEntries = Object.entries(pkg.versions).map(([version, metadata]) => {
     const trustLevel = getTrustLevel(metadata)
     return {
       version,
@@ -70,6 +72,10 @@ export function transformPackument(
     }
   })
 
+  const trustLevels = new Set(securityVersionEntries.map(v => v.trustLevel))
+  const hasMixedTrust = trustLevels.size > 1
+  const securityVersions = hasMixedTrust ? securityVersionEntries : undefined
+
   // Build filtered versions object with install scripts info per version
   const filteredVersions: Record<string, SlimVersion> = {}
   let versionData: SlimPackumentVersion | null = null

app/pages/package/[...package].vue

@@ -1124,7 +1124,7 @@ onKeyStroke(
             <p class="mt-2 mb-0 text-sm">
               {{ $t('package.security_downgrade.description') }}
             </p>
-            <p class="mt-2 mb-0 text-sm">
+            <p v-if="publishSecurityDowngrade.trustedVersion" class="mt-2 mb-0 text-sm">
               {{
                 $t('package.security_downgrade.fallback_install', {
                   version: publishSecurityDowngrade.trustedVersion,

app/utils/publish-security.ts

@@ -1,10 +1,11 @@
 import type { PackageVersionInfo, PublishTrustLevel } from '#shared/types'
-import { compare } from 'semver'
+import { compare, major } from 'semver'
 
 export interface PublishSecurityDowngrade {
   downgradedVersion: string
   downgradedPublishedAt?: string
-  trustedVersion: string
+  /** Recommended trusted version within the same major, if one exists */
+  trustedVersion?: string
   trustedPublishedAt?: string
 }
 
@@ -22,7 +23,9 @@ const TRUST_RANK: Record<PublishTrustLevel, number> = {
 
 function getTrustRank(version: PackageVersionInfo): number {
   if (version.trustLevel) return TRUST_RANK[version.trustLevel]
-  return version.hasProvenance ? TRUST_RANK.provenance : TRUST_RANK.none
+  // Fallback for legacy data: hasProvenance only indicates non-'none' trust,
+  // so map it to trustedPublisher (the lower rank) to avoid over-ranking
+  return version.hasProvenance ? TRUST_RANK.trustedPublisher : TRUST_RANK.none
 }
 
 function toTimestamp(time?: string): number {
@@ -73,22 +76,39 @@ export function detectPublishSecurityDowngradeForVersion(
   const currentIndex = sorted.findIndex(version => version.version === viewedVersion)
   if (currentIndex === -1) return null
 
-  const current = sorted.at(currentIndex)
+  const current = sorted[currentIndex]
   if (!current) return null
 
-  let strongestOlder: VersionWithIndex | null = null
+  const currentMajor = major(current.version)
+
+  // Find the strongest older version across all majors (for detection)
+  // and the strongest within the same major (for recommendation)
+  let strongestOlderAny: VersionWithIndex | null = null
+  let strongestOlderSameMajor: VersionWithIndex | null = null
   for (const version of sorted.slice(currentIndex + 1)) {
-    if (!strongestOlder || version.trustRank > strongestOlder.trustRank) {
-      strongestOlder = version
+    // Skip deprecated versions — recommending a deprecated version is misleading
+    if (version.deprecated) continue
+    if (!strongestOlderAny || version.trustRank > strongestOlderAny.trustRank) {
+      strongestOlderAny = version
+    }
+    if (major(version.version) === currentMajor) {
+      if (!strongestOlderSameMajor || version.trustRank > strongestOlderSameMajor.trustRank) {
+        strongestOlderSameMajor = version
+      }
     }
   }
 
+  // Use same-major for recommendation if available, otherwise any-major for detection only
+  const strongestOlder = strongestOlderSameMajor ?? strongestOlderAny
   if (!strongestOlder || strongestOlder.trustRank <= current.trustRank) return null
 
+  // Only recommend a specific version if it's in the same major
+  const recommendation = strongestOlderSameMajor
+
   return {
     downgradedVersion: current.version,
     downgradedPublishedAt: current.time,
-    trustedVersion: strongestOlder.version,
-    trustedPublishedAt: strongestOlder.time,
+    trustedVersion: recommendation?.version,
+    trustedPublishedAt: recommendation?.time,
   }
 }

test/nuxt/composables/use-package-transform.spec.ts

@@ -115,6 +115,49 @@ describe('transformPackument', () => {
     expect(transformed.securityVersions).toHaveLength(8)
   })
 
+  it('omits securityVersions when all versions have the same trust level', () => {
+    const packument = createPackument(
+      {
+        '1.0.0': createVersion('1.0.0'),
+        '1.0.1': createVersion('1.0.1'),
+        '1.0.2': createVersion('1.0.2'),
+      },
+      {
+        'created': '2026-01-01T00:00:00.000Z',
+        'modified': '2026-01-03T00:00:00.000Z',
+        '1.0.0': '2026-01-01T00:00:00.000Z',
+        '1.0.1': '2026-01-02T00:00:00.000Z',
+        '1.0.2': '2026-01-03T00:00:00.000Z',
+      },
+      '1.0.2',
+    )
+
+    const transformed = transformPackument(packument, '1.0.2')
+
+    // All versions have trustLevel 'none', so no mixed trust — omit the array
+    expect(transformed.securityVersions).toBeUndefined()
+  })
+
+  it('includes securityVersions when package has mixed trust levels', () => {
+    const packument = createPackument(
+      {
+        '1.0.0': createVersion('1.0.0', true),
+        '1.0.1': createVersion('1.0.1'),
+      },
+      {
+        'created': '2026-01-01T00:00:00.000Z',
+        'modified': '2026-01-02T00:00:00.000Z',
+        '1.0.0': '2026-01-01T00:00:00.000Z',
+        '1.0.1': '2026-01-02T00:00:00.000Z',
+      },
+      '1.0.1',
+    )
+
+    const transformed = transformPackument(packument, '1.0.1')
+
+    expect(transformed.securityVersions).toHaveLength(2)
+  })
+
   it('works with downgrade detection for viewed version', () => {
     const packument = createPackument(
       {

test/unit/app/utils/publish-security.spec.ts

@@ -107,4 +107,138 @@ describe('detectPublishSecurityDowngradeForVersion', () => {
     )
     expect(detectPublishSecurityDowngradeForVersion(versions, '2.4.0')).toBeNull()
   })
+
+  it('skips deprecated versions when selecting trustedVersion', () => {
+    const result = detectPublishSecurityDowngradeForVersion(
+      [
+        {
+          version: '1.0.0',
+          time: '2026-01-01T00:00:00.000Z',
+          hasProvenance: true,
+          trustLevel: 'provenance',
+        },
+        {
+          version: '1.0.1',
+          time: '2026-01-02T00:00:00.000Z',
+          hasProvenance: true,
+          trustLevel: 'provenance',
+          deprecated: 'Use 1.0.2 instead',
+        },
+        {
+          version: '1.0.2',
+          time: '2026-01-03T00:00:00.000Z',
+          hasProvenance: false,
+          trustLevel: 'none',
+        },
+      ],
+      '1.0.2',
+    )
+
+    // Should recommend 1.0.0 (not 1.0.1 which is deprecated)
+    expect(result?.trustedVersion).toBe('1.0.0')
+  })
+
+  it('returns null when all older trusted versions are deprecated', () => {
+    const result = detectPublishSecurityDowngradeForVersion(
+      [
+        {
+          version: '1.0.0',
+          time: '2026-01-01T00:00:00.000Z',
+          hasProvenance: true,
+          trustLevel: 'provenance',
+          deprecated: 'Deprecated',
+        },
+        {
+          version: '1.0.1',
+          time: '2026-01-02T00:00:00.000Z',
+          hasProvenance: false,
+          trustLevel: 'none',
+        },
+      ],
+      '1.0.1',
+    )
+
+    expect(result).toBeNull()
+  })
+
+  it('detects cross-major downgrade but does not recommend a version', () => {
+    const result = detectPublishSecurityDowngradeForVersion(
+      [
+        {
+          version: '1.0.0',
+          time: '2026-01-01T00:00:00.000Z',
+          hasProvenance: true,
+          trustLevel: 'provenance',
+        },
+        {
+          version: '2.0.0',
+          time: '2026-01-02T00:00:00.000Z',
+          hasProvenance: false,
+          trustLevel: 'none',
+        },
+      ],
+      '2.0.0',
+    )
+
+    // Downgrade is detected (v1.0.0 was trusted, v2.0.0 is not)
+    expect(result).not.toBeNull()
+    expect(result?.downgradedVersion).toBe('2.0.0')
+    // But no trustedVersion recommendation since v1.0.0 is a different major
+    expect(result?.trustedVersion).toBeUndefined()
+  })
+
+  it('recommends same-major trusted version when cross-major exists', () => {
+    const result = detectPublishSecurityDowngradeForVersion(
+      [
+        {
+          version: '1.0.0',
+          time: '2026-01-01T00:00:00.000Z',
+          hasProvenance: true,
+          trustLevel: 'provenance',
+        },
+        {
+          version: '2.0.0',
+          time: '2026-01-02T00:00:00.000Z',
+          hasProvenance: true,
+          trustLevel: 'provenance',
+        },
+        {
+          version: '2.1.0',
+          time: '2026-01-03T00:00:00.000Z',
+          hasProvenance: false,
+          trustLevel: 'none',
+        },
+      ],
+      '2.1.0',
+    )
+
+    // Should recommend 2.0.0 (same major), not 1.0.0
+    expect(result?.trustedVersion).toBe('2.0.0')
+  })
+
+  it('uses trustedPublisher rank (not provenance) for hasProvenance fallback without trustLevel', () => {
+    // When trustLevel is absent, hasProvenance: true should map to trustedPublisher rank,
+    // not provenance rank. This means a version with only hasProvenance: true should NOT
+    // be considered a downgrade from trustedPublisher.
+    const result = detectPublishSecurityDowngradeForVersion(
+      [
+        {
+          version: '1.0.0',
+          time: '2026-01-01T00:00:00.000Z',
+          hasProvenance: true,
+          // no trustLevel — fallback path
+        },
+        {
+          version: '1.0.1',
+          time: '2026-01-02T00:00:00.000Z',
+          hasProvenance: true,
+          trustLevel: 'trustedPublisher',
+        },
+      ],
+      '1.0.1',
+    )
+
+    // Both should be treated as trustedPublisher rank, so no downgrade
+    expect(result).toBeNull()
+  })
 })