Cleanup

wojtekmaj · wojtekmaj · commit e3424a75f698 · 2026-02-06T10:20:14.000+01:00
diff --git a/app/composables/npm/usePackage.ts b/app/composables/npm/usePackage.ts
@@ -1,23 +1,26 @@
-import type { Packument, SlimPackument, SlimVersion, SlimPackumentVersion } from '#shared/types'
+import type {
+  Packument,
+  SlimPackument,
+  SlimVersion,
+  SlimPackumentVersion,
+  PackumentVersion,
+  PublishTrustLevel,
+} from '#shared/types'
 import { NPM_REGISTRY } from '~/utils/npm/common'
 import { extractInstallScriptsInfo } from '~/utils/install-scripts'
 
 /** Number of recent versions to include in initial payload */
 const RECENT_VERSIONS_COUNT = 5
 
-function hasAttestations(version: Packument['versions'][string]): boolean {
+function hasAttestations(version: PackumentVersion): boolean {
   return Boolean(version.dist.attestations)
 }
 
-function hasTrustedPublisher(version: Packument['versions'][string]): boolean {
+function hasTrustedPublisher(version: PackumentVersion): boolean {
   return Boolean(version._npmUser?.trustedPublisher)
 }
 
-function hasPublishTrustEvidence(version: Packument['versions'][string]): boolean {
-  return hasAttestations(version) || hasTrustedPublisher(version)
-}
-
-function getTrustLevel(version: Packument['versions'][string]): SlimVersion['trustLevel'] {
+function getTrustLevel(version: PackumentVersion): PublishTrustLevel {
   if (hasAttestations(version)) return 'provenance'
   if (hasTrustedPublisher(version)) return 'trustedPublisher'
   return 'none'
@@ -84,8 +87,8 @@ export function transformPackument(
           installScripts: installScripts ?? undefined,
         }
       }
-      const hasProvenance = hasPublishTrustEvidence(version)
       const trustLevel = getTrustLevel(version)
+      const hasProvenance = trustLevel !== 'none'
 
       filteredVersions[v] = {
         hasProvenance,
diff --git a/app/pages/package/[...package].vue b/app/pages/package/[...package].vue
@@ -245,10 +245,9 @@ const publishSecurityDowngrade = computed(() => {
   return detectPublishSecurityDowngradeForVersion(versionSecurityMetadata.value, currentVersion)
 })
 
-const installVersionOverride = computed(() => {
-  if (!publishSecurityDowngrade.value) return null
-  return publishSecurityDowngrade.value.trustedVersion
-})
+const installVersionOverride = computed(
+  () => publishSecurityDowngrade.value?.trustedVersion ?? null,
+)
 
 const sizeTooltip = computed(() => {
   const chunks = [
diff --git a/app/utils/publish-security.ts b/app/utils/publish-security.ts
@@ -31,59 +31,23 @@ function toTimestamp(time?: string): number {
 }
 
 function sortByRecency(a: VersionWithIndex, b: VersionWithIndex): number {
-  const aValid = Number.isFinite(a.timestamp)
-  const bValid = Number.isFinite(b.timestamp)
+  const aValid = !Number.isNaN(a.timestamp)
+  const bValid = !Number.isNaN(b.timestamp)
 
-  if (aValid && bValid && a.timestamp !== b.timestamp) {
-    return b.timestamp - a.timestamp
+  if (!aValid && !bValid) {
+    // Fall back to semver comparison if no valid timestamps
+    const semverOrder = compare(b.version, a.version)
+    if (semverOrder !== 0) return semverOrder
+
+    // If semver is also equal, maintain original order
+    return a.index - b.index
   }
 
   if (aValid !== bValid) {
     return aValid ? -1 : 1
   }
 
-  const semverOrder = compare(b.version, a.version)
-  if (semverOrder !== 0) return semverOrder
-
-  return a.index - b.index
-}
-
-/**
- * Detects a security downgrade where the newest publish is not trusted,
- * but an older publish was trusted (e.g. OIDC/provenance -> manual publish).
- */
-export function detectPublishSecurityDowngrade(
-  versions: PackageVersionInfo[],
-): PublishSecurityDowngrade | null {
-  if (versions.length < 2) return null
-
-  const sorted = versions
-    .map((version, index) => ({
-      ...version,
-      index,
-      timestamp: toTimestamp(version.time),
-      trustRank: getTrustRank(version),
-    }))
-    .sort(sortByRecency)
-
-  const latest = sorted.at(0)
-  if (!latest) return null
-
-  let strongestOlder: VersionWithIndex | null = null
-  for (const version of sorted.slice(1)) {
-    if (!strongestOlder || version.trustRank > strongestOlder.trustRank) {
-      strongestOlder = version
-    }
-  }
-
-  if (!strongestOlder || strongestOlder.trustRank <= latest.trustRank) return null
-
-  return {
-    downgradedVersion: latest.version,
-    downgradedPublishedAt: latest.time,
-    trustedVersion: strongestOlder.version,
-    trustedPublishedAt: strongestOlder.time,
-  }
+  return b.timestamp - a.timestamp
 }
 
 /**
diff --git a/test/unit/app/utils/publish-security.spec.ts b/test/unit/app/utils/publish-security.spec.ts
@@ -1,66 +1,5 @@
 import { describe, expect, it } from 'vitest'
-import {
-  detectPublishSecurityDowngrade,
-  detectPublishSecurityDowngradeForVersion,
-} from '../../../../app/utils/publish-security'
-
-describe('detectPublishSecurityDowngrade', () => {
-  it('detects downgrade when latest publish is untrusted and older publish is trusted', () => {
-    const result = detectPublishSecurityDowngrade([
-      {
-        version: '1.0.0',
-        time: '2026-01-01T00:00:00.000Z',
-        hasProvenance: true,
-      },
-      {
-        version: '1.0.1',
-        time: '2026-01-02T00:00:00.000Z',
-        hasProvenance: false,
-      },
-    ])
-
-    expect(result).toEqual({
-      downgradedVersion: '1.0.1',
-      downgradedPublishedAt: '2026-01-02T00:00:00.000Z',
-      trustedVersion: '1.0.0',
-      trustedPublishedAt: '2026-01-01T00:00:00.000Z',
-    })
-  })
-
-  it('returns null when latest publish is trusted', () => {
-    const result = detectPublishSecurityDowngrade([
-      {
-        version: '1.0.0',
-        time: '2026-01-01T00:00:00.000Z',
-        hasProvenance: false,
-      },
-      {
-        version: '1.0.1',
-        time: '2026-01-02T00:00:00.000Z',
-        hasProvenance: true,
-      },
-    ])
-
-    expect(result).toBeNull()
-  })
-
-  it('returns null when there is no trusted historical release', () => {
-    const result = detectPublishSecurityDowngrade([
-      {
-        version: '1.0.0',
-        time: '2026-01-01T00:00:00.000Z',
-        hasProvenance: false,
-      },
-      {
-        version: '1.0.1',
-        time: '2026-01-02T00:00:00.000Z',
-        hasProvenance: false,
-      },
-    ])
-
-    expect(result).toBeNull()
-  })
-})
+import { detectPublishSecurityDowngradeForVersion } from '../../../../app/utils/publish-security'
 
 describe('detectPublishSecurityDowngradeForVersion', () => {
   const versions = [
