@@ -31,59 +31,23 @@ function toTimestamp(time?: string): number {
3131}
3232
3333function sortByRecency ( a : VersionWithIndex , b : VersionWithIndex ) : number {
34- const aValid = Number . isFinite ( a . timestamp )
35- const bValid = Number . isFinite ( b . timestamp )
34+ const aValid = ! Number . isNaN ( a . timestamp )
35+ const bValid = ! Number . isNaN ( b . timestamp )
3636
37- if ( aValid && bValid && a . timestamp !== b . timestamp ) {
38- return b . timestamp - a . timestamp
37+ if ( ! aValid && ! bValid ) {
38+ // Fall back to semver comparison if no valid timestamps
39+ const semverOrder = compare ( b . version , a . version )
40+ if ( semverOrder !== 0 ) return semverOrder
41+
42+ // If semver is also equal, maintain original order
43+ return a . index - b . index
3944 }
4045
4146 if ( aValid !== bValid ) {
4247 return aValid ? - 1 : 1
4348 }
4449
45- const semverOrder = compare ( b . version , a . version )
46- if ( semverOrder !== 0 ) return semverOrder
47-
48- return a . index - b . index
49- }
50-
51- /**
52- * Detects a security downgrade where the newest publish is not trusted,
53- * but an older publish was trusted (e.g. OIDC/provenance -> manual publish).
54- */
55- export function detectPublishSecurityDowngrade (
56- versions : PackageVersionInfo [ ] ,
57- ) : PublishSecurityDowngrade | null {
58- if ( versions . length < 2 ) return null
59-
60- const sorted = versions
61- . map ( ( version , index ) => ( {
62- ...version ,
63- index,
64- timestamp : toTimestamp ( version . time ) ,
65- trustRank : getTrustRank ( version ) ,
66- } ) )
67- . sort ( sortByRecency )
68-
69- const latest = sorted . at ( 0 )
70- if ( ! latest ) return null
71-
72- let strongestOlder : VersionWithIndex | null = null
73- for ( const version of sorted . slice ( 1 ) ) {
74- if ( ! strongestOlder || version . trustRank > strongestOlder . trustRank ) {
75- strongestOlder = version
76- }
77- }
78-
79- if ( ! strongestOlder || strongestOlder . trustRank <= latest . trustRank ) return null
80-
81- return {
82- downgradedVersion : latest . version ,
83- downgradedPublishedAt : latest . time ,
84- trustedVersion : strongestOlder . version ,
85- trustedPublishedAt : strongestOlder . time ,
86- }
50+ return b . timestamp - a . timestamp
8751}
8852
8953/**
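Review bot: The final `return b.timestamp - a.timestamp` yields 0 when two entries carry the same valid timestamp, so the semver and index tie-break that the `!aValid && !bValid` branch applies is skipped for that case and the order of equal-timestamp versions is left to the engine's sort stability (input order) rather than to `compare`. Since the element at position 0 of the sorted array is what the caller treats as the newest publish, two versions published at the same instant can now be ranked with the lower semver first. Making the tie-break apply whenever the timestamps do not decide the order restores a deterministic result. Separately, the switch from `Number.isFinite` to `!Number.isNaN` admits `Infinity` as a valid timestamp, and `Infinity - Infinity` is `NaN`, which the sort treats as 0; whether `toTimestamp` can return a non-finite number depends on its body, which lies above this hunk. The deleted `detectPublishSecurityDowngrade` export is not re-added anywhere in this hunk; if it moved elsewhere in the commit, its `sorted.at(0)` use is what the first point affects.
```typescript
function sortByRecency(a: VersionWithIndex, b: VersionWithIndex): number {
  const aValid = !Number.isNaN(a.timestamp)
  const bValid = !Number.isNaN(b.timestamp)

  // An entry with a usable timestamp always sorts before one without.
  if (aValid !== bValid) {
    return aValid ? -1 : 1
  }

  // Both timestamps usable and different: newest first.
  if (aValid && bValid && a.timestamp !== b.timestamp) {
    return b.timestamp - a.timestamp
  }

  // Both timestamps missing, or identical: fall back to semver (highest first),
  // then to the original position so the order stays deterministic.
  const semverOrder = compare(b.version, a.version)
  if (semverOrder !== 0) return semverOrder

  return a.index - b.index
}
```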