fix: improve the error messages related to trustPolicy mismatch (#10203)

--------- Co-authored-by: Zoltan Kochan <z@kochan.io>
2026-04-03 15:01:48 -04:00 · 2025-11-22 09:35:19 +08:00
parent 8695e49dc2
commit 287712d833
2 changed files with 8 additions and 1 deletions
--- a/.changeset/public-feet-hide.md
+++ b/.changeset/public-feet-hide.md
@@ -0,0 +1,5 @@
+---
+"@pnpm/npm-resolver": patch
+---
+
+Improve the error messages related to `trustPolicy` mismatch.
--- a/resolving/npm-resolver/src/trustChecks.ts
+++ b/resolving/npm-resolver/src/trustChecks.ts
@@ -52,7 +52,9 @@ export function failIfTrustDowngraded (
      'TRUST_DOWNGRADE',
      `High-risk trust downgrade for "${meta.name}@${version}" (possible package takeover)`,
      {
-        hint: `Earlier versions had ${prettyPrintTrustEvidence(strongestEvidencePriorToRequestedVersion)}, ` +
+        hint: 'Trust checks are based solely on publish date, not semver. ' +
+          'A package cannot be installed if any earlier-published version had stronger trust evidence. ' +
+          `Earlier versions had ${prettyPrintTrustEvidence(strongestEvidencePriorToRequestedVersion)}, ` +
          `but this version has ${prettyPrintTrustEvidence(currentTrustEvidence)}. ` +
          'A trust downgrade may indicate a supply chain incident.',
      }