From 287712d833f1281d2aa6ad9d5887073af27aa99d Mon Sep 17 00:00:00 2001
From: btea <2356281422@qq.com>
Date: Sat, 22 Nov 2025 09:35:19 +0800
Subject: [PATCH] fix: improve the error messages related to `trustPolicy` mismatch (#10203)
---------
Co-authored-by: Zoltan Kochan
---
 .changeset/public-feet-hide.md | 5 +++++
 resolving/npm-resolver/src/trustChecks.ts | 4 +++-
 2 files changed, 8 insertions(+), 1 deletion(-)
 create mode 100644 .changeset/public-feet-hide.md
diff --git a/.changeset/public-feet-hide.md b/.changeset/public-feet-hide.md
new file mode 100644
index 0000000000..ef8c7556c3
--- /dev/null
+++ b/.changeset/public-feet-hide.md
@@ -0,0 +1,5 @@
+---
+"@pnpm/npm-resolver": patch
+---
+
+Improve the error messages related to `trustPolicy` mismatch.
diff --git a/resolving/npm-resolver/src/trustChecks.ts b/resolving/npm-resolver/src/trustChecks.ts
index 3b9fdaeb5f..9416e409c7 100644
--- a/resolving/npm-resolver/src/trustChecks.ts
+++ b/resolving/npm-resolver/src/trustChecks.ts
@@ -52,7 +52,9 @@ export function failIfTrustDowngraded (
 'TRUST_DOWNGRADE',
 `High-risk trust downgrade for "${meta.name}@${version}" (possible package takeover)`,
 {
- hint: `Earlier versions had ${prettyPrintTrustEvidence(strongestEvidencePriorToRequestedVersion)}, ` +
+ hint: 'Trust checks are based solely on publish date, not semver. ' +
+ 'A package cannot be installed if any earlier-published version had stronger trust evidence. ' +
+ `Earlier versions had ${prettyPrintTrustEvidence(strongestEvidencePriorToRequestedVersion)}, ` +
 `but this version has ${prettyPrintTrustEvidence(currentTrustEvidence)}. ` +
 'A trust downgrade may indicate a supply chain incident.',
 }
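Review bot: The expanded hint in failIfTrustDowngraded now explains why the TRUST_DOWNGRADE check fired, but it still never names the setting that governs it (`trustPolicy`, per the commit subject), so the user gets a longer message with no pointer to where the behaviour is configured or to the fact that overriding it is a deliberate acceptance of the supply-chain risk the message describes. A closing sentence along the lines of `'This check is controlled by the trustPolicy setting; verify the publisher and publish history before relaxing it.'` would keep the message actionable (the option's accepted values should be confirmed against its documentation, which this hunk does not show). On style, the hint mixes three single-quoted fragments with two template literals joined by `+`; only the last two parts interpolate, so it is correct, but a single template literal or a `[...].join(' ')` would read uniformly. The diffstat touches only the changeset and this file, so if any test asserts the previous hint text it is not updated here. The call that builds this error, and the body of failIfTrustDowngraded, begin outside the hunk.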