pnpm/.changeset/violet-spiders-write.md at main

mirror of https://github.com/pnpm/pnpm.git synced 2025-12-23 23:29:17 -05:00

Files

Ryo Matsukawa 10bc39152e feat: add support for npm package trust evidence check via a new trustPolicy setting (#10103 )

close #8889

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>

2025-11-09 23:23:58 +01:00

454 B

Raw Permalink Blame History

pnpm

pnpm
minor

Added a new setting: trustPolicy.

When set to no-downgrade, pnpm will fail installation if a package’s trust level has decreased compared to previous releases — for example, if it was previously published by a trusted publisher but now only has provenance or no trust evidence. This helps prevent installing potentially compromised versions of a package.

Related issue: #8889.

454 B Raw Permalink Blame History Unescape Escape

454 B

Raw Permalink Blame History