mirror/pnpm
1
0
Fork 0
mirror of https://github.com/pnpm/pnpm.git synced 2026-06-28 09:55:39 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
37669c200d3fff2db20a032bc092ed7dc797be45
pnpm/resolving/npm-resolver/test/trustChecks.test.ts
James Garbutt 1e9ab2935f feat: support staged publishes in trust scale (#12056) 
Fixes #11887.

Staged publishes now have a signal in the packument: `approver`.

If this is set, the package is more trustworthy than a "trusted publisher" package, since it requires 2FA publish approvals.

## Changes

**pnpm (TypeScript)**
- `getTrustEvidence` recognizes `_npmUser.approver` and classifies it as a new `stagedPublish` trust evidence, ranked above `trustedPublisher` and `provenance`.
- Trust-downgrade detection treats `stagedPublish` as the strongest rank, and the resolution verifier's PII-minimizing metadata projection retains the approver *signal* (without keeping the approver's name/email).

**pacquet (Rust port)**
- Ported the same staged-publish support: an `Approver` registry type, a `StagedPublish` trust evidence (rank 3 — above `TrustedPublisher`/`Provenance`), detection, pretty-printing, and the PII-stripping trust-meta projection.
- Wired `trustPolicy='no-downgrade'` enforcement into the **resolver-time** path, not just the lockfile verifier. Previously pacquet only re-checked entries already in `pnpm-lock.yaml`; fresh resolutions weren't gated. The npm resolver now runs `fail_if_trust_downgraded` on each freshly picked version (full metadata is already forced under this policy), mirroring pnpm's resolver-time `failIfTrustDowngraded` call.
- Ported the matching `trustChecks` tests for full parity with the TypeScript suite (staged-publish classification/downgrade, plus previously-unported `trustedPublisher → none`, no-evidence-anywhere, and exclude + missing-time cases).

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
2026-05-29 12:49:11 +02:00

765 lines
21 KiB
TypeScript
Raw Blame History

import { describe, expect, test } from '@jest/globals'
import { createPackageVersionPolicy } from '@pnpm/config.version-policy'
import type { PackageInRegistry, PackageMetaWithTime } from '@pnpm/resolving.registry.types'
import { failIfTrustDowngraded, getTrustEvidence } from '../src/trustChecks.js'
describe('getTrustEvidence', () => {
test('returns undefined when _npmUser.trustedPublisher exists without provenance', () => {
const manifest: PackageInRegistry = {
name: 'foo',
version: '1.0.0',
_npmUser: {
name: 'test-publisher',
email: 'publisher@example.com',
trustedPublisher: {
id: 'test-provider',
oidcConfigId: 'oidc:test-config-123',
},
},
dist: {
shasum: 'abc123',
tarball: 'https://registry.example.com/foo/-/foo-1.0.0.tgz',
},
}
expect(getTrustEvidence(manifest)).toBeUndefined()
})
test('returns "trustedPublisher" when attestations.provenance also exists', () => {
const manifest: PackageInRegistry = {
name: 'foo',
version: '1.0.0',
_npmUser: {
name: 'test-publisher',
email: 'publisher@example.com',
trustedPublisher: {
id: 'test-provider',
oidcConfigId: 'oidc:test-config-123',
},
},
dist: {
shasum: 'abc123',
tarball: 'https://registry.example.com/foo/-/foo-2.0.0.tgz',
attestations: {
provenance: {
predicateType: 'https://slsa.dev/provenance/v1',
},
},
},
}
expect(getTrustEvidence(manifest)).toBe('trustedPublisher')
})
test('returns true when provenance exists', () => {
const manifest: PackageInRegistry = {
name: 'foo',
version: '1.0.0',
dist: {
shasum: 'abc123',
tarball: 'https://registry.example.com/foo/-/foo-1.0.0.tgz',
attestations: {
provenance: {
predicateType: 'https://slsa.dev/provenance/v1',
},
},
},
}
expect(getTrustEvidence(manifest)).toBe('provenance')
})
test('returns undefined when provenance and attestations are undefined', () => {
const manifest: PackageInRegistry = {
name: 'foo',
version: '1.0.0',
dist: {
shasum: 'abc123',
tarball: 'https://registry.example.com/foo/-/foo-1.0.0.tgz',
},
}
expect(getTrustEvidence(manifest)).toBeUndefined()
})
test('returns undefined when _npmUser exists but trustedPublisher is undefined', () => {
const manifest: PackageInRegistry = {
name: 'foo',
version: '1.0.0',
_npmUser: {
name: 'test-user',
email: 'user@example.com',
},
dist: {
shasum: 'abc123',
tarball: 'https://registry.example.com/foo/-/foo-1.0.0.tgz',
},
}
expect(getTrustEvidence(manifest)).toBeUndefined()
})
test('returns stagedPublish when approver exists', () => {
const manifest: PackageInRegistry = {
name: 'foo',
version: '1.0.0',
_npmUser: {
name: 'test-approver',
email: 'user@example.com',
approver: {
name: 'test-approver',
email: 'user@example.com',
},
},
dist: {
shasum: 'abc123',
tarball: 'https://registry.example.com/foo/-/foo-1.0.0.tgz',
},
}
expect(getTrustEvidence(manifest)).toBe('stagedPublish')
})
test('returns stagedPublish when both approver and trustedPublisher exist', () => {
const manifest: PackageInRegistry = {
name: 'foo',
version: '1.0.0',
_npmUser: {
name: 'test-approver',
email: 'user@example.com',
approver: {
name: 'test-approver',
email: 'user@example.com',
},
trustedPublisher: {
id: 'test-provider',
oidcConfigId: 'oidc:test-config-123',
},
},
dist: {
shasum: 'abc123',
tarball: 'https://registry.example.com/foo/-/foo-1.0.0.tgz',
attestations: {
provenance: {
predicateType: 'https://slsa.dev/provenance/v1',
},
},
},
}
expect(getTrustEvidence(manifest)).toBe('stagedPublish')
})
})
describe('failIfTrustDowngraded', () => {
test('succeeds when no versions have attestation', () => {
const meta: PackageMetaWithTime = {
name: 'foo',
'dist-tags': { latest: '2.0.0' },
versions: {
'1.0.0': {
name: 'foo',
version: '1.0.0',
dist: {
shasum: 'abc123',
tarball: 'https://registry.example.com/foo/-/foo-1.0.0.tgz',
},
},
'2.0.0': {
name: 'foo',
version: '2.0.0',
dist: {
shasum: 'def456',
tarball: 'https://registry.example.com/foo/-/foo-2.0.0.tgz',
},
},
},
time: {
'1.0.0': '2025-01-01T00:00:00.000Z',
'2.0.0': '2025-02-01T00:00:00.000Z',
},
}
expect(() => {
failIfTrustDowngraded(meta, '2.0.0')
}).not.toThrow()
})
test('succeeds for version published before first attested version', () => {
const meta: PackageMetaWithTime = {
name: 'foo',
'dist-tags': { latest: '2.0.0' },
versions: {
'1.0.0': {
name: 'foo',
version: '1.0.0',
dist: {
shasum: 'abc123',
tarball: 'https://registry.example.com/foo/-/foo-1.0.0.tgz',
},
},
'2.0.0': {
name: 'foo',
version: '2.0.0',
dist: {
shasum: 'def456',
tarball: 'https://registry.example.com/foo/-/foo-2.0.0.tgz',
attestations: {
provenance: {
predicateType: 'https://slsa.dev/provenance/v1',
},
},
},
},
},
time: {
'1.0.0': '2025-01-01T00:00:00.000Z',
'2.0.0': '2025-02-01T00:00:00.000Z',
},
}
expect(() => {
failIfTrustDowngraded(meta, '1.0.0')
}).not.toThrow()
})
test('throws an error when downgrading from provenance to none', () => {
const meta: PackageMetaWithTime = {
name: 'foo',
'dist-tags': { latest: '3.0.0' },
versions: {
'1.0.0': {
name: 'foo',
version: '1.0.0',
dist: {
shasum: 'abc123',
tarball: 'https://registry.example.com/foo/-/foo-1.0.0.tgz',
},
},
'2.0.0': {
name: 'foo',
version: '2.0.0',
dist: {
shasum: 'def456',
tarball: 'https://registry.example.com/foo/-/foo-2.0.0.tgz',
attestations: {
provenance: {
predicateType: 'https://slsa.dev/provenance/v1',
},
},
},
},
'3.0.0': {
name: 'foo',
version: '3.0.0',
dist: {
shasum: 'ghi789',
tarball: 'https://registry.example.com/foo/-/foo-3.0.0.tgz',
},
},
},
time: {
'1.0.0': '2025-01-01T00:00:00.000Z',
'2.0.0': '2025-02-01T00:00:00.000Z',
'3.0.0': '2025-03-01T00:00:00.000Z',
},
}
expect(() => {
failIfTrustDowngraded(meta, '3.0.0')
}).toThrow('High-risk trust downgrade')
})
test('does not throw an error when only prerelease versions had provenance', () => {
const meta: PackageMetaWithTime = {
name: 'foo',
'dist-tags': { latest: '3.0.0' },
versions: {
'1.0.0': {
name: 'foo',
version: '1.0.0',
dist: {
shasum: 'abc123',
tarball: 'https://registry.example.com/foo/-/foo-1.0.0.tgz',
},
},
'2.0.0-0': {
name: 'foo',
version: '2.0.0-0',
dist: {
shasum: 'def456',
tarball: 'https://registry.example.com/foo/-/foo-2.0.0-0.tgz',
attestations: {
provenance: {
predicateType: 'https://slsa.dev/provenance/v1',
},
},
},
},
'3.0.0': {
name: 'foo',
version: '3.0.0',
dist: {
shasum: 'ghi789',
tarball: 'https://registry.example.com/foo/-/foo-3.0.0.tgz',
},
},
},
time: {
'1.0.0': '2025-01-01T00:00:00.000Z',
'2.0.0-0': '2025-02-01T00:00:00.000Z',
'3.0.0': '2025-03-01T00:00:00.000Z',
},
}
expect(() => {
failIfTrustDowngraded(meta, '3.0.0')
}).not.toThrow()
})
test('throws an error when downgrading from trustedPublisher to provenance', () => {
const meta: PackageMetaWithTime = {
name: 'foo',
'dist-tags': { latest: '3.0.0' },
versions: {
'1.0.0': {
name: 'foo',
version: '1.0.0',
dist: {
shasum: 'abc123',
tarball: 'https://registry.example.com/foo/-/foo-1.0.0.tgz',
},
},
'2.0.0': {
name: 'foo',
version: '2.0.0',
_npmUser: {
name: 'test-publisher',
email: 'publisher@example.com',
trustedPublisher: {
id: 'test-provider',
oidcConfigId: 'oidc:test-config-123',
},
},
dist: {
shasum: 'def456',
tarball: 'https://registry.example.com/foo/-/foo-2.0.0.tgz',
attestations: {
provenance: {
predicateType: 'https://slsa.dev/provenance/v1',
},
},
},
},
'3.0.0': {
name: 'foo',
version: '3.0.0',
dist: {
shasum: 'ghi789',
tarball: 'https://registry.example.com/foo/-/foo-3.0.0.tgz',
attestations: {
provenance: {
predicateType: 'https://slsa.dev/provenance/v1',
},
},
},
},
},
time: {
'1.0.0': '2025-01-01T00:00:00.000Z',
'2.0.0': '2025-02-01T00:00:00.000Z',
'3.0.0': '2025-03-01T00:00:00.000Z',
},
}
expect(() => {
failIfTrustDowngraded(meta, '3.0.0')
}).toThrow('High-risk trust downgrade')
})
test('throws an error when downgrading from trustedPublisher to none', () => {
const meta: PackageMetaWithTime = {
name: 'foo',
'dist-tags': { latest: '3.0.0' },
versions: {
'1.0.0': {
name: 'foo',
version: '1.0.0',
dist: {
shasum: 'abc123',
tarball: 'https://registry.example.com/foo/-/foo-1.0.0.tgz',
},
},
'2.0.0': {
name: 'foo',
version: '2.0.0',
_npmUser: {
name: 'test-publisher',
email: 'publisher@example.com',
trustedPublisher: {
id: 'test-provider',
oidcConfigId: 'oidc:test-config-123',
},
},
dist: {
shasum: 'def456',
tarball: 'https://registry.example.com/foo/-/foo-2.0.0.tgz',
attestations: {
provenance: {
predicateType: 'https://slsa.dev/provenance/v1',
},
},
},
},
'3.0.0': {
name: 'foo',
version: '3.0.0',
dist: {
shasum: 'ghi789',
tarball: 'https://registry.example.com/foo/-/foo-3.0.0.tgz',
},
},
},
time: {
'1.0.0': '2025-01-01T00:00:00.000Z',
'2.0.0': '2025-02-01T00:00:00.000Z',
'3.0.0': '2025-03-01T00:00:00.000Z',
},
}
expect(() => {
failIfTrustDowngraded(meta, '3.0.0')
}).toThrow('High-risk trust downgrade')
})
test('throws an error when downgrading from stagedPublish to trustedPublisher', () => {
const meta: PackageMetaWithTime = {
name: 'foo',
'dist-tags': { latest: '2.0.0' },
versions: {
'1.0.0': {
name: 'foo',
version: '1.0.0',
_npmUser: {
name: 'test-approver',
email: 'approver@example.com',
approver: {
name: 'test-approver',
email: 'approver@example.com',
},
},
dist: {
shasum: 'abc123',
tarball: 'https://registry.example.com/foo/-/foo-1.0.0.tgz',
attestations: {
provenance: {
predicateType: 'https://slsa.dev/provenance/v1',
},
},
},
},
'2.0.0': {
name: 'foo',
version: '2.0.0',
_npmUser: {
name: 'test-publisher',
email: 'publisher@example.com',
trustedPublisher: {
id: 'test-provider',
oidcConfigId: 'oidc:test-config-123',
},
},
dist: {
shasum: 'def456',
tarball: 'https://registry.example.com/foo/-/foo-2.0.0.tgz',
attestations: {
provenance: {
predicateType: 'https://slsa.dev/provenance/v1',
},
},
},
},
},
time: {
'1.0.0': '2025-01-01T00:00:00.000Z',
'2.0.0': '2025-02-01T00:00:00.000Z',
},
}
expect(() => {
failIfTrustDowngraded(meta, '2.0.0')
}).toThrow('High-risk trust downgrade')
})
test('succeeds when maintaining same trust level', () => {
const meta: PackageMetaWithTime = {
name: 'foo',
'dist-tags': { latest: '3.0.0' },
versions: {
'1.0.0': {
name: 'foo',
version: '1.0.0',
dist: {
shasum: 'abc123',
tarball: 'https://registry.example.com/foo/-/foo-1.0.0.tgz',
},
},
'2.0.0': {
name: 'foo',
version: '2.0.0',
_npmUser: {
name: 'test-publisher',
email: 'publisher@example.com',
trustedPublisher: {
id: 'test-provider',
oidcConfigId: 'oidc:test-config-123',
},
},
dist: {
shasum: 'def456',
tarball: 'https://registry.example.com/foo/-/foo-2.0.0.tgz',
attestations: {
provenance: {
predicateType: 'https://slsa.dev/provenance/v1',
},
},
},
},
'3.0.0': {
name: 'foo',
version: '3.0.0',
_npmUser: {
name: 'test-publisher',
email: 'publisher@example.com',
trustedPublisher: {
id: 'test-provider',
oidcConfigId: 'oidc:test-config-123',
},
},
dist: {
shasum: 'ghi789',
tarball: 'https://registry.example.com/foo/-/foo-3.0.0.tgz',
attestations: {
provenance: {
predicateType: 'https://slsa.dev/provenance/v1',
},
},
},
},
},
time: {
'1.0.0': '2025-01-01T00:00:00.000Z',
'2.0.0': '2025-02-01T00:00:00.000Z',
'3.0.0': '2025-03-01T00:00:00.000Z',
},
}
expect(() => {
failIfTrustDowngraded(meta, '3.0.0')
}).not.toThrow()
})
test('throws an error when version time is missing', () => {
const meta: PackageMetaWithTime = {
name: 'foo',
'dist-tags': { latest: '2.0.0' },
versions: {
'1.0.0': {
name: 'foo',
version: '1.0.0',
dist: {
shasum: 'abc123',
tarball: 'https://registry.example.com/foo/-/foo-1.0.0.tgz',
attestations: {
provenance: {
predicateType: 'https://slsa.dev/provenance/v1',
},
},
},
},
'2.0.0': {
name: 'foo',
version: '2.0.0',
dist: {
shasum: 'def456',
tarball: 'https://registry.example.com/foo/-/foo-2.0.0.tgz',
},
},
},
time: {
'1.0.0': '2025-01-01T00:00:00.000Z',
},
}
expect(() => {
failIfTrustDowngraded(meta, '2.0.0')
}).toThrow('Missing time')
})
})
describe('failIfTrustDowngraded with trustPolicyExclude', () => {
test('allows downgrade when package@version is in exclude list', () => {
const meta: PackageMetaWithTime = {
name: 'foo',
'dist-tags': { latest: '3.0.0' },
versions: {
'2.0.0': {
name: 'foo',
version: '2.0.0',
dist: {
shasum: 'def456',
tarball: 'https://registry.example.com/foo/-/foo-2.0.0.tgz',
attestations: {
provenance: {
predicateType: 'https://slsa.dev/provenance/v1',
},
},
},
},
'3.0.0': {
name: 'foo',
version: '3.0.0',
dist: {
shasum: 'ghi789',
tarball: 'https://registry.example.com/foo/-/foo-3.0.0.tgz',
},
},
},
time: {
'2.0.0': '2025-02-01T00:00:00.000Z',
'3.0.0': '2025-03-01T00:00:00.000Z',
},
}
expect(() => {
failIfTrustDowngraded(meta, '3.0.0', { trustPolicyExclude: createPackageVersionPolicy(['foo@3.0.0']) })
}).not.toThrow()
expect(() => {
failIfTrustDowngraded(meta, '3.0.0')
}).toThrow('High-risk trust downgrade')
})
test('allows downgrade when package name is in exclude list (all versions)', () => {
const meta: PackageMetaWithTime = {
name: 'bar',
'dist-tags': { latest: '3.0.0' },
versions: {
'2.0.0': {
name: 'bar',
version: '2.0.0',
_npmUser: {
name: 'test-publisher',
email: 'publisher@example.com',
trustedPublisher: {
id: 'test-provider',
oidcConfigId: 'oidc:test-config-123',
},
},
dist: {
shasum: 'def456',
tarball: 'https://registry.example.com/bar/-/bar-2.0.0.tgz',
},
},
'3.0.0': {
name: 'bar',
version: '3.0.0',
dist: {
shasum: 'ghi789',
tarball: 'https://registry.example.com/bar/-/bar-3.0.0.tgz',
},
},
},
time: {
'2.0.0': '2025-02-01T00:00:00.000Z',
'3.0.0': '2025-03-01T00:00:00.000Z',
},
}
expect(() => {
failIfTrustDowngraded(meta, '3.0.0', { trustPolicyExclude: createPackageVersionPolicy(['bar']) })
}).not.toThrow()
})
test('does not fail with ERR_PNPM_MISSING_TIME when package@version is excluded and time field is missing', () => {
const meta = {
name: 'baz',
'dist-tags': { latest: '1.0.0' },
versions: {
'1.0.0': {
name: 'baz',
version: '1.0.0',
dist: {
shasum: 'abc123',
tarball: 'https://registry.example.com/baz/-/baz-1.0.0.tgz',
},
},
},
// Note: no 'time' field
}
expect(() => {
failIfTrustDowngraded(meta, '1.0.0', { trustPolicyExclude: createPackageVersionPolicy(['baz@1.0.0']) })
}).not.toThrow()
})
test('does not fail with ERR_PNPM_MISSING_TIME when package name is excluded and time field is missing', () => {
const meta = {
name: 'qux',
'dist-tags': { latest: '2.0.0' },
versions: {
'1.0.0': {
name: 'qux',
version: '1.0.0',
dist: {
shasum: 'abc123',
tarball: 'https://registry.example.com/qux/-/qux-1.0.0.tgz',
},
},
'2.0.0': {
name: 'qux',
version: '2.0.0',
dist: {
shasum: 'def456',
tarball: 'https://registry.example.com/qux/-/qux-2.0.0.tgz',
},
},
},
// Note: no 'time' field
}
expect(() => {
failIfTrustDowngraded(meta, '2.0.0', { trustPolicyExclude: createPackageVersionPolicy(['qux']) })
}).not.toThrow()
})
})
describe('failIfTrustDowngraded with trustPolicyIgnoreAfter', () => {
test('allows downgrade when version is older than ignoreAfter threshold', () => {
const meta: PackageMetaWithTime = {
name: 'foo',
'dist-tags': { latest: '3.0.0' },
versions: {
'2.0.0': {
name: 'foo',
version: '2.0.0',
dist: {
shasum: 'def456',
tarball: 'https://registry.example.com/foo/-/foo-2.0.0.tgz',
attestations: {
provenance: {
predicateType: 'https://slsa.dev/provenance/v1',
},
},
},
},
'3.0.0': {
name: 'foo',
version: '3.0.0',
dist: {
shasum: 'ghi789',
tarball: 'https://registry.example.com/foo/-/foo-3.0.0.tgz',
},
},
},
time: {
'2.0.0': '2025-02-01T00:00:00.000Z',
'3.0.0': '2025-03-01T00:00:00.000Z',
},
}
expect(() => {
failIfTrustDowngraded(meta, '3.0.0', { trustPolicyIgnoreAfter: 60 * 24 * 30 }) // 30 days
}).not.toThrow()
expect(() => {
failIfTrustDowngraded(meta, '3.0.0')
}).toThrow('High-risk trust downgrade')
})
})
Reference in New Issue View Git Blame Copy Permalink