@davecardwell

[`pnpm` v10.21](https://github.com/pnpm/pnpm/releases/tag/v10.21.0) adds `trustPolicy`:
> When set to `no-downgrade`, pnpm will fail installation if a package’s trust level has decreased compared to previous releases — for example, if it was previously published by a trusted publisher but now only has provenance or no trust evidence.
> This helps prevent installing potentially compromised versions of a package.

Sounds like a _better default_ to me!
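The downgrade check described in the release notes, modelled as an added example (this is not pnpm's own code): trust levels are ranked `none` < `provenance` < `trusted-publisher`, and a candidate version is refused when it ranks below the best level seen among the package's earlier releases. The numeric ranking, the choice to compare against the best prior level rather than only the immediately preceding release, and the sample release history are this example's assumptions.

```javascript
'use strict';

// Trust levels ordered from weakest to strongest evidence. The names follow the
// release-note text; the numeric ranks are this example's modelling choice.
const TRUST_RANK = Object.freeze({
  'none': 0,               // no trust evidence at all
  'provenance': 1,         // build provenance attestation only
  'trusted-publisher': 2,  // published through a trusted publisher
});

function rank(level) {
  if (!Object.prototype.hasOwnProperty.call(TRUST_RANK, level)) {
    throw new Error(`unknown trust level: ${level}`);
  }
  return TRUST_RANK[level];
}

// Highest trust level seen across a package's earlier releases (assumed baseline).
function highestPriorTrust(history) {
  return history.reduce(
    (best, rel) => (rank(rel.trust) > rank(best) ? rel.trust : best), 'none');
}

// Models the no-downgrade check: refuse the candidate version when its trust
// level ranks below the baseline established by previous releases.
function evaluateNoDowngrade(pkgName, history, candidate) {
  const baseline = highestPriorTrust(history);
  const ok = rank(candidate.trust) >= rank(baseline);
  const tag = `${pkgName}@${candidate.version}`;
  return {
    ok,
    baseline,
    reason: ok
      ? `${tag}: trust level ${candidate.trust} (baseline ${baseline}), install allowed`
      : `${tag}: trust level dropped from ${baseline} to ${candidate.trust}, install refused`,
  };
}

// Constructed sample release history; not real registry metadata.
const SAMPLE_HISTORY = [
  { version: '1.0.0', trust: 'provenance' },
  { version: '1.1.0', trust: 'trusted-publisher' },
];

// Demo: a release that keeps its trust level passes, one that loses it is refused.
for (const candidate of [
  { version: '1.2.0', trust: 'trusted-publisher' },
  { version: '1.2.1', trust: 'none' },
]) {
  console.log(evaluateNoDowngrade('example-pkg', SAMPLE_HISTORY, candidate).reason);
}
```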
Copilot AI review requested due to automatic review settings November 15, 2025 14:20
@davecardwell davecardwell changed the title Default trustProfile to no-downgrade feat: set trustProfile to no-downgrade Nov 15, 2025

Copilot AI left a comment

Pull Request Overview

This PR adds trustPolicy: 'no-downgrade' as a default configuration setting for pnpm, which helps prevent installing potentially compromised package versions by failing installation if a package's trust level decreases. Note: The PR title contains a typo - it mentions trustProfile but the actual configuration name is trustPolicy.

Key Changes:

  • Added trustPolicy: 'no-downgrade' to the default pnpm configuration

@davecardwell davecardwell changed the title feat: set trustProfile to no-downgrade feat: set trustPolicy to no-downgrade Nov 15, 2025