undici-types@6 published without provenance
latest versions of undici-types@6 have been published without provenance, after it was published with provenance before. This loss of provenance is causing an error when using pnpm's new trustPolicy no-downgrade option.
https://www.npmjs.com/package/undici-types?activeTab=versions https://github.com/pnpm/pnpm/issues/8889#issuecomment-3510609448
ERR_PNPM_TRUST_DOWNGRADE High-risk trust downgrade for "[email protected]" (possible package takeover)
This error happened while installing the dependencies of @types/[email protected]
(happened when running pnpm dedupe)
sidenote: [email protected] exists, but no matching undici-types version.
v6 is no longer under active maintenance; please consider moving to v7.
cc: @mcollina
It's a dependency of @types/node@22, so moving to 7 isn't an option, I think.
Also would like to understand how undici v6 isn't actively maintained if it's still used by node22 and the last release was a month ago.
pnpm 10.22 added an option to ignore loss of provenance for specific versions so it can be worked around by users now.
I hope you still look into how this occurred and restore provenance in future releases. If the signature isn't reliable, then it loses its value.
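To make the "trust downgrade" rule from the original report and the per-version opt-out mentioned just above concrete, here is an added example in Python. It is not pnpm's code and not the undici project's; it models the check an installer can run over registry metadata before fetching a tarball. Assumptions: the packument shape `versions[<ver>].dist.attestations.provenance` is the registry's marker for a version published with provenance, the sample version list is constructed (only the 6.13.0-6.19.2 / 6.21.0 split mirrors what the thread says), the downgrade rule is applied across all versions of the package in numeric order, and `exclude` is a hypothetical stand-in for the allowlist option, not pnpm's actual setting name.

```python
"""Detect provenance downgrades in an npm packument (registry version metadata).

Added illustration, not pnpm's or undici's code. Rule modelled here: once any
version of a package has been published with provenance, a later version that
lacks it is a "trust downgrade" unless it has been explicitly excluded.
"""
import json
from typing import List, Tuple

# Constructed sample modelled on the registry packument shape; versions and
# URLs are illustrative, not a copy of the real undici-types metadata.
SAMPLE_PACKUMENT = json.loads("""
{
  "name": "undici-types",
  "versions": {
    "6.21.0": {"dist": {"tarball": "https://registry.example/undici-types-6.21.0.tgz"}},
    "6.12.0": {"dist": {"tarball": "https://registry.example/undici-types-6.12.0.tgz"}},
    "6.13.0": {"dist": {"tarball": "https://registry.example/undici-types-6.13.0.tgz",
                        "attestations": {"url": "https://registry.example/-/npm/v1/attestations/undici-types@6.13.0",
                                         "provenance": {"predicateType": "https://slsa.dev/provenance/v1"}}}},
    "6.19.2": {"dist": {"tarball": "https://registry.example/undici-types-6.19.2.tgz",
                        "attestations": {"url": "https://registry.example/-/npm/v1/attestations/undici-types@6.19.2",
                                         "provenance": {"predicateType": "https://slsa.dev/provenance/v1"}}}},
    "7.1.0":  {"dist": {"tarball": "https://registry.example/undici-types-7.1.0.tgz",
                        "attestations": {"url": "https://registry.example/-/npm/v1/attestations/undici-types@7.1.0",
                                         "provenance": {"predicateType": "https://slsa.dev/provenance/v1"}}}}
  }
}
""")


def parse_version(version: str) -> Tuple[int, ...]:
    """Order X.Y.Z releases numerically. Pre-release tags (e.g. 7.0.0-rc.1) are
    dropped to keep the example short, so this is a simplification of semver."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def has_provenance(version_entry: dict) -> bool:
    """A version counts as published with provenance when the registry records a
    provenance attestation for it (assumed registry shape, see module docstring)."""
    attestations = version_entry.get("dist", {}).get("attestations") or {}
    return "provenance" in attestations


def find_downgrades(packument: dict, exclude: frozenset = frozenset()) -> List[str]:
    """Return versions that lack provenance although an earlier version had it.
    `exclude` is a hypothetical per-version allowlist, like the opt-out the
    thread mentions; excluded versions are reported as acceptable."""
    versions = sorted(packument["versions"], key=parse_version)
    seen_provenance = False
    downgrades: List[str] = []
    for version in versions:
        if has_provenance(packument["versions"][version]):
            seen_provenance = True
        elif seen_provenance and version not in exclude:
            downgrades.append(version)
    return downgrades


def check_version(packument: dict, requested: str, exclude: frozenset = frozenset()) -> str:
    """Decide for one requested version, as an installer would before fetching
    the tarball: 'ok', 'excluded' (allowlisted) or 'downgrade' (refuse)."""
    if requested in exclude:
        return "excluded"
    return "downgrade" if requested in find_downgrades(packument) else "ok"


if __name__ == "__main__":
    name = SAMPLE_PACKUMENT["name"]
    for v in sorted(SAMPLE_PACKUMENT["versions"], key=parse_version):
        print(f"{name}@{v}: {check_version(SAMPLE_PACKUMENT, v)}")
    print("with 6.21.0 excluded:", check_version(SAMPLE_PACKUMENT, "6.21.0", frozenset({"6.21.0"})))
```

Note that a version published before the package ever had provenance (6.12.0 in the sample) is not flagged: the rule only fires once a trust level has been established and then dropped, which is why the thread's 6.21.0 trips it while older releases do not.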
v6 is in maintenance.
Maintaining this level of automation requires a significant amount of work that a few trusted individuals must do. Considering that we release very few versions of v6, the chances are that the automation will be broken by the time we need it, or it will not be particularly trustworthy.
The fact that pnpm shipped this change publicly and started pushing for it is their choice. This was not a requirement when the last release of v6 was made.
If so, how/why were you able to publish 6.13.0–6.19.2 with provenance? What is the difference? All you should do is just to publish the same content as 6.21.0 following the workflow in 6.13.0–6.19.2 or 7.1.0+.