no-downgrade false positive with staged publishing #11887

@sxzz

Description

Verify latest release

  • I verified that the issue exists in the latest pnpm release

pnpm version

11.x

Which area(s) of pnpm are affected? (leave empty if unsure)

No response

Link to the code that reproduces this issue or a replay of the bug

N/A

Reproduction steps

Install [email protected]

minimumReleaseAge: 0
trustPolicy: no-downgrade

Describe the Bug

trustPolicy: no-downgrade appears to determine whether a package version was published with trusted publishing by checking the npm package metadata field _npmUser.

However, after npm introduced staged publishing, _npmUser may refer to the npm user who approved the staged publish, rather than reflecting whether the package was originally published via trusted publishing.

As a result, packages that use trusted publishing can trigger a no-downgrade warning/error merely because staged publishing is enabled and the staged release was approved by an npm user.

This creates a false alert: the package did not actually downgrade from trusted publishing to classic token/user publishing, but pnpm treats it as such.

npm issue: community/community#196675 (comment)

Expected Behavior

trustPolicy: no-downgrade should not treat staged publishing approval as a downgrade from trusted publishing.

Which Node.js version are you using?

N/A

Which operating systems have you used?

  • macOS
  • Windows
  • Linux

If your OS is a Linux based, which one it is? (Include the version if relevant)

No response
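To make the failure mode in the report concrete, here is an added example (not part of the original issue and not pnpm's code) that runs a no-downgrade style scan over a constructed packument fragment twice: once deciding "trusted publishing" from `_npmUser`, as the report says pnpm does, and once from the `dist.attestations` provenance block the registry attaches to a version. Assumptions, all labelled in the code: trusted publishing stamps `_npmUser` with a service identity such as "GitHub Actions"; a staged release that was approved by a human still carries its provenance attestation; the package name, tarball URLs, attestation URL and predicate type string are made up. Only the `_npmUser`-based check flags the staged release.

```javascript
// Added example, not pnpm's code: contrasts a _npmUser-based trusted-publishing
// check with one based on the registry's provenance attestation, using a
// constructed packument fragment shaped like an npm registry response.

// Assumption: trusted publishing stamps _npmUser with a service identity such
// as "GitHub Actions" rather than a human account. Names here are illustrative.
const TRUSTED_PUBLISHER_USERS = new Set(['GitHub Actions', 'GitLab CI/CD']);

// Constructed sample attestation block. The registry field is dist.attestations
// with a provenance.predicateType; the URL and predicate value are illustrative.
const SAMPLE_ATTESTATIONS = {
  url: 'https://registry.example/-/npm/v1/attestations/example-pkg@1.1.0',
  provenance: { predicateType: 'https://slsa.dev/provenance/v1' },
};

// Constructed packument fragment with three releases of one package.
const PACKUMENT = {
  name: 'example-pkg',
  versions: {
    // 1.0.0: classic publish with a user token; no attestation.
    '1.0.0': {
      _npmUser: { name: 'alice', email: 'alice@example.com' },
      dist: { tarball: 'https://registry.example/example-pkg-1.0.0.tgz' },
    },
    // 1.1.0: trusted publishing, released directly; service identity + attestation.
    '1.1.0': {
      _npmUser: { name: 'GitHub Actions', email: 'npm-oidc-no-reply@github.com' },
      dist: { tarball: 'https://registry.example/example-pkg-1.1.0.tgz', attestations: SAMPLE_ATTESTATIONS },
    },
    // 1.2.0: trusted publishing with staged publishing; the human who approved
    // the stage shows up in _npmUser (the situation the issue describes).
    // Assumption: the provenance attestation is still attached.
    '1.2.0': {
      _npmUser: { name: 'alice', email: 'alice@example.com' },
      dist: { tarball: 'https://registry.example/example-pkg-1.2.0.tgz', attestations: SAMPLE_ATTESTATIONS },
    },
  },
};

// Check A: decide from _npmUser (the heuristic the issue says pnpm relies on).
function isTrustedByNpmUser(versionMeta) {
  return TRUSTED_PUBLISHER_USERS.has(versionMeta._npmUser?.name ?? '');
}

// Check B: decide from the provenance attestation the registry attaches to the
// version; this does not depend on which account approved a staged release.
function isTrustedByAttestation(versionMeta) {
  const predicateType = versionMeta.dist?.attestations?.provenance?.predicateType;
  return typeof predicateType === 'string' &&
    predicateType.startsWith('https://slsa.dev/provenance/');
}

// Numeric compare of plain MAJOR.MINOR.PATCH strings (no prerelease handling).
function compareSemver(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Walk releases in version order and flag each one that is not trusted
// although an earlier release was: a "downgrade" in the no-downgrade sense.
function findDowngrades(packument, isTrusted) {
  const flagged = [];
  let seenTrusted = false;
  for (const ver of Object.keys(packument.versions).sort(compareSemver)) {
    const trusted = isTrusted(packument.versions[ver]);
    if (seenTrusted && !trusted) flagged.push(ver);
    seenTrusted = seenTrusted || trusted;
  }
  return flagged;
}

console.log('by _npmUser    :', findDowngrades(PACKUMENT, isTrustedByNpmUser));     // ['1.2.0'] false positive
console.log('by attestation :', findDowngrades(PACKUMENT, isTrustedByAttestation)); // []
```

Running the script prints `['1.2.0']` for the `_npmUser` scan and `[]` for the attestation scan: the same staged release is a "downgrade" under one reading of the metadata and a normal trusted release under the other. Whether the attestation survives staged approval on the live registry is the assumption a fix would need to confirm.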
