PNPM Trust Policy: High-risk trust downgrade for "tailwindcss@3.4.18" (possible package takeover)

[ngrippa-bo]

What version of Tailwind CSS are you using?

v3.4.18

What build tool (or framework if it abstracts the build tool) are you using?

Nuxt

What version of Node.js are you using?

v24.11.1

What browser are you using?

N/A

What operating system are you using?

Windows

Describe your issue

• Do not have a trust policy set in pnpm-workspace.yaml
• pnpm add tailwindcss@3 (installs 3.4.18)
• Enable trustPolicy: no-downgrade
• Run pnpm update tailwindcss

 ERR_PNPM_TRUST_DOWNGRADE  High-risk trust downgrade for "tailwindcss@3.4.18" (possible package takeover)

Trust checks are based solely on publish date, not semver. A package cannot be installed if any earlier-published version had stronger trust evidence. Earlier versions had provenance attestation, but this version has no trust evidence. A trust downgrade may indicate a supply chain incident.

Is this intendet, did you change something in your publishing process or does this indeed indicate a possible package takeover?

[coderabbitai]

📝 CodeRabbit Plan Mode

Generate an implementation plan and agent prompts for this issue.

• Create Plan

Examples

• Example 1
• Example 2

🔗 Similar & Duplicate Issues

Related Issues

• tailwindlabs/tailwindcss#18903
• tailwindlabs/tailwindcss#19327
• tailwindlabs/tailwindcss#19352
• tailwindlabs/tailwindcss#18389
• tailwindlabs/tailwindcss#18381
• tailwindlabs/tailwindcss#18366

👤 Suggested Assignees

• browner12
• ajuvonen
• dickyindra
• reidjs
• Tamas-hi

---

🧪 Issue enrichment is currently in early access.

To disable automatic issue enrichment, add the following to your .coderabbit.yaml:

issue_enrichment:
  auto_enrich:
    enabled: false

[thecrypticace]

No, we haven't changed anything about our publishing setup. You can't publish over existing versions in NPM either. I don't know how this error/warning is determined. Maybe because we changed how our 4.x releases work (compared to v3) and there have been 4.x releases before and after the v3.4.18 version (meaning: before/after in date not version number)?

A number of people have complained about the way this check works and the wording of it: pnpm/pnpm#10202

I'll see if I can figure out how to tweak the publishing process for v3.x line this week (need to tag a patch release) to see if I can make this message go away.

[ngrippa-bo]

Thanks for the quick look!

(meaning: before/after in date not version number)?

I am indeed quite sure that this is the reason. pnpm explicitly states they mostly go by date, not semver.

Would be great to have the @3 releases to use the same process as @4, in times of ongoing supply chain attacks, a provenance attestation would be a great thing for version 3 as well.

[karlhorky]

Would be great to have the @3 releases to use the same process as @4, in times of ongoing supply chain attacks, a provenance attestation would be a great thing for version 3 as well.

Yes, it appears that this is one of the implied suggestions of the pnpm team with @zkochan's comment over here (the other suggestion is for users to configure trustPolicyExclude for Tailwind CSS v3):

This works as intended. If someone gets access to an auth token to release the package, what prevents them from releasing any version of it? The only reliable data we can use is to check the date of the publish.

If you want to ignore that, you can use trustPolicyExclude.

and the new message added by @btea in https://github.com/pnpm/pnpm/pull/10203/files:

Trust checks are based solely on publish date, not semver. A package cannot be installed if any earlier-published version had stronger trust evidence. Earlier versions had provenance attestation, but this version has no trust evidence. A trust downgrade may indicate a supply chain incident.

So in this case, Tailwind CSS v4 releases added provenance at some point but then some v3 releases without provenance were published after that point.

@thecrypticace what does the Tailwind CSS team think of adding provenance to new releases in the v3 release line?

Edit: Oh, I see that you mentioned that you'll take a look:

I'll see if I can figure out how to tweak the publishing process for v3.x line this week (need to tag a patch release) to see if I can make this message go away.