fix: default to no trust (#24)

Author: 43081j

main.js

@@ -24159,7 +24159,7 @@ function getBaseRef() {
 var core2 = __toESM(require_core(), 1);
 function getProvenance(meta) {
   if (meta._npmUser?.trustedPublisher) {
-    return "trusted";
+    return "trusted-with-provenance";
   }
   if (meta.dist?.attestations?.provenance) {
     return "provenance";
@@ -24168,7 +24168,7 @@ function getProvenance(meta) {
 }
 function getTrustLevel(status) {
   switch (status) {
-    case "trusted":
+    case "trusted-with-provenance":
       return 2;
     case "provenance":
       return 1;
@@ -24189,14 +24189,16 @@ async function getProvenanceForPackageVersions(packageName, versions) {
   return result;
 }
 function getMinTrustLevel(statuses) {
-  const result = { level: 2, status: "trusted" };
+  let result = null;
   for (const status of statuses) {
     const level = getTrustLevel(status);
-    if (level < result.level) {
-      result.level = level;
-      result.status = status;
+    if (result === null || level < result.level) {
+      result = { level, status };
     }
   }
+  if (!result) {
+    return { level: 0, status: "none" };
+  }
   return result;
 }
 var metaCache = /* @__PURE__ */ new Map();
@@ -24536,7 +24538,7 @@ ${packageRows}`
       if (!baseVersionSet || baseVersionSet.size === 0) {
         continue;
       }
-      if (baseVersionSet.isSubsetOf(currentVersionSet)) {
+      if (currentVersionSet.isSubsetOf(baseVersionSet)) {
         continue;
       }
       try {

src/main.ts

@@ -212,7 +212,7 @@ ${packageRows}`
         continue;
       }
 
-      if (baseVersionSet.isSubsetOf(currentVersionSet)) {
+      if (currentVersionSet.isSubsetOf(baseVersionSet)) {
         continue;
       }
 

src/npm.ts

@@ -22,11 +22,14 @@ export interface PackageIndex {
   versions: Record<string, PackageMetadata>;
 }
 
-export type ProvenanceStatus = 'trusted' | 'provenance' | 'none';
+export type ProvenanceStatus =
+  | 'trusted-with-provenance'
+  | 'provenance'
+  | 'none';
 
 export function getProvenance(meta: PackageMetadata): ProvenanceStatus {
   if (meta._npmUser?.trustedPublisher) {
-    return 'trusted';
+    return 'trusted-with-provenance';
   }
   if (meta.dist?.attestations?.provenance) {
     return 'provenance';
@@ -36,7 +39,7 @@ export function getProvenance(meta: PackageMetadata): ProvenanceStatus {
 
 export function getTrustLevel(status: ProvenanceStatus): number {
   switch (status) {
-    case 'trusted':
+    case 'trusted-with-provenance':
       return 2;
     case 'provenance':
       return 1;
@@ -69,14 +72,16 @@ export interface MinTrustLevelResult {
 export function getMinTrustLevel(
   statuses: Iterable<ProvenanceStatus>
 ): MinTrustLevelResult {
-  const result: MinTrustLevelResult = {level: 2, status: 'trusted'};
+  let result: MinTrustLevelResult | null = null;
   for (const status of statuses) {
     const level = getTrustLevel(status);
-    if (level < result.level) {
-      result.level = level;
-      result.status = status;
+    if (result === null || level < result.level) {
+      result = {level, status};
     }
   }
+  if (!result) {
+    return {level: 0, status: 'none'};
+  }
   return result;
 }