bug: `ERR_PNPM_TRUST_DOWNGRADE` caused by `chokidar@4.0.3` warning when installing with new `pnpm@10.24.0`

[nekomeowww]

Environment

npx envinfo --system --binaries
npm warn Unknown user config "unsafe-perm". This will stop working in the next major version of npm.

  System:
    OS: macOS 15.5
    CPU: (10) arm64 Apple M1 Pro
    Memory: 177.06 MB / 16.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 24.11.0 - /Users/neko/.volta/tools/image/node/24.11.0/bin/node
    Yarn: 1.22.19 - /Users/neko/.volta/tools/image/yarn/1.22.19/bin/yarn
    npm: 11.6.1 - /Users/neko/.volta/tools/image/node/24.11.0/bin/npm
    pnpm: 10.24.0 - /Users/neko/.volta/bin/pnpm
    bun: 1.2.22 - /opt/homebrew/bin/bun
    Deno: 2.4.5 - /opt/homebrew/bin/deno
    Watchman: 2025.11.10.00 - /opt/homebrew/bin/watchman

Reproduction

I think I cannot create pnpm with pnpm@10.24.0 in StackBlitz (now bolt.new). But pnpm@10.24.0 is all you need.

{
  "name": "test",
  "type": "module",
  "packageManager": "pnpm@10.24.0",
  "dependencies": {
    "c12": "catalog:"
  }
}

trustPolicy: no-downgrade
shellEmulator: true
cleanupUnusedCatalogs: true
catalogMode: prefer
catalog:
  c12: ^3.3.2

Describe the bug

We should migrate to use the newest version of chokidar@5.0.0.

Workaround:

trustPolicy: no-downgrade
trustPolicyExclude:
  - chokidar@4.0.3

pnpm/pnpm#10202

Additional context

https://github.com/pnpm/pnpm/releases/tag/v10.24.0

Logs

ERR_PNPM_TRUST_DOWNGRADE  High-risk trust downgrade for "chokidar@4.0.3" (possible package takeover)

This error happened while installing the dependencies of bumpp@10.3.2
 at c12@3.3.2

Trust checks are based solely on publish date, not semver. A package cannot be installed if any earlier-published version had stronger trust evidence. Earlier versions had provenance attestation, but this version has no trust evidence. A trust downgrade may indicate a supply chain incident.

[karlhorky]

As per pnpm issue #10202, including Zoltan's comment over here, the feature is intended to work this way (once any version of a package has provenance, then all other versions which have been published afterwards - even if they are a different major version - will fail the trustPolicy check):

Describe the Bug

When set to no-downgrade, pnpm will fail if a package's trust level has decreased compared to previous releases.

semver@6 was never released with provenance. So it isn't a downgrade.

semver@7 with provenance was released before and after @6.3.1 which seems to be causing the issue.

Expected Behavior

no-downgrade should check the same major version

This works as intended. If someone gets access to an auth token to release the package, what prevents them from releasing any version of it? The only reliable data we can use is to check the date of the publish.

If you want to ignore that, you can use trustPolicyExclude.

So probably this should be reported to chokidar, since provenance was not present with versions 4.0.2 and 4.0.3:

[karlhorky]

Oh it appears it has already been reported to chokidar, and the recommended solution is to upgrade to 5.0.0:

• Provenance is missing in 4.0.2 & 4.0.3 paulmillr/chokidar#1440 (comment)