
Handle pnpm ERR_PNPM_TRUST_DOWNGRADE by silently skipping untrusted versions#14150

Merged: thavaahariharangit merged 7 commits into main from harry/handle-pnpm-trust-downgrade-error on Feb 16, 2026

Conversation

@thavaahariharangit (Contributor) commented Feb 10, 2026

What are you trying to accomplish?

Handle pnpm's ERR_PNPM_TRUST_DOWNGRADE error so Dependabot silently skips dependency versions that fail pnpm's supply chain trust checks, instead of recording a failed update.

pnpm v10+ includes a trust policy feature that blocks installation when a newer package version has weaker trust evidence than a previously installed version (e.g., lost provenance attestation). When this occurs during a Dependabot update run, the ERR_PNPM_TRUST_DOWNGRADE error would previously bubble up as a dependency_file_not_resolvable failure.

Anything you want to highlight for special attention from reviewers?

How will you know you've accomplished your goal?

Before this fix:
Ref: https://github.com/thake/pnpm-trustPolicy-demo/actions/runs/21659657181/job/62441720665

After this fix:
End-to-end validation against thake/pnpm-trustPolicy-demo using script/dependabot update -f input.json shows the dependency silently skipped with a clean finish message and no error recorded.

updater | 2026/02/10 16:54:02 ERROR Error running package manager command: corepack pnpm update chokidar@4.0.3  --lockfile-only --no-save -r, Error:  ERR_PNPM_TRUST_DOWNGRADE  High-risk trust downgrade for "chokidar@4.0.3" (possible package takeover)
updater | 
updater | This error happened while installing a direct dependency of /home/dependabot/dependabot-updater/repo
updater | 
updater | Trust checks are based solely on publish date, not semver. A package cannot be installed if any earlier-published version had stronger trust evidence. Earlier versions had provenance attestation, but this version has no trust evidence. A trust downgrade may indicate a supply chain incident.
updater | 2026/02/10 16:54:02 WARN  ERR_PNPM_TRUST_DOWNGRADE  High-risk trust downgrade for "chokidar@4.0.3" (possible package takeover)
updater | 
updater | This error happened while installing a direct dependency of /home/dependabot/dependabot-updater/repo
updater | 
updater | Trust checks are based solely on publish date, not semver. A package cannot be installed if any earlier-published version had stronger trust evidence. Earlier versions had provenance attestation, but this version has no trust evidence. A trust downgrade may indicate a supply chain incident.
updater | 2026/02/10 16:54:02 INFO Handled error whilst updating chokidar: inconsistent_registry_response pnpm trust downgrade detected for "chokidar@4.0.3". A previously published version had provenance attestation, but the target version does not.
  proxy | 2026/02/10 16:54:02 [026] POST http://host.docker.internal:35239/update_jobs/cli/record_ecosystem_meta
{"data":[{"ecosystem":{"name":"npm_and_yarn","package_manager":{"name":"pnpm","version":"10.28.2","raw_version":"10.28.2"},"language":{"name":"node","version":"24.13.0","raw_version":"24.13.0"}}}],"type":"record_ecosystem_meta"}
  proxy | 2026/02/10 16:54:02 [026] 200 http://host.docker.internal:35239/update_jobs/cli/record_ecosystem_meta
  proxy | 2026/02/10 16:54:02 [027] PATCH http://host.docker.internal:35239/update_jobs/cli/mark_as_processed
{"data":{"base-commit-sha":"253cd6d6cec88644870545d2016f45ea4ee6f739"},"type":"mark_as_processed"}
  proxy | 2026/02/10 16:54:02 [027] 200 http://host.docker.internal:35239/update_jobs/cli/mark_as_processed
updater | 2026/02/10 16:54:02 INFO Finished job processing
  proxy | 2026/02/10 16:54:03 Skipping sending metrics because api endpoint is empty
  proxy | 2026/02/10 16:54:03 2/11 calls cached (18%)

Checklist

  • I have run the complete test suite to ensure all tests and linters pass.
  • I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
  • I have written clear and descriptive commit messages.
  • I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
  • I have ensured that the code is well-documented and easy to understand.
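Dependabot's updater is written in Ruby, so the following is a small Ruby illustration of the classification this PR describes. It is an added example, not code from this PR or from dependabot-core; the names UpdateOutcome, classify_pnpm_failure and parse_trust_downgrade, and both sample stderr strings, are assumptions constructed for the example. It recognises ERR_PNPM_TRUST_DOWNGRADE in pnpm's stderr, extracts the package and version, and reports a handled, skipped outcome carrying the inconsistent_registry_response type seen in the log above, while any other failure stays on the dependency_file_not_resolvable path.

```ruby
# Added example (not code from dependabot-core or this PR): classify a pnpm
# update failure so that ERR_PNPM_TRUST_DOWNGRADE is recorded as a handled,
# skipped update rather than as dependency_file_not_resolvable.
# Names such as UpdateOutcome and classify_pnpm_failure are assumptions.

TRUST_DOWNGRADE_CODE = "ERR_PNPM_TRUST_DOWNGRADE".freeze

# Matches the spec pnpm prints, e.g.
#   ERR_PNPM_TRUST_DOWNGRADE  High-risk trust downgrade for "chokidar@4.0.3" (...)
# The optional leading "@" in the name group admits scoped packages such as
# "@scope/pkg@1.0.0" (a name may contain "/", but never a second "@").
TRUST_DOWNGRADE_RE = /#{TRUST_DOWNGRADE_CODE}\s+High-risk trust downgrade for "(?<name>@?[^"@]+)@(?<version>[^"]+)"/

# One classified pnpm run. `handled` true means: skip this version quietly,
# but keep error_type/message so the job log still shows the trust signal.
UpdateOutcome = Struct.new(:handled, :error_type, :dependency, :version, :message,
                           keyword_init: true)

def trust_downgrade?(stderr)
  stderr.include?(TRUST_DOWNGRADE_CODE)
end

# Returns { name:, version: } or nil when the output is not a trust downgrade.
def parse_trust_downgrade(stderr)
  m = TRUST_DOWNGRADE_RE.match(stderr)
  return nil unless m

  { name: m[:name], version: m[:version] }
end

def classify_pnpm_failure(stderr)
  spec = parse_trust_downgrade(stderr)
  if spec
    UpdateOutcome.new(
      handled: true,
      error_type: "inconsistent_registry_response",
      dependency: spec[:name],
      version: spec[:version],
      message: "pnpm trust downgrade detected for \"#{spec[:name]}@#{spec[:version]}\". " \
               "A previously published version had provenance attestation, but the target version does not."
    )
  else
    # Anything else keeps the previous behaviour: surface it as an unresolvable update.
    UpdateOutcome.new(handled: false, error_type: "dependency_file_not_resolvable",
                      message: stderr.lines.first.to_s.strip)
  end
end

# Constructed sample stderr, reproducing the wording pnpm printed in the PR's log.
SAMPLE_TRUST_DOWNGRADE_STDERR = <<~ERR
  ERR_PNPM_TRUST_DOWNGRADE  High-risk trust downgrade for "chokidar@4.0.3" (possible package takeover)

  This error happened while installing a direct dependency of /home/dependabot/dependabot-updater/repo

  Trust checks are based solely on publish date, not semver. A package cannot be installed if any earlier-published version had stronger trust evidence. Earlier versions had provenance attestation, but this version has no trust evidence. A trust downgrade may indicate a supply chain incident.
ERR

# Constructed sample of an unrelated failure (code and wording made up for the example).
SAMPLE_OTHER_FAILURE_STDERR = <<~ERR
  ERR_PNPM_NO_MATCHING_VERSION  No matching version found for example-pkg@99.0.0
ERR

if __FILE__ == $PROGRAM_NAME
  puts classify_pnpm_failure(SAMPLE_TRUST_DOWNGRADE_STDERR).to_h
  puts classify_pnpm_failure(SAMPLE_OTHER_FAILURE_STDERR).to_h
end
```

Keeping the error type and message in the outcome matters from a defender's point of view: skipping the version avoids a failed update, but the job log still records that a newer release lost the provenance earlier releases had, which is exactly the condition pnpm flags as a possible supply chain incident.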

@thavaahariharangit thavaahariharangit requested a review from a team as a code owner February 10, 2026 16:31
@thavaahariharangit thavaahariharangit marked this pull request as draft February 10, 2026 16:31
@thavaahariharangit thavaahariharangit marked this pull request as ready for review February 10, 2026 17:29
@yeikel (Contributor) commented Feb 10, 2026

Any chance you can create an Integration test for this to prove the fix end to end and prevent future regressions?

I fear that these mocked scenarios may be very easy to regress in the future without proper E2E backing

@thavaahariharangit (Contributor, Author) commented:

> Any chance you can create an Integration test for this to prove the fix end to end and prevent future regressions?
>
> I fear that these mocked scenarios may be very easy to regress in the future without proper E2E backing

Thanks @yeikel. E2E validation is handled in a different repository, but I'll make sure the corresponding tests are updated there to cover this fix.

@kbukum1 (Contributor) left a comment

LGTM

@thavaahariharangit thavaahariharangit merged commit 84b63be into main Feb 16, 2026
93 checks passed
@thavaahariharangit thavaahariharangit deleted the harry/handle-pnpm-trust-downgrade-error branch February 16, 2026 09:32
