@react-router/dev requires trustPolicyExclude in pnpm #14991

@MonstraG

Description

Reproduction

pnpm 9 || 10 doesn't work on stackblitz, so no repro there.

  1. create package.json:

     {
     	"name": "my-new-package",
     	"packageManager": "pnpm@10.33.0",
     	"devDependencies": {
     		"@react-router/dev": "7.14.1"
     	}
     }

  2. create pnpm-workspace.yaml:

     trustPolicy: no-downgrade

  3. run pnpm i

System Info

Binaries:
    Node: 25.9.0 - /usr/bin/node
    pnpm: 10.33.0 - /usr/bin/pnpm
  npmPackages:
    @react-router/dev: 7.14.1 => 7.14.1

Used Package Manager

pnpm

Expected Behavior

pnpm i succeeds with trustPolicy: no-downgrade without trustPolicyExclude

Actual Behavior

pnpm i fails due to:

 ERR_PNPM_TRUST_DOWNGRADE  High-risk trust downgrade for "chokidar@4.0.3" (possible package takeover)

This error happened while installing the dependencies of @react-router/dev@7.14.1

Trust checks are based solely on publish date, not semver. A package cannot be installed if any earlier-published version had stronger trust evidence. Earlier versions had provenance attestation, but this version has no trust evidence. A trust downgrade may indicate a supply chain incident.

that can be resolved by adding

trustPolicyExclude:
    - 'chokidar@4.0.3' # https://github.com/paulmillr/chokidar/issues/1440#issuecomment-3577534152

After that, it fails with

High-risk trust downgrade for "semver@6.3.1" (possible package takeover)

This error happened while installing the dependencies of @react-router/dev@7.14.1
 at @babel/core@7.29.0

Trust checks are based solely on publish date, not semver. A package cannot be installed if any earlier-published version had stronger trust evidence. Earlier versions had provenance attestation, but this version has no trust evidence. A trust downgrade may indicate a supply chain incident.

which can be resolved by

trustPolicyExclude:
    - 'chokidar@4.0.3' # https://github.com/paulmillr/chokidar/issues/1440#issuecomment-3577534152
    - 'semver@6.3.1' # https://github.com/npm/node-semver/issues/838#issuecomment-3698312268

Now it finally succeeds.

Please update chokidar so I don't have to do overrides every time.

semver, I think, is not really solvable because @babel/core didn't release a version with semver v7 yet.
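The error text above says the check is ordered by publish date rather than semver. The following JavaScript is an added illustration of that rule, not pnpm's implementation and not part of the report: the `TRUST_RANK` ordering, the exact-match semantics of `trustPolicyExclude`, and the `SAMPLE_REGISTRY` dates and provenance flags are all constructed assumptions. It walks a flat list of resolved specs and reports which ones a `no-downgrade` policy would reject, so you can see why the first run fails on chokidar, the next on semver, and the third succeeds.

```javascript
// Added example, not pnpm's code: a simplified model of a publish-date based
// "no-downgrade" trust check. Trust ranking is an assumption for illustration.
const TRUST_RANK = { none: 0, provenance: 1 };

// Constructed sample registry metadata (dates and trust flags are made up).
const SAMPLE_REGISTRY = {
  chokidar: [
    { version: "3.6.0", published: "2024-02-01T00:00:00Z", trust: "provenance" },
    { version: "4.0.3", published: "2024-12-01T00:00:00Z", trust: "none" },
  ],
  semver: [
    { version: "7.6.0", published: "2024-01-15T00:00:00Z", trust: "provenance" },
    { version: "6.3.1", published: "2024-06-01T00:00:00Z", trust: "none" },
  ],
  "@example/scoped": [
    { version: "1.0.0", published: "2023-01-01T00:00:00Z", trust: "none" },
    { version: "1.1.0", published: "2023-06-01T00:00:00Z", trust: "provenance" },
  ],
};

// Strongest trust evidence among versions published strictly before `target`,
// or null when no earlier-published version exists. Semver order is ignored.
function strongestEarlierTrust(versions, target) {
  const targetTime = Date.parse(target.published);
  let best = null;
  for (const v of versions) {
    if (Date.parse(v.published) < targetTime) {
      if (best === null || TRUST_RANK[v.trust] > TRUST_RANK[best]) best = v.trust;
    }
  }
  return best;
}

// Evaluate one "name@version" spec (scoped names work because the version
// carries no "@") against a registry and policy. Returns { ok, reason }.
function checkTrust(spec, registry = SAMPLE_REGISTRY, policy = {}) {
  const at = spec.lastIndexOf("@");
  const name = spec.slice(0, at);
  const version = spec.slice(at + 1);
  const versions = registry[name];
  if (!versions) return { ok: false, reason: `unknown package ${name}` };
  const target = versions.find((v) => v.version === version);
  if (!target) return { ok: false, reason: `unknown version ${spec}` };

  if (policy.trustPolicy !== "no-downgrade") {
    return { ok: true, reason: "trust policy not enforced" };
  }
  // Assumed exclusion semantics: exact "name@version" match.
  if ((policy.trustPolicyExclude || []).includes(spec)) {
    return { ok: true, reason: `${spec} excluded from trust checks` };
  }
  const earlier = strongestEarlierTrust(versions, target);
  if (earlier !== null && TRUST_RANK[earlier] > TRUST_RANK[target.trust]) {
    return {
      ok: false,
      reason: `trust downgrade for ${spec}: an earlier-published version had ` +
        `${earlier}, this one has ${target.trust}`,
    };
  }
  return { ok: true, reason: "no downgrade" };
}

// Run the check over every resolved spec and return the ones that fail,
// which is what an install would have to stop on.
function findTrustDowngrades(specs, policy, registry = SAMPLE_REGISTRY) {
  return specs.filter((s) => !checkTrust(s, registry, policy).ok);
}

// Usage: mirrors the three runs in the report.
const RESOLVED = ["chokidar@4.0.3", "semver@6.3.1", "@example/scoped@1.1.0"];
console.log(findTrustDowngrades(RESOLVED, { trustPolicy: "no-downgrade" }));
console.log(findTrustDowngrades(RESOLVED, {
  trustPolicy: "no-downgrade",
  trustPolicyExclude: ["chokidar@4.0.3", "semver@6.3.1"],
}));
```

Note that `@example/scoped@1.1.0` passes even though it is newer: the earlier-published version had weaker evidence, so moving to provenance is not a downgrade. The check only fires when a later-published version has less evidence than something published before it.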

Labels: bug, dependencies, v8