Description
Issue
memfs version 4.x has a trust/provenance downgrade. Earlier versions had npm provenance attestation, but recent 4.x versions do not include provenance information.
Affected Versions
- [email protected] (and likely other 4.x versions)
Impact
This causes issues with package managers that enforce trust policies. For example, pnpm with trustPolicy: no-downgrade will flag this as a security concern because the package previously had provenance but newer versions do not.
Context
memfs is widely used and is a dependency of webpack-dev-server (which requires ^4.14.0). Projects using strict trust policies need to explicitly exclude memfs from trust policy checks as a workaround.
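As an added illustration of the no-downgrade check described above (example code written for this page; it is not part of the memfs issue, the memfs project, or pnpm's own implementation), the script below walks a registry packument in semver order and flags every release that lacks a provenance attestation once an earlier release had one. It assumes the packument shape the npm provenance docs describe, attested versions carrying `versions[v].dist.attestations.provenance`, and uses a constructed packument for a hypothetical package named example-pkg rather than real memfs registry data.

```javascript
// Added example, not code from the memfs issue or the memfs project.
// Detects the provenance "downgrade" condition that pnpm's
// `trustPolicy: no-downgrade` setting rejects: a package whose earlier
// releases carried npm provenance attestations while a later release does not.
// Assumption: the registry packument exposes attestations for a version under
// `versions[v].dist.attestations` with a `provenance.predicateType` field, as
// produced when publishing with provenance (see the npm docs linked in the issue).

// Parse "major.minor.patch" into numbers; a prerelease suffix such as "-beta.1"
// is ignored for ordering purposes (sufficient for the release lines compared here).
function parseSemver(version) {
  const core = version.split('-')[0];
  const parts = core.split('.').map((n) => Number.parseInt(n, 10));
  if (parts.length !== 3 || parts.some((n) => Number.isNaN(n))) {
    throw new Error(`not a major.minor.patch version: ${version}`);
  }
  return parts;
}

// Numeric comparison, so that 1.10.0 sorts after 1.2.0 (a plain string sort
// would put it first and misclassify the downgrade).
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i += 1) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// A version counts as attested only if the registry recorded a provenance
// attestation for it.
function hasProvenance(versionDoc) {
  const attestations = versionDoc && versionDoc.dist && versionDoc.dist.attestations;
  return Boolean(attestations && attestations.provenance && attestations.provenance.predicateType);
}

// Walk releases in version order. Once any release is attested, every later
// unattested release is a downgrade. Returns the first attested version
// (null if none) and the list of downgraded versions.
function findProvenanceDowngrades(packument) {
  const ordered = Object.keys(packument.versions).sort(compareSemver);
  let firstAttested = null;
  const downgrades = [];
  for (const version of ordered) {
    if (hasProvenance(packument.versions[version])) {
      if (firstAttested === null) firstAttested = version;
    } else if (firstAttested !== null) {
      downgrades.push(version);
    }
  }
  return { firstAttested, downgrades };
}

// Policy decision for one requested version: "allow" or "deny" with a reason.
function evaluateNoDowngrade(packument, requestedVersion) {
  if (!Object.prototype.hasOwnProperty.call(packument.versions, requestedVersion)) {
    return { decision: 'deny', reason: `unknown version ${requestedVersion}` };
  }
  const { firstAttested, downgrades } = findProvenanceDowngrades(packument);
  if (downgrades.includes(requestedVersion)) {
    return {
      decision: 'deny',
      reason: `${packument.name}@${requestedVersion} lacks provenance but ` +
        `${packument.name}@${firstAttested} was attested`,
    };
  }
  const reason = firstAttested === null
    ? 'package never had provenance; nothing to downgrade from'
    : 'provenance present, or release predates the first attested one';
  return { decision: 'allow', reason };
}

// Constructed sample packument (hypothetical package and versions, not real
// registry data): 1.1.0 predates provenance, 1.2.0 and 1.3.0 are attested,
// and 1.10.0 was published without an attestation.
const SLSA_V1 = 'https://slsa.dev/provenance/v1';
const tarball = (v) => `https://registry.example/example-pkg/-/example-pkg-${v}.tgz`;
const attested = (v) => ({
  version: v,
  dist: {
    tarball: tarball(v),
    attestations: {
      url: `https://registry.example/-/npm/v1/attestations/example-pkg@${v}`,
      provenance: { predicateType: SLSA_V1 },
    },
  },
});
const unattested = (v) => ({ version: v, dist: { tarball: tarball(v) } });
const SAMPLE_PACKUMENT = {
  name: 'example-pkg',
  versions: {
    '1.1.0': unattested('1.1.0'),
    '1.2.0': attested('1.2.0'),
    '1.3.0': attested('1.3.0'),
    '1.10.0': unattested('1.10.0'),
  },
};

// Stand-alone run: report the verdict for each sample version.
for (const v of ['1.1.0', '1.3.0', '1.10.0']) {
  const { decision, reason } = evaluateNoDowngrade(SAMPLE_PACKUMENT, v);
  console.log(`${v}: ${decision} (${reason})`);
}
```

Run against the constructed packument, 1.1.0 and 1.3.0 are allowed and 1.10.0 is denied as a downgrade from 1.2.0. The remedy on the publishing side is the one the issue requests: releases published with provenance (the `--provenance` option of `npm publish`, run from a CI job that can obtain an OIDC token, as the linked npm documentation describes) restore the attestation and the check passes again without any per-package exclusion.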
Request
Please consider adding npm provenance attestation to memfs releases to maintain trust continuity. This helps projects that use strict security policies to verify package authenticity.
References
- npm provenance documentation: https://docs.npmjs.com/generating-provenance-statements
- pnpm trust policy: https://pnpm.io/settings#trustpolicy