zys-contrib · pull · Nov 22, 2025 · Nov 22, 2025 · Nov 22, 2025
diff --git a/.changeset/public-feet-hide.md b/.changeset/public-feet-hide.md
@@ -0,0 +1,5 @@
+---
+"@pnpm/npm-resolver": patch
+---
+
+Improve the error messages related to `trustPolicy` mismatch.
diff --git a/pkg-manifest/read-package-json/README.md b/pkg-manifest/read-package-json/README.md
@@ -15,7 +15,7 @@ pnpm add @pnpm/read-package-json
 ## Usage
 
 ```ts
-import readPackageJson from '@pnpm/read-package-json'
+import { readPackageJson } from '@pnpm/read-package-json'
 
 const pkgJson = await readPackageJson('package.json')
 ```

diff --git a/resolving/npm-resolver/src/trustChecks.ts b/resolving/npm-resolver/src/trustChecks.ts
@@ -52,7 +52,9 @@ export function failIfTrustDowngraded (
       'TRUST_DOWNGRADE',
       `High-risk trust downgrade for "${meta.name}@${version}" (possible package takeover)`,
       {
-        hint: `Earlier versions had ${prettyPrintTrustEvidence(strongestEvidencePriorToRequestedVersion)}, ` +
+        hint: 'Trust checks are based solely on publish date, not semver. ' +
+          'A package cannot be installed if any earlier-published version had stronger trust evidence. ' +
+          `Earlier versions had ${prettyPrintTrustEvidence(strongestEvidencePriorToRequestedVersion)}, ` +
           `but this version has ${prettyPrintTrustEvidence(currentTrustEvidence)}. ` +
           'A trust downgrade may indicate a supply chain incident.',
       }