
Provenance has gone #1

@tats-u

Description

$ pnpm up @rspress/core
 ERR_PNPM_TRUST_DOWNGRADE  High-risk trust downgrade for "react-render-to-markdown@19.0.1" (possible package takeover)

This error happened while installing the dependencies of @rspress/core@2.0.5

Trust checks are based solely on publish date, not semver. A package cannot be installed if any earlier-published version had stronger trust evidence. Earlier versions had trusted publisher, but this version has no trust evidence. A trust downgrade may indicate a supply chain incident.

https://pnpm.io/supply-chain-security#enforce-trust-with-trustpolicy

The loss of provenance reminds users of the Rspack 1.1.7 incident, so the package should be republished with one re-added.

Note: you need to make sure to publish every version of a package via GitHub Actions always once it gets a provenance.
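The rule quoted in the error above (trust is compared by publish date, not by semver) in a small self-contained simulation. This is an added illustration, not pnpm's own code: the two-level trust ordering, the package name and the version/date table are constructed assumptions.

```javascript
// Constructed trust ordering (assumption, not pnpm's internal model): a higher rank is
// stronger evidence. The page only names "trusted publisher" and "no trust evidence".
const TRUST_RANK = { none: 0, "trusted-publisher": 1 };

// Constructed registry metadata for a hypothetical package "example-pkg": each entry
// records the version, its publish timestamp and the trust evidence of that publish.
const VERSIONS = [
  { version: "18.3.1", published: "2024-04-26T00:00:00Z", trust: "none" },
  { version: "19.0.0", published: "2024-12-05T00:00:00Z", trust: "trusted-publisher" },
  { version: "19.1.0", published: "2025-03-28T00:00:00Z", trust: "trusted-publisher" },
  // Semver-lower than 19.1.0, but published LATER and without evidence: this is the
  // pattern the trust check refuses, because only publish order matters.
  { version: "19.0.1", published: "2025-06-01T00:00:00Z", trust: "none" },
];

// Returns null when `candidate` may be installed, otherwise the first earlier-published
// version that carried stronger trust evidence (the cause of the downgrade).
function checkTrustDowngrade(versions, candidate) {
  const target = versions.find((v) => v.version === candidate);
  if (!target) throw new Error(`unknown version ${candidate}`);
  const targetTime = Date.parse(target.published);
  const targetRank = TRUST_RANK[target.trust];
  const earlier = versions
    .filter((v) => Date.parse(v.published) < targetTime) // publish date, not semver
    .sort((a, b) => Date.parse(a.published) - Date.parse(b.published));
  return earlier.find((v) => TRUST_RANK[v.trust] > targetRank) || null;
}

// Renders a verdict in the spirit of the pnpm message; wording is ours, not pnpm's.
function formatVerdict(pkg, candidate) {
  const cause = checkTrustDowngrade(VERSIONS, candidate);
  if (!cause) return `OK: ${pkg}@${candidate} does not weaken trust evidence`;
  return `TRUST_DOWNGRADE ${pkg}@${candidate}: ${cause.version} had ${cause.trust}, ` +
    `this version has none (possible package takeover)`;
}

for (const v of VERSIONS) console.log(formatVerdict("example-pkg", v.version));
```

Raising evidence over time (18.3.1 without evidence, then 19.0.0 from a trusted publisher) passes; only the later publish that drops evidence is refused.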
