
Upstream trust docs #369

Open

ertzL wants to merge 10 commits into main from upstream-trust-docs

Conversation

ertzL (Contributor) commented Mar 15, 2026

Adding content around upstream trust

Copilot AI review requested due to automatic review settings March 15, 2026 18:03
vercel bot commented Mar 15, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| cloudsmith-docs | Ready | Preview, Comment | Mar 16, 2026 11:46am |

Copilot AI (Contributor) left a comment


Pull request overview

Adds new documentation describing Cloudsmith’s “Upstream Trust” supply chain security feature, including how trust affects dependency resolution and how to configure trust status on upstreams.

Changes:

  • Introduces a new “Upstream Trust” documentation page explaining trust evaluation and key behaviors (including cached/proxied package nuances).
  • Adds multiple example scenarios showing how trusted/untrusted sources affect resolved versions.
  • Documents configuration steps and clarifies package identity matching rules (scopes/qualifiers).


ertzL and others added 8 commits March 16, 2026 11:34
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
import { Note } from '@/components'

# Upstream Trust
Upstream trust is a supply chain security feature that protects your repositories from dependency confusion and namesquatting attacks. By designating upstream sources as trusted or untrusted, you control which sources are permitted to serve versions of packages that exist in your private repository or other trusted sources.
Collaborator left a comment

The way this reads right now, it implies Upstream Trust protects from both dependency confusion and namesquatting, but I believe it's just namesquatting, a subset of dependency confusion. Suggestion to edit to:
Upstream trust is a supply chain security feature that prevents namesquatting attacks where bad actors hijack your internal package name in public repositories.
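To make the rule in the documentation excerpt concrete (once a package exists in your private repository or another trusted source, untrusted sources are no longer permitted to serve versions of it), here is an added Python simulation of trust-aware resolution. It is example code written for this review, not Cloudsmith's resolver and not part of this PR. The source names, the sample package inventory, exact-name matching (the real rules involve scopes and qualifiers, which this ignores) and "highest eligible version wins" are all assumptions of the simulation.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, ...]


@dataclass(frozen=True)
class Source:
    """A place a package version can be served from."""
    name: str
    trusted: bool  # the private repository itself is always treated as trusted


@dataclass(frozen=True)
class Candidate:
    """One package version offered by one source."""
    package: str
    version: Version
    source: Source


def parse_version(text: str) -> Version:
    """Turn '1.2.0' into (1, 2, 0) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def resolve(package: str, candidates: List[Candidate]) -> Tuple[Optional[Candidate], List[Candidate]]:
    """Pick the version to serve and report the candidates that trust filtering rejected.

    Rule modelled from the documentation excerpt: if the package exists in the
    private repository or any trusted source, only trusted sources may serve it.
    A package known only to untrusted sources is served as usual.
    "Highest eligible version wins" is an assumption of this simulation.
    """
    matching = [c for c in candidates if c.package == package]  # assumption: exact-name match
    if any(c.source.trusted for c in matching):
        eligible = [c for c in matching if c.source.trusted]
    else:
        eligible = matching
    rejected = [c for c in matching if c not in eligible]  # worth logging: squatting attempts show up here
    chosen = max(eligible, key=lambda c: c.version, default=None)
    return chosen, rejected


# Constructed sample sources and inventory (assumed names, not real upstreams).
PRIVATE = Source("private-repo", trusted=True)
TRUSTED_UPSTREAM = Source("corp-mirror", trusted=True)
PUBLIC_UNTRUSTED = Source("public-index", trusted=False)

# 'internal-lib' is an in-house package that also appears, at an implausibly
# high version, on the untrusted public index; 'requests' exists only publicly.
CANDIDATES = [
    Candidate("internal-lib", parse_version("1.2.0"), PRIVATE),
    Candidate("internal-lib", parse_version("1.1.0"), TRUSTED_UPSTREAM),
    Candidate("internal-lib", parse_version("99.0.0"), PUBLIC_UNTRUSTED),
    Candidate("requests", parse_version("2.31.0"), PUBLIC_UNTRUSTED),
]


def fmt(c: Candidate) -> str:
    return ".".join(map(str, c.version)) + "@" + c.source.name


if __name__ == "__main__":
    for name in ("internal-lib", "requests", "not-a-package"):
        chosen, rejected = resolve(name, CANDIDATES)
        print(name, "->", fmt(chosen) if chosen else None,
              "| rejected by trust filter:", [fmt(r) for r in rejected])
```

Without the trust rule, plain "highest version wins" would hand 'internal-lib' to the untrusted 99.0.0 copy; with it, the private 1.2.0 is served and the rejected candidate is returned separately so it can be alerted on. The public-only package is unaffected, which matches the scoping of the feature to packages that already exist in trusted sources.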
