
Corrupted SHA checksum integrity

Open Thebarda opened this issue 2 years ago • 3 comments

Hello there,

I receive the following when running the command npm ci:

npm ERR! code EINTEGRITY
npm ERR! sha512-/u1Tm9NF/44PqJ6/ShazfPQBfbUW2oYSsN+mHhafRI2w7qRixN4iOZ8eTv9EsxxDWD2K0Lm0z8KwE43PuYTfIw== integrity checksum failed when using sha512: wanted sha512-/u1Tm9NF/44PqJ6/ShazfPQBfbUW2oYSsN+mHhafRI2w7qRixN4iOZ8eTv9EsxxDWD2K0Lm0z8KwE43PuYTfIw== but got sha512-4Ao8AU+x9cruj2ApLDU6GWcN3L4L78ZEXwkgAofNqE9iiDAZ2J1o5M1kPyw7z8sw5pqbWaGSHKDAdLlNI72vww==. (3292993 bytes)

The dependency was not updated between the initial install and the npm ci.

I think it might be better to store the commit id rather than a checksum that might differ even though a library is not updated.

Thebarda avatar Oct 27 '22 17:10 Thebarda

Hi. This is npm behavior. GitPkg serves that tgz file, and npm calculates a shasum for it.

The shasum might change for various reasons:

  • The code in that repo changed.
  • When GitPkg updates, the shasum of the gzipped-tar might change even though the unzipped contents don't change. This might be related to gzip algorithm parameters being changed implicitly. I am looking into this issue.

EqualMa avatar Jan 23 '24 05:01 EqualMa
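
Added example, not part of the original thread and not GitPkg or npm code: a Node.js check that separates the two causes listed in the comment above by hashing both the served `.tgz` bytes (what the lockfile `integrity` field covers) and the decompressed tar stream. The function names, verdict strings and sample buffers are constructed for illustration, and it assumes you still have the previously installed tarball to compare against.

```javascript
const crypto = require('node:crypto');
const zlib = require('node:zlib');

// SRI string in the same "sha512-<base64>" form as the EINTEGRITY message.
function sri(buf) {
  return 'sha512-' + crypto.createHash('sha512').update(buf).digest('base64');
}

// Compare the tarball that was locked with the one served now.
// Verdicts (hypothetical labels):
//   identical         - compressed bytes match, no EINTEGRITY expected
//   recompressed-only - gzip bytes differ, decompressed tar stream matches
//   content-changed   - the tar stream itself differs; review before trusting
function compareTarballs(lockedTgz, servedTgz) {
  const lockedSri = sri(lockedTgz);
  const servedSri = sri(servedTgz);
  if (lockedSri === servedSri) {
    return { verdict: 'identical', lockedSri, servedSri };
  }
  const lockedTar = zlib.gunzipSync(lockedTgz);
  const servedTar = zlib.gunzipSync(servedTgz);
  const sameTar = sri(lockedTar) === sri(servedTar);
  return {
    verdict: sameTar ? 'recompressed-only' : 'content-changed',
    lockedSri,
    servedSri,
  };
}

// Constructed sample data standing in for a package tar stream.
const tarBytes = Buffer.from('package/index.js\0module.exports = 42;\n'.repeat(200));
// Same payload, different gzip parameters: the output bytes differ.
const builtEarlier = zlib.gzipSync(tarBytes, { level: 9 });
const builtLater = zlib.gzipSync(tarBytes, { level: 1 });
// Different payload: the case that deserves a real review.
const modified = zlib.gzipSync(
  Buffer.concat([tarBytes, Buffer.from('package/extra.js\0')]),
  { level: 9 }
);

console.log(compareTarballs(builtEarlier, builtLater).verdict);
console.log(compareTarballs(builtEarlier, modified).verdict);
```

The comparison is made on the whole tar stream, so a rebuilt archive whose tar headers differ (for example timestamps) is reported as `content-changed` and needs a per-file comparison before the new integrity value is accepted into the lockfile.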

Has anyone found a workaround for this? I had my CI pipelines break randomly this morning for packages using gitpkg.

SimplyCorey avatar Feb 09 '24 13:02 SimplyCorey