
EINTEGRITY error when running npm install

Open pfumagalli opened this issue 3 years ago • 2 comments

Environment

Provide version numbers for the following components (information can be retrieved by running tns info in your project folder or by inspecting the package.json of the project):

  • CLI: 7.1.2

Describe the bug

I have set nativescript as a dev dependency to my project (makes our life easier), but when doing an npm clean-install (thus loading the exact versions in package-lock.json) I get an integrity error.

npm ERR! code EINTEGRITY
npm ERR! sha512-bf7UQUo6n0c3Fxn5OXckpausCWjFg+qGLzN/LnaMsjF+9HYuSMbPPciWI6zPLu+KLnwjqwKzwPkozi/vxJYpvw==
  integrity checksum failed when using sha512:
    wanted  sha512-bf7UQUo6n0c3Fxn5OXckpausCWjFg+qGLzN/LnaMsjF+9HYuSMbPPciWI6zPLu+KLnwjqwKzwPkozi/vxJYpvw==
    but got sha512-h/TzJrgwzVV+W6laITBZAxAWfBjX4T0x+LF5XJdS1AzDkXqmraMNnKQ/O/f3AHJKVR85fOglUEdS/B0P1wS7Aw==. (5724 bytes)

Now, I noticed that nativescript depends specifically on cli-table packaged up as a nice tarball in https://github.com/telerik/cli-table/tarball/v0.3.1.2 (inside, the package.json declares version 0.3.1), but the NPM registry also provides the same 0.3.1 version itself.

The Telerik version has a checksum of bf7UQUo6n0c3Fxn5OXckpausCWjFg+qGLzN/LnaMsjF+9HYuSMbPPciWI6zPLu+KLnwjqwKzwPkozi/vxJYpvw== (what's stored in package-lock.json) and the NPM registry has a checksum of h/TzJrgwzVV+W6laITBZAxAWfBjX4T0x+LF5XJdS1AzDkXqmraMNnKQ/O/f3AHJKVR85fOglUEdS/B0P1wS7Aw== (the offending one, as in the error above).

I see that the dependency is inherited from marked-terminal (another non-NPM-repo dependency from https://github.com/NativeScript/marked-terminal/tarball/v3.1.1n) and as far as I can see those were declared A LONG time ago... Maybe it's time to get those deps up-to-date?

Workaround

For people stumbling around and finding the issue as well, this seems to be tricking NPM into resolving stuff correctly:

npm install --save-dev 'https://github.com/telerik/cli-table/tarball/v0.3.1.2'
npm install --save-dev 'https://github.com/NativeScript/marked-terminal/tarball/v3.1.1n'
rm -rf node_modules package-lock.json
npm install

(Basically, add the overridden dependencies from NativeScript to your own project)

pfumagalli, Jan 13 '21 17:01
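The mismatch reported above, reproduced as an added example (not code from the issue or from the NativeScript project): it flags lockfile entries resolved outside the registry and shows why two tarballs with the same name and version fail the pinned sha512 check. The tarball bytes, the `example-dep` entry, the helper names and the lockfileVersion 2 layout are constructed assumptions; the cli-table URL is the one quoted in the issue.

```javascript
// Added example; tarball bytes and the example-dep entry are constructed.
const crypto = require('node:crypto');

const REGISTRY_HOST = 'registry.npmjs.org'; // assumption: default public registry

// SRI string as stored in package-lock.json: "sha512-<base64 digest>".
function sri(bytes) {
  return 'sha512-' + crypto.createHash('sha512').update(bytes).digest('base64');
}

function hostOf(resolved) {
  try { return new URL(resolved).hostname; } catch { return ''; }
}

// Entries of a v2/v3 lockfile "packages" map whose tarball is not served by the registry.
function nonRegistryPackages(lock) {
  return Object.entries(lock.packages || {})
    .filter(([, meta]) => meta.resolved && hostOf(meta.resolved) !== REGISTRY_HOST)
    .map(([path, meta]) => ({ path, version: meta.version, resolved: meta.resolved }));
}

// Compare fetched bytes with the pinned value, reporting both like EINTEGRITY does.
// "integrity" may hold several space-separated hashes; only sha512 is checked here.
function checkIntegrity(lock, path, bytes) {
  const wanted = lock.packages[path].integrity;
  const got = sri(bytes);
  return { ok: wanted.split(/\s+/).includes(got), wanted, got };
}

// Two different tarballs that both claim to be cli-table 0.3.1 (constructed bytes).
const forkTarball = Buffer.from('constructed: cli-table 0.3.1 from the GitHub tarball');
const registryTarball = Buffer.from('constructed: cli-table 0.3.1 from the registry');

const lock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'my-app' },
    'node_modules/cli-table': {
      version: '0.3.1',
      resolved: 'https://github.com/telerik/cli-table/tarball/v0.3.1.2',
      integrity: sri(forkTarball), // pinned when the lockfile was written
    },
    'node_modules/example-dep': {
      version: '1.0.0',
      resolved: 'https://registry.npmjs.org/example-dep/-/example-dep-1.0.0.tgz',
      integrity: sri(Buffer.from('constructed: example-dep')),
    },
  },
};

console.log(nonRegistryPackages(lock));
console.log(checkIntegrity(lock, 'node_modules/cli-table', registryTarball));
```

Running the first function over a real package-lock.json before `npm ci` lists the entries worth pinning explicitly or replacing with registry releases.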

Thanks for the workaround! Works well.

bwobbones, Apr 12 '21 23:04

Thanks for the work-around! This bug showed up for me when installing from a package-lock.json using npm ci.

mpcref, Feb 15 '22 19:02