node-argon2
"Integrity checksum failed when using sha1" on npm install
When I run npm install on the current master branch after a fresh clone (commit e5b258e6acbb327e84c7e89e180470b0e32bea87), the install fails with this error message:
$ npm install
npm ERR! code EINTEGRITY
npm ERR! Integrity checksum failed when using sha1: wanted sha1-+hN8S9aY7fVc1c0CrFWfkaTEups=sha512-pGjwhsmsp4kL2RTz08wcOlGN83otlqHeD/Z5T8GXZB+/YcpQ/dgo+lbU8ZsGxV0HIvqqxo9l7mqYwyYMD9bKDg== but got sha1-+hN8S9aY7fVc1c0CrFWfkaTEups=.
npm ERR! A complete log of this run can be found in:
npm ERR! /home/danilo/.npm/_logs/2021-11-30T14_25_23_289Z-debug.log
If I remove the yarn.lock file, it works. Note that I'm not using yarn, it's not even installed.
Is it possible that npm tries to read the yarn lockfile, and that some hash calculation differs?
Steps to reproduce
- Clone repo
- Run npm install
More information
According to git bisect this behavior started with commit 191b71f1189d59f8e4a9b5797b16ab4b1a4468aa. I noticed that in that commit, the integrity key now includes both a SHA512 sum and a SHA1 sum. Is this valid for yarn? It probably confuses npm. (Also, why add a SHA1 sum if there's a much better SHA512 sum in there already?)
Environment
Operating system: Arch Linux
Node version: nodejs 16.8.0 / npm 7.21.0
Is it still happening? The hashes are updated by yarn itself, and npm does not use yarn.lock, so these shouldn't interfere.
> why add a SHA1 sum if there's a much better SHA512 sum in there already?
You'd have to ask people from yarn :laughing:
Yarn now changed everything to SHA512 again, and I guess this won't happen anymore.
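The question in this thread turns on what the integrity field in yarn.lock contains. As an added example (not part of the thread, and not node-argon2, npm or yarn code), this Node.js script audits yarn.lock v1 text for integrity values that include SHA-1, mix several algorithms, or are not well-formed SRI tokens, such as two hashes run together as in the error message above. The package names and digests are constructed placeholders.

```javascript
// Expected base64 length (with padding) of each digest in an SRI token.
const DIGEST_B64_LEN = { sha1: 28, sha256: 44, sha384: 64, sha512: 88 };
const WEAK = new Set(['sha1']);

// Classify one SRI token such as "sha512-<base64>".
function parseToken(token) {
  const m = /^([a-z0-9]+)-([A-Za-z0-9+/]+={0,2})$/.exec(token);
  if (!m || DIGEST_B64_LEN[m[1]] !== m[2].length) return { token, valid: false };
  return { token, valid: true, algorithm: m[1] };
}

// Scan yarn.lock v1 text; return one finding per entry whose integrity value
// is malformed, contains a weak algorithm, or mixes several algorithms.
function auditYarnLock(text) {
  const findings = [];
  let entry = null;
  for (const line of text.split(/\r?\n/)) {
    if (/^\S.*:$/.test(line)) {            // entry header starts at column 0
      entry = line.slice(0, -1);
      continue;
    }
    const m = /^\s+integrity\s+"?([^"]+)"?\s*$/.exec(line);
    if (!m || entry === null) continue;
    const tokens = m[1].trim().split(/\s+/).map(parseToken);
    const algs = [...new Set(tokens.filter(t => t.valid).map(t => t.algorithm))];
    const issues = [];
    if (tokens.some(t => !t.valid)) issues.push('malformed');
    if (algs.some(a => WEAK.has(a))) issues.push('weak-algorithm');
    if (algs.length > 1) issues.push('mixed-algorithms');
    if (issues.length) findings.push({ entry, issues });
  }
  return findings;
}

// Constructed sample input: placeholder digests of the correct length only.
const SHA1 = 'sha1-' + 'A'.repeat(27) + '=';
const SHA512 = 'sha512-' + 'B'.repeat(86) + '==';
const SAMPLE_LOCK = [
  '# yarn lockfile v1', '',
  'pkg-ok@^1.0.0:', '  version "1.0.0"', `  integrity ${SHA512}`, '',
  'pkg-both@^2.0.0:', '  version "2.0.0"', `  integrity "${SHA1} ${SHA512}"`, '',
  'pkg-joined@^3.0.0:', '  version "3.0.0"', `  integrity ${SHA1}${SHA512}`,
].join('\n');

console.log(JSON.stringify(auditYarnLock(SAMPLE_LOCK), null, 2));
```

To check a real checkout, pass the contents of its yarn.lock to auditYarnLock instead of SAMPLE_LOCK.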