Integrity check error for remote tarballs
Closed this issue · 1 comment
What / Why
I have an application REST endpoint that generates an npm module tgz file upon request. When I add the remote URL (`http://192.168.65.2:8888/package.tgz`) to `package.json`, `npm install` fails with an integrity mismatch error. If I download the same tgz file and then do `npm install package.tgz`, everything works fine. I can confirm that `pacote` returns different sha512 values for the remote and local tarball!
```
$ npx pacote manifest package.tgz
{
  _integrity: 'sha512-kDkAIo0omC3odUie2nW9RLt8zOzr902rSB5zikea+715OI5a+QLuv4sguvI8+k5O0cIvxUX19/d5ypaPm3MRng==',
}
$ npx pacote manifest http://192.168.65.2:8888/package.tgz
{
  _integrity: 'sha512-1D+DlFn2yuHBT2hV7upaoH4MLLUotASmT0CItavWpUphRT+llBQ3cpjlW/lI9koyFNINbuirC24ofsQruEfRDg==',
}
```
This only happens with npm 6.x. npm 7.x seems fine.
Do I need to include any headers in the REST response?
pacote version: 9.5.12
Since so much of pacote was rewritten from the ground up for npm v7, I'm not surprised that there's a bug in there that isn't in pacote 10 and up. I'd love to say we can fix this, but honestly unless it's a serious/security problem affecting a large number of npm v6 users, it's unlikely.
If possible, I recommend upgrading to npm v7 everywhere, and just let this bug lie. Fixing it is probably too costly and too risky.