npm/pacote

Integrity check error for remote tarballs

Closed · 1 comment

What / Why

I have an application REST endpoint that generates an npm module tgz file upon request. When I add the remote URL (http://192.168.65.2:8888/package.tgz) to package.json, npm install fails with an integrity mismatch error. If I download the same tgz file and then do npm install package.tgz, everything works fine. I can confirm that pacote returns different sha512 for the remote and local tarball!

npx pacote manifest package.tgz
{
  _integrity: 'sha512-kDkAIo0omC3odUie2nW9RLt8zOzr902rSB5zikea+715OI5a+QLuv4sguvI8+k5O0cIvxUX19/d5ypaPm3MRng==',
}

npx pacote manifest http://192.168.65.2:8888/package.tgz
{
  _integrity: 'sha512-1D+DlFn2yuHBT2hV7upaoH4MLLUotASmT0CItavWpUphRT+llBQ3cpjlW/lI9koyFNINbuirC24ofsQruEfRDg==',
}

This only happens with npm 6.x. npm 7.x seems fine.

Do I need to include any headers in the REST response?

pacote version: 9.5.12

Since so much of pacote was rewritten from the ground up for npm v7, I'm not surprised that there's a bug in there that isn't in pacote 10 and up. I'd love to say we can fix this, but honestly unless it's a serious/security problem affecting a large number of npm v6 users, it's unlikely.

If possible, I recommend upgrading to npm v7 everywhere, and just let this bug lie. Fixing it is probably too costly and too risky.