From a71615abcd2cc2b2c532a81a9ef2247ea8c34084 Mon Sep 17 00:00:00 2001
From: David Glasser
Date: Wed, 23 Apr 2014 22:43:19 -0700
Subject: [PATCH] Check SHA before using files from cache
Fixes #3265. Because 'npm install' *always* writes every package to the cache (even if it isn't installed from the registry) before installing it, it's easy to end up in a situation where "npm install foo" installs something other than the appropriate version from the registry. eg: npm cache clean # Install a fork of version 0.0.1: npm install https://github.com/glasser/npm-cache-corruption/tarball/93c447e rm -rf node_modules # Before this commit, this would install the same fork as above npm install npm-cache-corruption
---
 lib/cache.js | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/lib/cache.js b/lib/cache.js
index 4c746ec0cec..5c2d07840ea 100644
--- a/lib/cache.js
+++ b/lib/cache.js
@@ -877,6 +877,10 @@ function addNameVersion (name, v, data, cb) {
 if (er && er.code !== "ENOENT" && er.code !== "ENOTDIR") return cb(er)
 if (er) return fetchit()
+ // check the SHA of the package we have, to ensure it wasn't installed
+ // from somewhere other than the registry (eg, a fork)
+ if (data._shasum && dist.shasum && data._shasum !== dist.shasum)
+ return fetchit()
 return cb(null, data)
 })
 } else return fetchit()
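Review bot: The added guard only triggers when both `data._shasum` and `dist.shasum` are present, so a cached entry that carries no `_shasum` at all (for example one written before this change, or by a path that never recorded it) is still accepted without any comparison and the fix does not cover caches populated earlier. Treating a missing `_shasum` as a mismatch when the registry does publish one would close that gap: `if (dist.shasum && data._shasum !== dist.shasum) return fetchit()`. The comparison also appears to be between two recorded metadata values rather than a fresh hash of the tarball on disk, so a comment such as `// compares recorded shasums only; the tarball itself is not re-hashed here` would document what this check does and does not guarantee. `dist` and `fetchit` are defined outside the hunk, and addNameVersion starts and ends outside it.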