What factors into _shasum?

[bmcallis]

I'm opening this issue because:

• npm is crashing.
• npm is producing an incorrect install.
• npm is doing something I don't understand.
• Other (see below for feature requests):

What's going wrong?

I have to publish a module to two different private repositories. We're trying to switch to npm5 but get integrity issues when pointing to the repository that wasn't used when generating the package-lock file. The registries show different _shasum values for the same module. The difference between the two is the _npmUser object and timestamps of releases. Is that enough to make the shasum values different?

How can the CLI team reproduce the problem?

I think that publishing the same module to different registries with a different username for each causes the issue, but I'm not sure if that's actually what's going on.

supporting information:

• npm -v prints: 5.3.0
• node -v prints: v6.10.2
• npm config get registry prints: private registry
• Windows, OS X/macOS, or Linux?: macOS
• Network issues:
  • Geographic location where npm was run:
  • I use a proxy to connect to the npm registry.
  • I use a proxy to connect to the web.
  • I use a proxy when downloading Git repos.
  • I access the npm registry via a VPN
  • I don't use a proxy, but have limited or unreliable internet access.
• Container:
  • I develop using Vagrant on Windows.
  • I develop using Vagrant on OS X or Linux.
  • I develop / deploy using Docker.
  • I deploy to a PaaS (Triton, Heroku).

[legodude17]

AFAIK the publish time will factor into the shasum.