npm EINTEGRITY error message

[hippiman0]

I'm opening this issue because:

• npm is crashing.
• npm is producing an incorrect install.
• npm is doing something I don't understand.
• Other (see below for feature requests):

What's the feature?

Error messages for EINTEGRITY should reference the package/files the sha is for.

What problem is the feature intended to solve?

Error messages for EINTEGRITY don't show which package they are from.
#19951
Command line result:

npm ERR! sha512-UTfD64o5Ka/E6QHL12fzcq5wnt9MCtuwgoUdYSTDxjjDkhNmZwSfPlJH/+Yh8vE6nU/0ax3MXNrc9AP4haAmIg== integrity checksum failed when using sha512: wanted sha512-UTfD64o5Ka/E6QHL12fzcq5wnt9MCtuwgoUdYSTDxjjDkhNmZwSfPlJH/+Yh8vE6nU/0ax3MXNrc9AP4haAmIg== but got sha512-YeoTb2HeC1c4zeWbkV/pnLWE4P3w7t8adQSqYl7WME6UnuhfvK5qjxMjP1bQENP/o8hvcUyrvMsE3k8iomRYiQ==. (3226 bytes)
npm WARN tar invalid entry
npm WARN tar invalid entry
npm WARN tar invalid entry
npm WARN tar invalid entry
npm WARN tar invalid entry
npm WARN tar invalid entry

Result from the logs:

1827 verbose stack Error: sha512-UTfD64o5Ka/E6QHL12fzcq5wnt9MCtuwgoUdYSTDxjjDkhNmZwSfPlJH/+Yh8vE6nU/0ax3MXNrc9AP4haAmIg== integrity checksum failed when using sha512: wanted sha512-UTfD64o5Ka/E6QHL12fzcq5wnt9MCtuwgoUdYSTDxjjDkhNmZwSfPlJH/+Yh8vE6nU/0ax3MXNrc9AP4haAmIg== but got sha512-YeoTb2HeC1c4zeWbkV/pnLWE4P3w7t8adQSqYl7WME6UnuhfvK5qjxMjP1bQENP/o8hvcUyrvMsE3k8iomRYiQ==. (3226 bytes)
1827 verbose stack     at Transform.on (C:\Users\a158000\AppData\Roaming\nvm\v8.10.0\node_modules\npm\node_modules\ssri\index.js:275:19)
1827 verbose stack     at emitNone (events.js:111:20)
1827 verbose stack     at Transform.emit (events.js:208:7)
1827 verbose stack     at endReadableNT (_stream_readable.js:1064:12)
1827 verbose stack     at _combinedTickCallback (internal/process/next_tick.js:138:11)
1827 verbose stack     at process._tickCallback (internal/process/next_tick.js:180:9)

I was able to search the wanted sha to find the package, but it wasn't immediately obvious to try that.

1678 silly pacote trying xlsx@https://registry.npmjs.org/xlsx/-/xlsx-0.11.19.tgz by hash: sha512-UTfD64o5Ka/E6QHL12fzcq5wnt9MCtuwgoUdYSTDxjjDkhNmZwSfPlJH/+Yh8vE6nU/0ax3MXNrc9AP4haAmIg==

Is the absence of this feature blocking you or your team? If so, how?

No

Is this feature similar to an existing feature in another tool?

N/A

Is this a feature you're prepared to implement, with support from the npm CLI team?

I can try, but I'd probably cause more issues :)

[AndreKR]

On top of that it should also give the information where the "wanted" checksum comes from. I'm installing the affected package from a tarball, so there is no registry to supply checksums, but I'm constantly getting EINTEGRITY errors. I tried deleting %AppData%/npm-cache and package-lock.json but to no avail.

[hippiman0]

@AndreKR
Not sure if this applies in your case, but the way I found out that xlsx was the issue was by opening the log file it mentioned at the end, then searching the wanted sha. That's how I got the 1678 silly pacote trying xlsx@https... line.

Then I just removed the caret (^) from the version of xlsx in my package.json, renamed my package-lock.json, deleted node_modules, and reran npm install.

At first I thought it was another package which was giving a warning, but it was completely unrelated to the sha EINTEGRITY error.

[AndreKR]

In my case the problem was that npm downloaded the tarball twice and expected to get an identical file both times, and for some reason tar creates a different file every time you pack the same source files. (Probably it adds a packed-timestamp or something like that, I didn't look into it.)