registry: verify integrity when loading manifest
I ran into a weird issue where an options object was being reused improperly between pacote.manifest() calls, leading to the tree builder believing that it was safe to replace basically any node in the tree with any new node it fetched. While this is clearly a bug downstream, it would've been easier to catch if pacote could flag this as a problem.

As of this change, if the provided integrity does not share any algorithms in common with the integrity in the dist field (either dist.integrity or dist.shasum) then it's concatenated onto the provided integrity. If it DOES share any algorithms in common, but the hashes don't match, then an EINTEGRITY error is raised.

This also lets us more easily upgrade to newer integrity algos in the future, and clients will transparently update their metadata when this happens.
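The rule described in the commit message above, sketched as an added example (not pacote's code and not part of this commit). The names `parseSri`, `distIntegrity` and `mergeIntegrity` are hypothetical, the digests are constructed, and two behaviours are assumptions: every shared algorithm must have a digest in common, and a successful match returns the provided value unchanged.

```javascript
// Added illustration, not pacote's code: parseSri, distIntegrity and
// mergeIntegrity are hypothetical names; callers supply constructed digests.

// Parse an SRI string ("sha512-<b64> sha1-<b64>") into Map<algo, Set<digest>>.
function parseSri(sri) {
  const byAlgo = new Map();
  for (const entry of String(sri || '').trim().split(/\s+/).filter(Boolean)) {
    const dash = entry.indexOf('-');
    if (dash < 1) throw new Error(`malformed integrity entry: ${entry}`);
    const algo = entry.slice(0, dash);
    if (!byAlgo.has(algo)) byAlgo.set(algo, new Set());
    byAlgo.get(algo).add(entry.slice(dash + 1));
  }
  return byAlgo;
}

// Integrity advertised by the manifest: dist.integrity, else the legacy
// hex SHA-1 in dist.shasum re-encoded as an SRI entry.
function distIntegrity(dist) {
  const d = dist || {};
  if (d.integrity) return d.integrity;
  if (d.shasum) return 'sha1-' + Buffer.from(d.shasum, 'hex').toString('base64');
  return '';
}

// Assumption: every shared algorithm must have a digest in common, and a
// successful match returns the provided value unchanged.
function mergeIntegrity(provided, dist) {
  const advertised = distIntegrity(dist);
  if (!provided || !advertised) return provided || advertised;
  const want = parseSri(provided);
  const got = parseSri(advertised);
  const shared = [...want.keys()].filter((algo) => got.has(algo));
  // Nothing comparable: keep both so later checks can use either algorithm.
  if (shared.length === 0) return `${provided} ${advertised}`;
  for (const algo of shared) {
    if (![...want.get(algo)].some((digest) => got.get(algo).has(digest))) {
      const err = new Error(`${algo} integrity mismatch between provided value and manifest`);
      err.code = 'EINTEGRITY';
      throw err;
    }
  }
  return provided;
}
```

A caller that pins `sha512` and receives a manifest carrying only `dist.shasum` ends up with both entries, while a manifest whose `sha512` differs from the pinned one fails with `EINTEGRITY` instead of silently replacing the node.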
Showing 2 changed files with 64 additions and 5 deletions.