Fix cache integrity check false-positives across multiple registries

[Blasz]

Summary

Improve cache integrity error messages and fixes the cache integrity check issue described here: #7584 (comment)

I determined it is related to an internal npm registry that we use.

The registry that we use does not return an integrity field and so the cached versions of packages resolved from the registry uses sha1 hashes. When the same package is then resolved from npm instead of our own registry, it has a sha512 integrity field and causes a clash.

I'm still not so sure about erroring out in these scenarios rather than just invalidating the cache for the problem packages since users will manually need to do that after the error was thrown.

Also now that the cacheIntegrity field from cache is being used, I wonder whether the separate -integrity and no-integrity suffixed caches are required anymore?

Test plan

Added tests for the previous cache integrity changes. I saw test cases for sha384 integrity hashes so I wonder if those need to be accounted for, as the same false positive error will occur there as well. If npm ever decides to change their default integrity hash to something other than sha512 this check would also fail.

A better way of handling this could be to compute the remote integrity hash against the cache if it did not match the hash algorithms already stored in cache and then append that value to the cached integrity hash if it matched and throw an error otherwise.

[Blasz]

cc @arcanis

[arcanis]

Hey @Blasz! Thanks for working on it! It looks good to me, especially with the tests you've added ⭐

Also now that the cacheIntegrity field from cache is being used, I wonder whether the separate -integrity and no-integrity suffixed caches are required anymore?

Good question 🤔 Probably not if we always compute both the sha1 and the sha512 regardless of the registry, but I'm not 100% sure there isn't some edge case somewhere in the logic so I prefer to keep it for now.

A better way of handling this could be to compute the remote integrity hash against the cache if it did not match the hash algorithms already stored in cache and then append that value to the cached integrity hash if it matched and throw an error otherwise.

Yeah, but it would make the code even quite spaghetti 🤔

[Daniel15]

This is probably an edge case, but the build server that publishes the Chocolatey package is hitting this error when trying to check out the Yarn Git repo now:

stderr: error: unable to create file __tests__/fixtures/install/install-update-auth-invalid-cache-integrity/.yarn-cache/v6/npm-safe-buffer-5.1.1-893312af69b2123def71f57889001671eeb2c853-integrity/node_modules/safe-buffer/.yarn-metadata.json: Filename too long

It's currently trying to check out the code to C:\Program Files (x86)\Jenkins\workspace\yarn-chocolatey. I can probably move the directory around to avoid this (and will probably move this to GitHub Actions in the future), but I wonder if other people working on Yarn could hit the same issue.