Description
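When running npm install we've observed that the integrity value for a dependency in package-lock.json (and the _integrity value in the dependency's package.json in node_modules) sometimes changes for no apparent reason: sometimes it starts with sha1- and sometimes with sha512-. The prefix names the hash algorithm used to verify the tarball, so the flip changes which digest (SHA-1 or the stronger SHA-512) the lockfile pins, not just its formatting.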
By running npm install several times, removing node_modules and running npm cache clean --force between runs (and possibly something else), I've managed to capture two cached request entries in ~/.npm/_cacache which exhibit this behaviour:
SHA-512:
db/c0/37002f9ad0a4679e0f0266ec01808bed69f7750a20466b5f0e5c5d4f484a:d247acba954e5cb9677b6aaff7ddc3390c216575
{
"key": "make-fetch-happen:request-cache:https://registry.npmjs.org/babel-code-frame/-/babel-code-frame-6.26.0.tgz",
"integrity": "sha512-XqYMR2dfdGMW+hd0IUZ2PwK+fGeFkOxZJ0wY+JaQAHzt1Zx8LcvpiZD2NiGkEG8qx0CfkAOr5xt76d1e8vG90g==",
"time": 1608640925191,
"size": 2928,
"metadata": {
"url": "https://registry.npmjs.org/babel-code-frame/-/babel-code-frame-6.26.0.tgz",
"reqHeaders": {
"connection": [
"keep-alive"
],
"user-agent": [
"npm/6.14.9 node/v14.15.3 darwin x64"
],
"npm-in-ci": [
"false"
],
"npm-scope": [
""
],
"npm-session": [
"e22b38ffdf132baa"
],
"referer": [
"install"
],
"pacote-req-type": [
"tarball"
],
"pacote-pkg-id": [
"registry:babel-code-frame@https://registry.npmjs.org/babel-code-frame/-/babel-code-frame-6.26.0.tgz"
]
},
"resHeaders": {
"date": [
"Tue, 22 Dec 2020 12:42:05 GMT"
],
"content-type": [
"application/octet-stream"
],
"content-length": [
"2928"
],
"connection": [
"keep-alive"
],
"set-cookie": [
"__cfduid=dba1ba0d5679d97e7751862658a8b2bdc1608640925; expires=Thu, 21-Jan-21 12:42:05 GMT; path=/; domain=.npmjs.org; HttpOnly; SameSite=Lax"
],
"cf-ray": [
"6059ebb65c772d07-LHR"
],
"accept-ranges": [
"bytes"
],
"age": [
"3756173"
],
"cache-control": [
"public, immutable, max-age=31557600"
],
"etag": [
"\"fdca204ce9b0158bcc65745baa896e4c\""
],
"last-modified": [
"Sat, 26 May 2018 17:54:46 GMT"
],
"vary": [
"Accept-Encoding"
],
"cf-cache-status": [
"HIT"
],
"cf-request-id": [
"072c11a5f800002d075825f000000001"
],
"expect-ct": [
"max-age=604800, report-uri=\"https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct\""
],
"server": [
"cloudflare"
],
"x-fetch-attempts": [
"1"
]
}
}
}
SHA-1:
db/c0/37002f9ad0a4679e0f0266ec01808bed69f7750a20466b5f0e5c5d4f484a:f84ae26bb03fa2c70ff409926ad12c559b9faa28
{
"key": "make-fetch-happen:request-cache:https://registry.npmjs.org/babel-code-frame/-/babel-code-frame-6.26.0.tgz",
"integrity": "sha1-Y/1D99weO7fONZR9uP42mj9Yx0s=",
"time": 1608641172290,
"size": 2928,
"metadata": {
"url": "https://registry.npmjs.org/babel-code-frame/-/babel-code-frame-6.26.0.tgz",
"reqHeaders": {
"connection": [
"keep-alive"
],
"user-agent": [
"npm/6.14.9 node/v14.15.3 darwin x64"
],
"npm-in-ci": [
"false"
],
"npm-scope": [
""
],
"npm-session": [
"bb3ee71178300e0b"
],
"referer": [
"install"
],
"pacote-req-type": [
"tarball"
],
"pacote-pkg-id": [
"registry:babel-code-frame@https://registry.npmjs.org/babel-code-frame/-/babel-code-frame-6.26.0.tgz"
]
},
"resHeaders": {
"date": [
"Tue, 22 Dec 2020 12:46:12 GMT"
],
"content-type": [
"application/octet-stream"
],
"content-length": [
"2928"
],
"connection": [
"keep-alive"
],
"set-cookie": [
"__cfduid=dbf197e7846a9f430cd318935e4dc78031608641172; expires=Thu, 21-Jan-21 12:46:12 GMT; path=/; domain=.npmjs.org; HttpOnly; SameSite=Lax"
],
"cf-ray": [
"6059f1bdeb45ce23-LHR"
],
"accept-ranges": [
"bytes"
],
"age": [
"3756420"
],
"cache-control": [
"public, immutable, max-age=31557600"
],
"etag": [
"\"fdca204ce9b0158bcc65745baa896e4c\""
],
"last-modified": [
"Sat, 26 May 2018 17:54:46 GMT"
],
"vary": [
"Accept-Encoding"
],
"cf-cache-status": [
"HIT"
],
"cf-request-id": [
"072c156aad0000ce2324b40000000001"
],
"expect-ct": [
"max-age=604800, report-uri=\"https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct\""
],
"server": [
"cloudflare"
],
"x-fetch-attempts": [
"1"
]
}
}
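}
The diff between these two responses is minimal: both report the same size (2928) and the same etag, so the tarball bytes appear to be identical, and none of the captured response headers carries an integrity value. I'm therefore not sure why the registry might be returning a different integrity value each time: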
❯ diff sha1.json sha512.json
1c1
< db/c0/37002f9ad0a4679e0f0266ec01808bed69f7750a20466b5f0e5c5d4f484a:f84ae26bb03fa2c70ff409926ad12c559b9faa28 {
---
> db/c0/37002f9ad0a4679e0f0266ec01808bed69f7750a20466b5f0e5c5d4f484a:d247acba954e5cb9677b6aaff7ddc3390c216575 {
3,4c3,4
< "integrity": "sha1-Y/1D99weO7fONZR9uP42mj9Yx0s=",
< "time": 1608641172290,
---
> "integrity": "sha512-XqYMR2dfdGMW+hd0IUZ2PwK+fGeFkOxZJ0wY+JaQAHzt1Zx8LcvpiZD2NiGkEG8qx0CfkAOr5xt76d1e8vG90g==",
> "time": 1608640925191,
22c22
< "bb3ee71178300e0b"
---
> "e22b38ffdf132baa"
36c36
< "Tue, 22 Dec 2020 12:46:12 GMT"
---
> "Tue, 22 Dec 2020 12:42:05 GMT"
48c48
< "__cfduid=dbf197e7846a9f430cd318935e4dc78031608641172; expires=Thu, 21-Jan-21 12:46:12 GMT; path=/; domain=.npmjs.org; HttpOnly; SameSite=Lax"
---
> "__cfduid=dba1ba0d5679d97e7751862658a8b2bdc1608640925; expires=Thu, 21-Jan-21 12:42:05 GMT; path=/; domain=.npmjs.org; HttpOnly; SameSite=Lax"
51c51
< "6059f1bdeb45ce23-LHR"
---
> "6059ebb65c772d07-LHR"
57c57
< "3756420"
---
> "3756173"
75c75
< "072c156aad0000ce2324b40000000001"
---
> "072c11a5f800002d075825f000000001"