Part of #11973.
Problem
registry/crates/pnpm-registry/src/publish.rs accepts incoming tarballs without verifying that their bytes hash to the integrity value the client claims in the packument. A search across that file for integrity, shasum, or hash turns up only a comment about time.modified formatting — no hashing of the payload itself.
That means:
- A buggy or partial-upload client can land a tarball on disk whose content hash does not match dist.integrity / dist.shasum in the packument.
- Downstream pnpm install will later fail with EINTEGRITY when fetching it — but by then the bad publish is already replicated to other clients/caches.
- A malicious client can deliberately decouple the advertised hash from the actual bytes, depending on whether downstream consumers verify (most do; not all do under every flag combination).
This is a silent-corruption class bug. Cost grows linearly with publishes accumulated before it's fixed.
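The server-side check this issue asks for (hash the bytes actually read, compare them to the claimed dist.integrity and legacy dist.shasum, reject a mismatch or a missing integrity field with a 400, and check Content-Length against the byte count), as an added example that is not the registry's own code: publish.rs is Rust, and this is a stand-alone Python model of the same logic. The sample tarball bytes and the EINTEGRITY_REQUIRED code name for the missing-field case are constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed sample payload standing in for an uploaded tarball (not a real package).
SAMPLE_TARBALL = b"\x1f\x8b" + b"constructed-tarball-bytes-for-illustration" * 4

class IntegrityError(ValueError):
    """Publish rejection: always HTTP 400; `code` is EINTEGRITY for a hash mismatch."""
    def __init__(self, message, code="EINTEGRITY"):
        super().__init__(message)
        self.status, self.code = 400, code

def compute_sri(data, algorithm="sha512"):
    """Subresource Integrity string '<alg>-<base64 digest>' over the raw bytes."""
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"

def legacy_shasum(data):
    """Hex SHA-1, the format of the legacy dist.shasum field."""
    return hashlib.sha1(data).hexdigest()

def verify_publish(tarball, dist, content_length=None):
    """Check the bytes actually read against versions[v].dist; return the verified SRI."""
    # Bonus check from the issue: the declared Content-Length must equal the byte count read.
    if content_length is not None and content_length != len(tarball):
        raise IntegrityError(f"Content-Length {content_length} != {len(tarball)} bytes read")
    claimed = dist.get("integrity")
    if not claimed:
        # Code name is an assumption; the issue only asks for a 400 with a clear message.
        raise IntegrityError("integrity required: dist.integrity is missing", "EINTEGRITY_REQUIRED")
    algorithm = claimed.partition("-")[0]  # an SRI value names its own algorithm
    if algorithm not in ("sha512", "sha384", "sha256"):
        raise IntegrityError(f"unsupported integrity algorithm in {claimed!r}")
    actual = compute_sri(tarball, algorithm)
    if not hmac.compare_digest(actual.encode(), claimed.encode()):  # constant-time compare
        raise IntegrityError(f"dist.integrity {claimed} does not match tarball bytes ({actual})")
    shasum = dist.get("shasum")
    if shasum is not None and not hmac.compare_digest(legacy_shasum(tarball), shasum.lower()):
        raise IntegrityError("dist.shasum does not match tarball bytes")
    return actual

def rejection_code(tarball, dist, content_length=None):
    """None if the publish would be accepted, else the code it is rejected with."""
    try:
        verify_publish(tarball, dist, content_length)
    except IntegrityError as err:
        return err.code
    return None
```

Because the check runs before anything is written, a rejected publish leaves no on-disk artifact, which is the acceptance condition the integration tests below assert.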
Scope
- Hash the uploaded tarball bytes on publish (… for dist.integrity, SHA-1 for legacy dist.shasum).
- Compare against the values the client claims in the packument (packageJson.versions[v].dist.integrity and .shasum).
- Reject mismatches with EINTEGRITY (match what clients already understand).
- Reject when the dist.integrity field is missing entirely (today npm always sends it; mirror the tarball-shaped-lockfile change from f03dc2d in spirit).
Bonus (same PR, cheap once we're hashing)
- Check that Content-Length matches the byte count we actually read.
Acceptance
- Integration test: publish a tarball whose declared dist.integrity doesn't match the bytes → 400 EINTEGRITY, no on-disk artifact written.
- Integration test: publish without dist.integrity in the packument → 400 with a clear "integrity required" message.
- Integration test: well-formed publish still succeeds; pnpm install against the resulting registry verifies the tarball end-to-end.
Related
Written by an agent (Claude Code, claude-opus-4-7).