Why did package-lock.json change the integrity hash from sha1 to sha512?
NpmNpm InstallPackage lock.jsonNpm Problem Overview
I just generated a new npm lockfile, package-lock.json, as part of my typical workflow. But I noticed that this time all of the integrity hashes have been changed from sha1 to sha512. What is happening here?
"chalk": {
"version": "2.0.1",
"resolved": "https://registry.npmjs.org/chalk/-/chalk-2.0.1.tgz",
- "integrity": "sha1-ce5R+nvkyuwaY4OffmgtgTLTDK8=",
+ "integrity": "sha512-lyuxPGr/Wfhrlem2CL/UcnUc1zcqKAImBDzukY7Y5F/yQiNdko6+fRLevlw1HgMySw7f611UIY408EtxRSoK3Q==",
[…]
}
Npm Solutions
Solution 1 - Npm
From what I can see, npm changed the integrity checksum from sha1 to sha512.
If your git changes are going from sha1 to sha512, you should do that update once and it will be good after that.
If someone else working with the codebase and sees a git change from sha512 down to sha1 (which is the issue I was having) you can fix it by running the following:
Discard the changes in git for package-lock.json
npm i -g npm
rm -rf node_modules/
npm i
This will update npm and reinstall all of your packages so that the new checksum (sha512) is present.
Solution 2 - Npm
Building on what Dave answered. The fix i found was to do the following:
npm i -g npm
cd {working directory}
rm -rf node_modules/
rm package-lock.json
npm cache clear --force
npm i
We did this for all our developers at the same time and this stopped the sha-512 vs sha-1 issue which was causing frustrating merge conflicts.
Solution 3 - Npm
See also https://github.com/npm/npm/issues/17749 which although claims the issue is 'fixed', it isn't. Removing node_modules
is a workaround.
There may be a relationship with operating systems. We're hitting this right now with developers on Linux and Windows platforms.
Solution 4 - Npm
As @Daniel Cumings I also had to remove the package-lock.json
to get rid of the sha1 hashes. Here's the Windows CLI commands for reference, which does the same as Daniel's script:
npm i -g npm
rd /s /q "node_modules"
del package-lock.json
npm cache clear --force
npm i
Solution 5 - Npm
I'm working in big team. Forcing every developer to force clean npm
cache is difficult and not reliable. Also, this doesn't help every time. So, for anyone who still facing this npm issue (same as me) and nothing else helps – try this git based tool I've built recently: https://github.com/kopach/lockfix. It reverts sha512 -> sha1
integrity changes of npm's lock files. If you add this to your postshrinkwrap
script of package.json
- you should eventually get all integrity properties set to sha512
and have lock file consistent.
npm install --save-dev lockfix
"scripts": {
"postshrinkwrap": "lockfix",
},
Solution 6 - Npm
If you're using npm
v5 or later, and you're seeing the integrity hashes changing from sha512 back to sha1, one way to remedy that without removing your package-lock.json
is to do the following:
- Remove all the sha1 integrity hashes from your
package-lock.json
(do not remove yourpackage-lock.json
); for example:diff --git a/package-lock.json b/package-lock.json index 6374e258..05f77ec8 100644 --- a/package-lock.json +++ b/package-lock.json @@ -56,12 +56,10 @@ "@babel/core": { "version": "7.9.6", "resolved": "https://registry.npmjs.org/@babel/core/-/core-7.9.6.tgz", - "integrity": "sha1-X+QF1VU04G078GD4anmTXNpfZhU=" }, "@babel/parser": { "version": "7.9.6", "resolved": "https://registry.npmjs.org/npm-adobe-release/@babel/traverse/-/traverse-7.9.6.tgz", - "integrity": "sha1-fGzlDyLGPvCJNpHXPZrCdGz7QSY=" },
- Remove your
node_modules
:rm -rf node_modules
- Clear the npm cache:
npm cache clean --force
- Install the packages:
npm install
This should result in your package-lock.json
updated with the sha512 integrity hashes.
Solution 7 - Npm
In my case npm -g i npm
was not enough, I had to modify PATH to point new npm at begining.
To check it without modification try /usr/local/bin/npm i
instead of npm i
.
Solution 8 - Npm
Further building on previous comments and suggestions, for me I needed to wipe the existing node_modules folder, the cache, and then grab the sha512 package-lock.json file from git (which was committed from another computer), and finally do an npm i. Something like this:
npm i -g npm
rm -rf node_modules/
npm cache clear --force
git reset --hard
npm i
After this package-lock.json used sha512 and other changes stabilized.