Does your JavaScript app throw an NPM EINTEGRITY error (that is, anything starting with an npm ERR! code EINTEGRITY line) when installing npm packages (via the npm install command)? Then we have the solution for all such problems.
TL;DR
Solution for all npm ERR! code EINTEGRITY errors 🙏
$ cd <project_directory>
$ rm -rf package-lock.json npm-shrinkwrap.json node_modules
$ npm cache clean --force
$ npm cache verify
$ npm install
WARNING: One possible root cause for this can be fraudulent code changes (very unlikely to happen though). Therefore, you are highly advised to find the root cause on your own or with the support of the package author, or to report the situation to an expert. If you clearly know the root cause and it is not harmful, there’s no need to worry about this error.
NOTE: If it keeps failing and you have intermediary network components like proxy devices, corporate filtering/caching mechanisms between your NPM environment and the target NPM registry, please verify that no packet loss / slowness / config errors / similar network issues are present in those connections.
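The commands above delete package-lock.json and with it the recorded checksums, so keep a copy of the old file before running them. The following added example (not code from the original post or from npm) compares such a saved copy with the regenerated lockfile and reports which packages kept their version but changed content. It assumes lockfileVersion 2 or 3 (a "packages" map); the package names and digests are constructed placeholders.

```javascript
// Integrity entries by install path from a lockfileVersion 2/3 document (the
// "packages" map); the root project entry "" carries no integrity value.
function integrityMap(lock) {
  const out = new Map();
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path !== '' && meta.integrity) out.set(path, meta);
  }
  return out;
}

// "sha1-... sha512-..." -> "sha1,sha512"
const algorithmsOf = (integrity) =>
  integrity.trim().split(/\s+/).map((e) => e.split('-')[0]).sort().join(',');

// Classify every path present in both lockfiles whose integrity value changed.
function diffIntegrity(oldLock, newLock) {
  const before = integrityMap(oldLock);
  const findings = [];
  for (const [path, now] of integrityMap(newLock)) {
    const was = before.get(path);
    if (!was || was.integrity === now.integrity) continue;
    let kind = 'same version, different content'; // the case to investigate
    if (was.version !== now.version) kind = 'version changed';
    else if (algorithmsOf(was.integrity) !== algorithmsOf(now.integrity)) kind = 'hash algorithm changed';
    findings.push({ path, version: now.version, kind });
  }
  return findings;
}

// Constructed lockfiles for hypothetical packages; digests are placeholders.
const oldLock = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app' },
  'node_modules/pkg-a': { version: '1.0.0', integrity: 'sha512-AAAA' },
  'node_modules/pkg-b': { version: '2.1.0', integrity: 'sha1-BBBB' },
  'node_modules/pkg-c': { version: '3.0.0', integrity: 'sha512-CCCC' },
} };
const newLock = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app' },
  'node_modules/pkg-a': { version: '1.0.0', integrity: 'sha512-ZZZZ' },
  'node_modules/pkg-b': { version: '2.1.0', integrity: 'sha512-YYYY' },
  'node_modules/pkg-c': { version: '3.0.1', integrity: 'sha512-XXXX' },
} };
console.log(diffIntegrity(oldLock, newLock));
```

With real files, pass the two parsed JSON documents to diffIntegrity; only a "same version, different content" finding means the bytes behind an unchanged version tag differ.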
Demystifying each error message
If you would like to dig into each error message and learn the real root causes behind it, please read on.
About NPM integrity checksum comparison
While your package.json file keeps track of the NPM package names and version tags of your project dependencies (the top-level npm packages you installed with the npm install <package_name> command), the package-lock.json file keeps track of their exact version references and the dependency tree resolved for both the top-level packages and their dependent sub-packages that were actually downloaded and stored inside the node_modules directory.
To prevent byte-level content mismatches, data corruption, and malicious content manipulation, and to preserve the data integrity of all downloaded packages consistently, the package-lock.json file also includes SHA-512 checksum values of all the objects that were downloaded. During each npm install, NPM compares and verifies the objects being downloaded against the checksum values saved in the file.
If the content inside any such npm package changes (due to an intentional or unintentional attempt) between the remote and the local, its checksum value will also be different, and that will cause an npm package integrity error.
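The comparison described above, as an added example (not code from the original post and not npm's own implementation): it recomputes a tarball's digest in the algorithm-base64 form stored in the lockfile's integrity field and compares it with the recorded value, always using the algorithm the entry was recorded with, so sha1 entries are handled too. The package name, URL and tarball bytes are constructed placeholders.

```javascript
const { createHash } = require('crypto');

// Weakest to strongest; the strongest algorithm recorded in an entry is checked.
const ALGORITHMS = ['sha1', 'sha256', 'sha384', 'sha512'];

// Split an integrity string ("sha512-<base64>", entries separated by spaces)
// into { algorithm, digest } pairs, dropping malformed or unknown entries.
function parseIntegrity(integrity) {
  return String(integrity || '').trim().split(/\s+/)
    .map((entry) => {
      const dash = entry.indexOf('-');
      return { algorithm: entry.slice(0, dash), digest: entry.slice(dash + 1) };
    })
    .filter((e) => ALGORITHMS.includes(e.algorithm) && e.digest.length > 0);
}

// Hash tarball bytes and render the digest in the form the lockfile stores.
function integrityOf(bytes, algorithm = 'sha512') {
  return `${algorithm}-${createHash(algorithm).update(bytes).digest('base64')}`;
}

// Recompute the digest with the recorded algorithm, so a sha1 entry is
// compared against a sha1 digest and never against a sha512 one.
function verifyEntry(integrity, bytes) {
  const recorded = parseIntegrity(integrity);
  if (recorded.length === 0) return { ok: false, reason: 'no usable integrity value' };
  const best = recorded.reduce((a, b) =>
    (ALGORITHMS.indexOf(b.algorithm) > ALGORITHMS.indexOf(a.algorithm) ? b : a));
  const wanted = `${best.algorithm}-${best.digest}`;
  const got = integrityOf(bytes, best.algorithm);
  const ok = wanted === got;
  return { ok, algorithm: best.algorithm, wanted, got, reason: ok ? 'match' : 'content differs' };
}

// Constructed sample: stand-in bytes and a lockfile-style entry for a
// hypothetical package; real input would be the downloaded .tgz file's bytes.
const tarball = Buffer.from('constructed stand-in for example-pkg-1.0.0.tgz');
const lockEntry = {
  resolved: 'https://registry.example.invalid/example-pkg/-/example-pkg-1.0.0.tgz',
  integrity: integrityOf(tarball),
};
function demo() {
  const altered = Buffer.concat([tarball, Buffer.from('!')]);
  return {
    unchanged: verifyEntry(lockEntry.integrity, tarball).reason,
    altered: verifyEntry(lockEntry.integrity, altered).reason,
    sha1Lock: verifyEntry(integrityOf(tarball, 'sha1'), tarball).algorithm,
  };
}
console.log(demo());
```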
This error can occur due to a few root causes. Sometimes you can pinpoint them exactly, but most times you need to contact the package author(s) of the failed dependency or your network people to clarify the root cause. Here are a few possible scenarios.
1. integrity checksum failed when using sha512 ... but got sha512
Full error:
npm WARN tarball tarball data for <package_name>@<package_version> (sha512-<long_hash_1>) seems to be corrupted. Trying one more time.
npm ERR! code EINTEGRITY
npm ERR! Verification failed while extracting <package_name>@<package_version>
npm ERR! Verification failed while extracting <package_name>@<package_version>
npm ERR! sha512-<long_hash_1> integrity checksum failed when using sha512-<long_hash_1> but got sha512-<long_hash_2> (<number> bytes)
npm ERR! A complete log of this run can be found in:
npm ERR! <npm_debug_log_file_location>
Error meaning:
- Clearly, the checksum values of the previous objects and the new objects are different, which means that even though the package name and version tag are unchanged, the content has changed. The root cause must be inspected because this type of content change carries a risk too.
Possible reasons:
- The package author unpublishes the current package in your target NPM registry, makes some content changes, and republishes it with the same version tag (even though the version tag is unchanged, a new checksum value will be generated since the content has changed). This can often happen in private development environments, but is highly unlikely to happen in the open source world.
- Proxy servers, intermediary caches, or the target NPM registry can contain wrong package objects (due to data corruption, network packet losses, wrong package rebuilds, fraudulent activities, possible node/npm bugs, and many similar scenarios).
2. integrity checksum failed when using sha1: wanted sha1 ... but got sha512
Full error:
npm WARN registry Unexpected warning for https://registry.npmjs.org/: Miscellaneous Warning EINTEGRITY: sha1-<long_hash_1> integrity checksum failed when using sha1: wanted sha1-<long_hash_1> but got sha512-<long_hash_2> (<number> bytes)
Error meaning:
- Your NPM process expects a sha1-based checksum, but has received a sha512-based checksum (both of these are cryptographic hash functions that are secure against malicious changes).
Possible reasons:
- Your package-lock.json file has been generated by a newer NPM version which uses sha512 while your local NPM version is old and uses sha1.
NOTE: In the past, NPM used the SHA1 method for checksum generation. The sha512 method is newer and better than sha1. Therefore, NPM moved from sha1 to sha512.
Even though you can fix this error by applying the above solution, you are advised to update the local NPM version via npm i -g npm and start using sha512 in the future.
3. integrity checksum failed when using sha512: wanted sha512 ... but got sha1
Full error:
npm WARN registry Unexpected warning for https://registry.npmjs.org/: Miscellaneous Warning EINTEGRITY: sha512-<long_hash_1> integrity checksum failed when using sha512: wanted sha512-<long_hash_1> but got sha1-<long_hash_2> (<number> bytes)
Error meaning:
- Your NPM process expects a sha512-based checksum, but has received a sha1-based checksum (i.e. the exact opposite of the above scenario).
Possible reasons:
- Your package-lock.json file has been generated by an old NPM version which uses sha1 while your NPM version is new and uses sha512.
NOTE: As mentioned in #2, this has occurred due to a mismatch in NPM checksum calculation methods.
Even though you can fix this error by applying the above solution, you are advised to update the remote NPM versions via npm i -g npm and start using sha512 everywhere.
4. npm ERR! shasum check failed for ... npm ERR! Expected: ... npm ERR! Actual: ...
Full error:
npm ERR! shasum check failed for <local_file_location>
npm ERR! Expected: <long_hash_1>
npm ERR! Actual: <long_hash_2>
npm ERR! From: <remote_file_location>
Error meaning:
- Again, this is a mismatch between the checksum values of the newly downloaded objects and the ones mentioned in the package-lock.json file.
Possible reasons:
- This can occur due to the same reasons mentioned in #1.