Corrupted SHA checksum integrity

[Thebarda]

Hello there,

I receive the following when running the command npm ci:

npm ERR! code EINTEGRITY
npm ERR! sha512-/u1Tm9NF/44PqJ6/ShazfPQBfbUW2oYSsN+mHhafRI2w7qRixN4iOZ8eTv9EsxxDWD2K0Lm0z8KwE43PuYTfIw== integrity checksum failed when using sha512: wanted sha512-/u1Tm9NF/44PqJ6/ShazfPQBfbUW2oYSsN+mHhafRI2w7qRixN4iOZ8eTv9EsxxDWD2K0Lm0z8KwE43PuYTfIw== but got sha512-4Ao8AU+x9cruj2ApLDU6GWcN3L4L78ZEXwkgAofNqE9iiDAZ2J1o5M1kPyw7z8sw5pqbWaGSHKDAdLlNI72vww==. (3292993 bytes)

The dependency was not updated between the initial install and the npm ci.

I think, it might be better to store the commit id rather than a checksum that might differ even though a library is not updated

[EqualMa]

Hi. This is npm behavior. GitPkg serves that tgz file, npm calculates a shasum for it.

The shasum might change for various reasons:

• The code in that repo changed.
• When GitPkg updates, the shasum of the gzipped-tar might change even though the unzipped contents don't change. This might be related to gzip algorithm parameters are changed implicitly. I am looking into this issue.

[SimplyCorey]

Has anyone found a workaround for this? I had my CI pipelines break randomly this morning for packages using gitpkg.