I suggest that it might be time to update some of the very old dependencies in this app (i.e. grunt 0.4.1 released April 2013) so that it will work with modern build systems.
npm install fails if it was run previously (In this case I ran it when I pulled v2.7, and just re-ran it after updating to v2.8).
$ npm install
WARN tarball tarball data for esprima@https://github.com/ariya/esprima/tarball/master (sha1-C0XMQgDkwwAPPkY1H9aa+FeCIPo=) seems to be corrupted. Trying one more time.
WARN tarball tarball data for esprima@https://github.com/ariya/esprima/tarball/master (sha1-C0XMQgDkwwAPPkY1H9aa+FeCIPo=) seems to be corrupted. Trying one more time.
npm ERR! code EINTEGRITY
npm ERR! Verification failed while extracting esprima@https://github.com/ariya/esprima/tarball/master:
npm ERR! Verification failed while extracting esprima@https://github.com/ariya/esprima/tarball/master:
npm ERR! sha1-C0XMQgDkwwAPPkY1H9aa+FeCIPo= integrity checksum failed when using sha1: wanted sha1-C0XMQgDkwwAPPkY1H9aa+FeCIPo= but got sha512-SVdIGYq0LOpiY9XZtA0lQW2/2yaylJnn/PCoHxQcPHljkT9L80Q8LOIyOMptNhDd53mOxRaStBofT7zPRozRsA== sha1-cr7xGPeqozHb0ANjhEbQiPyiEAc=. (6402157 bytes)
npm ERR! A complete log of this run can be found in:
npm ERR! ~/.npm/_logs/2018-11-12T00_57_32_205Z-debug.log
$
The problem is that npm 5.0+ (since May 2017) creates a package-lock.json which caches a hash for each module to ensure reproducibility. Unfortunately, there is a deep dependency on esprima/tarball/master. The hash for this dependency will change with each commit to esprima, unlike a versioned tarball, so the lock file is quickly unsatisfiable. The package lock system of npm is not designed to work with un-versioned dependencies like this -- all other dependencies reference a versioned tarball. The problem originates in the package.json file of jshint 1.1.0 (current version is 2.9.6 which does not require esprima at all), jshint 1.1.0 is a dependency of grunt-contrib-jshint 0.4.3 (current version is 2.0.0 which requires jshint ~2.9.6).
It is possible to work around this issue by removing or manually editing package-lock.json, but that defeats the benefits.
I suggest that it might be time to update some of the very old dependencies in this app (i.e. grunt 0.4.1 released April 2013) so that it will work with modern build systems.
npm installfails if it was run previously (In this case I ran it when I pulled v2.7, and just re-ran it after updating to v2.8).The problem is that npm 5.0+ (since May 2017) creates a
package-lock.jsonwhich caches a hash for each module to ensure reproducibility. Unfortunately, there is a deep dependency onesprima/tarball/master. The hash for this dependency will change with each commit to esprima, unlike a versioned tarball, so the lock file is quickly unsatisfiable. The package lock system of npm is not designed to work with un-versioned dependencies like this -- all other dependencies reference a versioned tarball. The problem originates in the package.json file of jshint 1.1.0 (current version is 2.9.6 which does not require esprima at all), jshint 1.1.0 is a dependency of grunt-contrib-jshint 0.4.3 (current version is 2.0.0 which requires jshint ~2.9.6).It is possible to work around this issue by removing or manually editing
package-lock.json, but that defeats the benefits.