lirantal
commented
1 year ago @yoavain worked on something similar, maybe he could chime in (and yes, we'd appreciate a PR if this is in-line with expected functionality, thank you for suggesting!)
Closed kusalk closed 1 year ago
lirantal
commented
1 year ago @yoavain worked on something similar, maybe he could chime in (and yes, we'd appreciate a PR if this is in-line with expected functionality, thank you for suggesting!)
yoavain
commented
1 year ago I published a package that replaces sha1 with sha512.
Check it out.
I use it as a postinstall script.
Currently, it supports only npm
You can try it out:
npx fix-lockfile-integrityYou can read about CLI flags and configuration here: https://www.npmjs.com/package/fix-lockfile-integrity
kusalk
commented
1 year ago I published a package that replaces sha1 with sha512. Check it out. I use it as a
postinstallscript. Currently, it supports onlynpm
This is great, with a few changes I can adapt this to work with private npm registries. edit: And here we are - https://github.com/yoavain/fix-lockfile-integrity/pull/167
@yoavain worked on something similar, maybe he could chime in (and yes, we'd appreciate a PR if this is in-line with expected functionality, thank you for suggesting!)
After having a look at the above package, what I observed earlier may be a bug in the private registry implementation I am using. So perhaps not inline with expected functionality - maybe best to wait and see if there is demand for it?
yoavain
commented
1 year ago I published a package that replaces sha1 with sha512. Check it out. I use it as a
postinstallscript. Currently, it supports onlynpmThis is great, with a few changes I can adapt this to work with private npm registries. edit: And here we are - yoavain/fix-lockfile-integrity#167
@yoavain worked on something similar, maybe he could chime in (and yes, we'd appreciate a PR if this is in-line with expected functionality, thank you for suggesting!)
After having a look at the above package, what I observed earlier may be a bug in the private registry implementation I am using. So perhaps not inline with expected functionality - maybe best to wait and see if there is demand for it?
Right, that's why I explicitly handle only registry.npmjs.org.
Had issues with Jfrog Artifactory which always return SHA1
kusalk
commented
1 year ago Had issues with Jfrog Artifactory which always return SHA1
In my case, it looks like a very old internal/scoped packaged which Artifactory has not migrated correctly during an upgrade - so it has no sha512.
lirantal
commented
1 year ago Thanks for the conversation @kusalk and @yoavain for moderating 🤗
Is your feature request related to a problem? Please describe. Not all registries/packages resolve to sha512's.
Describe the solution you'd like Be able to provide a list of exempt package/version combinations.
Describe alternatives you've considered N/A
If there is any interest in such functionality, I've got a working PR I'd be happy to contribute :)