Open grahamc opened 4 years ago
Just a note that since 2017 both yarn and npm use sha512 by default (sha1 is only used for compatibility with legacy packages).
The `integrity` field in the `yarn.lock` file contains the sha512.
Sounds good, then it won't require many packages to be rehashed to get a sha-512.
sha1 is pretty broken: https://sha-mbles.github.io/
I think it is time to force a move to sha256. If npm isn't providing better than sha1, I think we should fetch the file, validate the sha1 matches, and then calculate a sha256.
What do you think about that? Right now, yarn2nix-built packages represent the vast majority of sha1 references in Nixpkgs, which we're trying to get rid of: https://github.com/NixOS/nixpkgs/issues/77238
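The fetch-then-verify-then-rehash step proposed above, as an added example that is not code from this issue, yarn2nix or Nixpkgs. It assumes the lock entry arrives either as an SRI `integrity` string (what yarn and npm write) or as a bare sha1 hex digest for legacy packages, and that the package bytes have already been fetched.

```python
import base64
import hashlib

# Preference order when a lock entry carries several digests: always verify
# against the strongest one offered, never fall back to sha1 if sha512 exists.
STRENGTH = ["sha512", "sha384", "sha256", "sha1"]

# Constructed sample "tarball" bytes standing in for a fetched npm package.
SAMPLE = b"constructed tarball bytes\n"


def parse_integrity(value):
    """Parse an SRI string such as 'sha512-<b64> sha1-<b64>' into {algo: raw digest}."""
    digests = {}
    for token in value.split():
        algo, _, b64 = token.partition("-")
        if algo in STRENGTH:  # unknown algorithms are ignored, as SRI specifies
            digests[algo] = base64.b64decode(b64)
    return digests


def sri(data, algo):
    """Render the digest of `data` in SRI form, e.g. 'sha256-<b64>'."""
    return algo + "-" + base64.b64encode(hashlib.new(algo, data).digest()).decode()


def strongest_match(data, expected):
    """Return the strongest algorithm in `expected` whose digest matches `data`,
    or None when that digest does not match. Weaker digests are not consulted:
    a sha1 that happens to match must not rescue a package whose sha512 is wrong."""
    for algo in STRENGTH:
        if algo in expected:
            if hashlib.new(algo, data).digest() == expected[algo]:
                return algo
            return None
    return None


def verify_and_upgrade(data, integrity=None, sha1_hex=None):
    """Check fetched bytes against the lock entry, then return the sha256 SRI
    string that can replace the legacy sha1 reference (hypothetical helper)."""
    expected = parse_integrity(integrity) if integrity else {}
    if sha1_hex:
        expected.setdefault("sha1", bytes.fromhex(sha1_hex))
    if not expected:
        raise ValueError("lock entry carries no digest at all")
    if strongest_match(data, expected) is None:
        raise ValueError("fetched package does not match its lock entry")
    return sri(data, "sha256")
```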