nodejs / docker-node

Official Docker Image for Node.js :whale: :turtle: :rocket:
https://hub.docker.com/_/node/
MIT License

npm on node:20.11-alpine3.18 fails with "Someone might have tampered with these packages since they were published on the registry!" #2047

Closed mitar closed 3 months ago

mitar commented 3 months ago

Environment

Expected Behavior

npm correctly installs packages.

Current Behavior

Since a few days ago, installing npm packages inside the node:20.11-alpine3.18 image is failing with:

Someone might have tampered with these packages since they were published on the registry!

Possible Solution

It looks like npm should be upgraded to 10.5.0 or newer:

https://github.com/npm/cli/issues/7279

mitar commented 3 months ago

Why was this closed? Why not update npm in the Docker image for everyone?

SimenB commented 3 months ago

https://github.com/nodejs/docker-node/blob/e5ffb12d5d0e763d68e2766e8345faeb53d29a0f/CONTRIBUTING.md?plain=1#L9

mitar commented 3 months ago

Thanks. But this now means that everyone using this package has effectively broken npm and has to increase their CI running time by upgrading npm first (after figuring out that one has to upgrade npm and that it is not that somebody is tampering with packages). I think this warrants an exception to the rule cited above.