I did everything right… and npm throws EINTEGRITY errors!

Saturday, Sep 2 2017 in javascript

In my React book, I explain how to download your frontend project dependencies with npm; in this blog post I am going to explain how to recover from an oddball error that I’ve come across once or twice.

npm records the version of each dependency your project needs in a file named package.json. Even after carefully registering your dependencies in package.json, you can still get mismatches when running npm install on multiple machines. One reason is that dependencies of dependencies can change.

npm 5 solved this with the introduction of a new file, package-lock.json. Since version 5, npm stores a checksum of each package in package-lock.json to ensure that what it downloads has not been tampered with. When a downloaded package does not match its checksum, npm refuses to install it, as it could have been compromised.

Now you should be super-safe, right?

npm caches the packages you download, so you don’t keep re-fetching packages over the network when they’re already on your machine. Unfortunately the cache itself can get corrupted, and then you’ll get this error while trying to install your dependencies:

npm ERR! sha512-w0XZubFWn0Adlsapj9EAWX0FqWdO4tz8kc3RiYdWLh4k/V8PTb6i0SMgXt0vRM3zyKnT8tKO7mUlieRQHIjMNg== 
integrity checksum failed when using sha512: 
wanted sha512-w0XZubFWn0Adlsapj9EAWX0FqWdO4tz8kc3RiYdWLh4k/V8PTb6i0SMgXt0vRM3zyKnT8tKO7mUlieRQHIjMNg== 
but got sha512-ZaDQrX7E1dcPtQZVG9rFth+yjJctgMKIbLl85Jq5fprWK2R3hiOEXyHTXJ259dZ8P5WNELsuswv6CTPfNKj/8A==. 
(106057 bytes)

As far as I’ve managed to understand, the issue here is that the cache doesn’t match package-lock.json any more. If you delete package-lock.json, you might solve the problem, but you lose integrity checking, so you should avoid that. What worked for me was running npm cache verify. The npm documentation does not specify what verify does exactly, besides ‘garbage collecting any unneeded data, and verifying the integrity of the cache index and all cached data’, but at least it removed the error. If you run out of options you could always try npm cache clean --force, which clears every package from the cache. But don’t delete package-lock.json.
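To see what the error message is comparing, here is an added example (not npm's own code and not from the original post) that recomputes the "integrity" string package-lock.json stores and checks a clean and a corrupted copy of the same bytes against it. The function names, the sample bytes and the package name are all constructed for illustration.

```javascript
const nodeCrypto = require('crypto');

// Strongest first; older lockfile entries may carry only a sha1 hash.
const ALGOS = ['sha512', 'sha384', 'sha256', 'sha1'];

// Build "<algo>-<base64 digest>", the format of the "integrity" field.
function sri(buf, algo = 'sha512') {
  return `${algo}-${nodeCrypto.createHash(algo).update(buf).digest('base64')}`;
}

// Check bytes against an integrity value that may list several
// space-separated hashes; only the strongest algorithm present counts.
function verifyIntegrity(buf, integrity) {
  const entries = integrity.trim().split(/\s+/);
  const algo = ALGOS.find((a) => entries.some((e) => e.startsWith(`${a}-`)));
  if (!algo) throw new Error(`no supported hash in "${integrity}"`);
  const wanted = entries.filter((e) => e.startsWith(`${algo}-`));
  const got = sri(buf, algo);
  return { ok: wanted.includes(got), algo, wanted, got, bytes: buf.length };
}

// Render a result in the shape of the npm error message quoted in the post.
function formatResult(r) {
  if (r.ok) return `ok (${r.algo}, ${r.bytes} bytes)`;
  return `integrity checksum failed when using ${r.algo}: ` +
    `wanted ${r.wanted.join(' ')} but got ${r.got}. (${r.bytes} bytes)`;
}

// Constructed sample data: stand-ins for a published tarball and a
// damaged copy of it sitting in the local cache.
const published = Buffer.from('constructed tarball bytes for example-pkg 1.0.0');
const cached = Buffer.from(published); // copies the bytes
cached[5] ^= 0xff;                     // one flipped byte = corrupted cache entry
const lockEntry = { integrity: sri(published) }; // as package-lock.json stores it

console.log(formatResult(verifyIntegrity(published, lockEntry.integrity)));
console.log(formatResult(verifyIntegrity(cached, lockEntry.integrity)));
```

A single flipped byte produces a completely different digest, so the message alone cannot distinguish a corrupted cache entry from a tampered package; that is why the check should stay enabled while you repair the cache.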

If you’re trying to manage a frontend project with npm, take a look at my React book for a tour of the basics.