sha1 vs sha512 integrity

triaged

(Bence Dányi) #1

What I Wanted to Do

Bump packages in package-lock.json, so every package has sha512 checksums.

What Happened Instead

Some packages have sha512 checksums, some have sha1.

Reproduction Steps

$ node -v && npm -v && rm -rf node_modules package-lock.json && echo '{"dependencies":{"react-redux":"4.4.9"}}' > package.json && npm cache clean --force && npm i && grep sha1 package-lock.json | wc -l && grep sha512 package-lock.json | wc -l

v10.12.0
6.4.1
npm WARN using --force I sure hope you know what you are doing.
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN react-redux@4.4.9 requires a peer of react@^0.14.0 || ^15.0.0-0 || ^15.4.0-0 || ^16.0.0-0 but none is installed. You must install peer dependencies yourself.
npm WARN react-redux@4.4.9 requires a peer of redux@^2.0.0 || ^3.0.0 but none is installed. You must install peer dependencies yourself.
npm WARN tmp No description
npm WARN tmp No repository field.
npm WARN tmp No license field.

added 22 packages from 96 contributors and audited 32 packages in 2.226s
found 0 vulnerabilities

       8
      14

Details

Is this the expected behavior? I thought npm was always trying to use the strongest hash algo.

Platform Info

$ npm --versions
{ npm: '6.4.1',
  ares: '1.14.0',
  cldr: '33.1',
  http_parser: '2.8.0',
  icu: '62.1',
  modules: '64',
  napi: '3',
  nghttp2: '1.34.0',
  node: '10.12.0',
  openssl: '1.1.0i',
  tz: '2018e',
  unicode: '11.0',
  uv: '1.23.2',
  v8: '6.8.275.32-node.35',
  zlib: '1.2.11' }
$ node -p process.platform
darwin

(Kat Marchán) #2

Only packages published with npm@5 or later will include a sha512. This is working as intended.
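
Added example (not from this thread or from npm itself): a small script that walks a `package-lock.json` (lockfileVersion 1, as npm 6 writes it) and reports which integrity algorithm each entry carries, so the sha1/sha512 split the reproduction above counts with `grep` can be attributed to specific packages. The `integrity` field is a Subresource Integrity string (`<algo>-<base64>`, possibly several separated by spaces); the sample lockfile and its digests are constructed for illustration, not real hashes.

```javascript
// Added example: audit integrity algorithms in an npm 6 package-lock.json.
// npm stores each dependency's checksum as an SRI string such as
// "sha512-<base64>" or "sha1-<base64>". Packages published with npm@5 or
// later carry sha512; older publishes only have sha1 (or no integrity).

// Parse one SRI string into the algorithm names it contains.
function sriAlgorithms(integrity) {
  if (typeof integrity !== 'string' || integrity.trim() === '') return [];
  return integrity
    .trim()
    .split(/\s+/)
    .map((h) => h.split('-', 1)[0].toLowerCase());
}

// Walk the lockfile's nested "dependencies" tree and collect every entry.
function collectIntegrity(deps, out = []) {
  for (const [name, entry] of Object.entries(deps || {})) {
    out.push({
      name,
      version: entry.version,
      algorithms: sriAlgorithms(entry.integrity),
    });
    if (entry.dependencies) collectIntegrity(entry.dependencies, out);
  }
  return out;
}

// Rank algorithms so each entry is classified by its strongest hash.
const STRENGTH = { sha512: 3, sha384: 2, sha256: 1, sha1: 0 };

// Returns counts per strongest algorithm and the list of entries whose only
// checksum is sha1 or that have no integrity at all. Those entries only get a
// sha512 when the upstream package is republished with npm@5 or later.
function auditLockfile(lock) {
  const entries = collectIntegrity(lock.dependencies);
  const counts = {};
  const weak = [];
  for (const e of entries) {
    const strongest = e.algorithms
      .slice()
      .sort((a, b) => (STRENGTH[b] ?? -1) - (STRENGTH[a] ?? -1))[0];
    const key = strongest || 'none';
    counts[key] = (counts[key] || 0) + 1;
    if (key === 'sha1' || key === 'none') weak.push(`${e.name}@${e.version}`);
  }
  return { total: entries.length, counts, weak };
}

// Constructed sample lockfile (fake digests; versions chosen for illustration).
const SAMPLE_LOCK = {
  name: 'tmp',
  lockfileVersion: 1,
  dependencies: {
    'react-redux': {
      version: '4.4.9',
      integrity: 'sha1-AAAAAAAAAAAAAAAAAAAAAAAAAAA=',
      dependencies: {
        'hoist-non-react-statics': {
          version: '1.2.0',
          integrity: 'sha1-BBBBBBBBBBBBBBBBBBBBBBBBBBB=',
        },
      },
    },
    'loose-envify': {
      version: '1.4.0',
      integrity: 'sha512-CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC==',
    },
    'legacy-pkg': { version: '0.0.1' },
  },
};

// Run on a real lockfile with `node audit.js path/to/package-lock.json`;
// without an argument the constructed sample is audited.
if (typeof require === 'function' && require.main === module) {
  const fs = require('fs');
  const path = process.argv[2];
  const lock = path ? JSON.parse(fs.readFileSync(path, 'utf8')) : SAMPLE_LOCK;
  console.log(JSON.stringify(auditLockfile(lock), null, 2));
}
```

The `weak` list is the actionable part: it names the entries whose lockfile pinning rests on sha1 alone, which is the set to watch for a newer upstream publish rather than something `npm i` can change locally.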


(Bence Dányi) #3

I see, thanks for the clarification!