Support Q - how does NPM generate the shasum for a published NPM package

(Operations Research Engineering Software+) #1

The shasum that is retrieved by:

npm view foo@latest dist.shasum

seems to be generated by

cd foo && sha1sum $(npm pack)

My question is: how does that work, and how meaningful is that shasum value?

(Kat Marchán) #2

It’s generated by ssri on publish and used to verify data. npm will use the dist.integrity field and fall back to dist.shasum to verify tarballs downloaded from the registry. It does this once on download and subsequently once every time you install from the npm cache.

This is how npm guarantees that your data is not corrupted.

See also the actual code that generates it:

Verification happens in various places in pacote
