The npm community forum has been discontinued.
Q - how does NPM generate the shasum for a published NPM package
The shasum that is retrieved by:

    npm view foo@latest dist.shasum

seems to be generated by:

    cd foo && sha1sum $(npm pack)

My question is - how does that work, and how meaningful is that shasum value?
It’s generated by ssri on publish and used to verify data. npm will use the dist.integrity field and fall back to dist.shasum to verify tarballs downloaded from the registry. It does this once on download and subsequently once every time you install from the npm cache. This is how npm guarantees that your data is not corrupted.
See also the actual code that generates it:
Verification happens in various places in