npm Community Forum (Archive)

The npm community forum has been discontinued.

To discuss usage of npm, visit the GitHub Support Community.

Support Q - how does NPM generate the shasum for a publish NPM package

the shasum that is retrieved by:

npm view foo@latest dist.shasum

seems to be generated by

cd foo && sha1sum $(npm pack)

my question is - how does that work, and how meaningful is that shasum value?

It’s generated by ssri on publish and used to verify data. npm will use the dist.integrity field and fall back to dist.shasum to verify tarballs downloaded from the registry. It does this once on download and subsequently once every time you install from the npm cache

This is how npm guarantees that your data is not corrupted.

See also the actual code that generates it:

Verification happens in various places in pacote