Checksum error

[frikiluser]

Hi,

I'm trying to build silvermine/videojs-chromecast and silvermine/videojs-airplay and I've got the following error in both cases:

npm ERR! sha512-KrYZzR9lTlVRXlq6wlvxwn5zBIIVto0DQyB2o//kUUMcAUaB2uYRSmzsVgjSu93NjjMz3C/IwoDysqTBUe5bEw== integrity checksum failed when using sha512: wanted sha512-KrYZzR9lTlVRXlq6wlvxwn5zBIIVto0DQyB2o//kUUMcAUaB2uYRSmzsVgjSu93NjjMz3C/IwoDysqTBUe5bEw== but got sha512-94PNadur6JfRFG6YN4F0fd2k596PYY7rTsHY1d5KjOjNGSzTSx41C+1cDZLkyXKDQfenJe7j0n+m50LoQ/9PjQ==. (2278 bytes)

The package-lock.json in both projects contain:

    "node_modules/silvermine-serverless-utils": {
      "version": "0.1.0",
      "resolved": "git+ssh://git@github.com/silvermine/serverless-utils.git#910f1149af824fc8d0fa840878079c7d3df0f414",
      "integrity": "sha512-KrYZzR9lTlVRXlq6wlvxwn5zBIIVto0DQyB2o//kUUMcAUaB2uYRSmzsVgjSu93NjjMz3C/IwoDysqTBUe5bEw==",
      "dev": true,
      "license": "MIT"
    },

Removing integrity line workarounds the problem.

[jthomerson]

@pbredenberg is this related to recent Node upgrades?

[frikiluser]

Tested with npm=7.5.2 and node=18.13.0.

npm update before npm install solves the problem.

May the package-lock.json file be removed from the repository? Sorry I'm not a js guy 😅

[pbredenberg]

Hi @frikiluser - I just tested this using Node.js 18.13.0 and NPM 7.5.2, and I was able to build videojs-chromecast 1.3.4 with grunt build and wasn't able to reproduce this issue.

Could you share what version of silvermine/videojs-chromecast and silvermine/videojs-airplay you're trying to build?

[frikiluser]

Hi @pbredenberg It failed with npm install unless I run npm update before.

[pbredenberg]

Hi @pbredenberg It failed with npm install unless I run npm update before.

Thanks for your reply. I understand what you're telling me from the thread here so far, but can you please let me know specifically which versions of the two libraries you are trying to build? Are they the very latest?

[frikiluser]

which versions of the two libraries you are trying to build? Are they the very latest?

Last tagged releases

[pbredenberg]

@frikiluser this issue doesn't appear to be related to serverless-utils, and I'm not able to reproduce it. If you can provide a MRE demonstrating the problem, I'd be happy to look further.

To directly answer your question as to whether we can remove the package-lock.json file, there are many reasons they are important to have in every project. These are stated in NPM's documentation if you're interested in taking a look.

Not directly stated in the above document, but still important nonetheless, is the value of the dependency's integrity field which is causing your issues. NPM verifies this SHA hash against the compressed tarball of each dependency, and if there is a mismatch, it will throw an error. There are several reasons this could happen, but most likely there was a problem downloading the package initially, causing the tarball to become corrupt, thus this check would fail.

In some cases, removing the node_modules/ directory and the package-lock.json file, then running npm install again (rebuilding the dependency tree) will fix the problem.