27

For some reason, the yarn command is modifying the yarn.lock file, adding a new property to every dependency: integrity.

Git diff:

+integrity sha1-zgBCgEX7t9AxwWp7+DV4nxU2arI=

I couldn't find documentation about it, so my question is: what is it?

tk421
Stav Alfi

2 Answers

15

That is used to detect whether the files have changed since the author originally published them. If the SHA hashes don't match because of file modifications, the integrity check fails.

The author pushes their code to a repository, and this field is used to make sure that what the repository sends out is identical to what the author produced.

The idea of an integrity field is described here: https://w3c.github.io/webappsec-subresource-integrity/#resource-integrity

3

The integrity field is used to verify that the versions and hashed values of the package contents in the project's package.json match those in yarn's or the package's lock file. This helps to verify that the package dependencies have not been altered.

You can check this with yarn check --integrity.

Luis Filipe
Amy Shieh