What is the integrity property inside yarn.lock file?
For some reason, the yarn command is modifying the yarn.lock file, adding a new property to every dependency: integrity.

Git diff:

+integrity sha1-zgBCgEX7t9AxwWp7+DV4nxU2arI=

I couldn't find documentation about it so my question is - What is it?

Paugh answered 29/11, 2018 at 13:43

Comment (Holt): try this: github.com/yarnpkg/yarn/issues/2979

Comment (Bracelet): It's the product of a SHA512 hash, converted to binary, and encoded in base64: sha512sum <tarball> | awk '{ print $1 }' | xxd -r -p | base64 -w 88
That is used to detect whether the files have changed since the author originally published them. If the SHA hashes don't match because of file modifications, the integrity check fails.

The author pushes their code to a repository, and this field is used to make sure that what the repository sends out is identical to what the author produced.

The idea of an integrity field is described here: https://w3c.github.io/webappsec-subresource-integrity/#resource-integrity

Martinemartineau answered 29/11, 2018 at 21:44

Comment (Coriss): Thanks for this info. Is this documented anywhere in yarn?
The integrity field is used to verify that the versions and hashed values of the package contents in the project's package.json match those in yarn's or the package's lock file. This helps to verify that the package dependencies have not been altered.

You can check this with yarn check --integrity

Ragucci answered 18/11, 2019 at 3:15 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.