Commit

Remove integrity SHAs for git dependency
It appears that different machines can produce different hashes for
git-based dependencies, so the npm team moved to completely remove
integrity checksums for them. Apparently these checksums were based
on gzipped archives, which are not guaranteed to be binary identical
for the same inputs across different CPU architectures. There is
still some cryptographic integrity defense as the dependency is
pinned to a git commit and that relies on the entire previous history
of the repo, as discussed in the later parts of this issue on npm.

npm/cli#2846
jaltekruse committed Apr 14, 2022
1 parent 10f7fb7 commit a25d4df
Showing 1 changed file with 0 additions and 1 deletion.
1 change: 0 additions & 1 deletion package-lock.json
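
The reasoning in the commit message, as an added example that is not code from this repository or from npm: a digest taken over a gzipped archive changes when the encoder output changes, while a digest over the unpacked bytes stays stable and still catches tampering. The file contents are constructed, and the compression level is an assumption standing in for whatever differs between two machines.

```javascript
const crypto = require('node:crypto');
const zlib = require('node:zlib');

// Constructed stand-in for the files of a git dependency at one pinned commit.
const tree = Buffer.from(
  'module.exports = function add(a, b) { return a + b; };\n'.repeat(200)
);

// Lockfile-style integrity string: "sha512-" followed by the base64 digest.
function integrity(bytes) {
  return 'sha512-' + crypto.createHash('sha512').update(bytes).digest('base64');
}

// True when the bytes match the integrity value recorded earlier.
function check(lockedIntegrity, bytes) {
  return integrity(bytes) === lockedIntegrity;
}

// Pack content as it might be packed on one machine (level is the assumed variable).
function pack(content, level) {
  return zlib.gzipSync(content, { level });
}

function scenario() {
  // Machine A records both kinds of digest when the lockfile is written.
  const archiveA = pack(tree, 1);
  const lockedArchive = integrity(archiveA);
  const lockedContent = integrity(zlib.gunzipSync(archiveA));

  // Machine B packs the identical tree with a different encoder setting.
  const archiveB = pack(tree, 9);

  // A modified tree, packed the same way as on machine B (constructed change).
  const tampered = pack(Buffer.concat([tree, Buffer.from('// extra line\n')]), 9);

  return {
    sameContent: zlib.gunzipSync(archiveB).equals(tree),
    archiveCheckFails: !check(lockedArchive, archiveB), // spurious mismatch
    contentCheckPasses: check(lockedContent, zlib.gunzipSync(archiveB)),
    tamperDetected: !check(lockedContent, zlib.gunzipSync(tampered)),
  };
}

const result = scenario();
for (const [name, value] of Object.entries(result)) {
  console.log(name + ':', value);
}
```
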
