Commit

Remove integrity SHAs for git dependencies
It appears that different machines can produce different hashes for
git-based dependencies, so the npm team moved to completely remove
integrity checksums for them. Apparently these checksums were based
on gzipped archives, which are not guaranteed to be binary identical
for the same inputs across different CPU architectures. There is
still some cryptographic integrity defense as the dependency is
pinned to a git commit and that relies on the entire previous history
of the repo, as discussed in the later parts of this issue on npm.

npm/cli#2846
jaltekruse committed Mar 23, 2022
1 parent 6015ae7 commit 543042c
Showing 1 changed file with 0 additions and 4 deletions.
4 changes: 0 additions & 4 deletions package-lock.json
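
The cause named in the commit message, as an added example that is not part of this commit or of npm's code: an SRI hash taken over a gzipped archive changes when the encoder output changes, while a hash over the unpacked bytes does not. The payload is constructed, and the differing compression level is an assumed stand-in for whatever differs between machines.

```javascript
const crypto = require('crypto');
const zlib = require('zlib');

// SRI-style string, the format of the "integrity" field in package-lock.json.
function sri(buf) {
  return 'sha512-' + crypto.createHash('sha512').update(buf).digest('base64');
}

// Constructed stand-in for the archive contents packed from a git checkout.
const payload = Buffer.from('module.exports = () => "hello";\n'.repeat(200));

// Two producers gzip identical input. The level differs here (assumption) to
// model encoder differences; gzip output is not canonical for a given input.
function packOn(machine, content) {
  const level = machine === 'A' ? 1 : 9;
  return zlib.gzipSync(content, { level });
}

// What a lockfile check does: compare the recorded hash with the archive hash.
function verifyArchive(recordedIntegrity, archive) {
  return sri(archive) === recordedIntegrity;
}

function compare(content) {
  const archiveA = packOn('A', content);
  const archiveB = packOn('B', content);
  const lockedOnA = sri(archiveA); // value machine A would write to the lockfile
  return {
    // Machine A re-checks its own archive: passes.
    sameMachinePasses: verifyArchive(lockedOnA, archiveA),
    // Machine B builds the archive itself: spurious integrity failure.
    otherMachinePasses: verifyArchive(lockedOnA, archiveB),
    // Hashing the unpacked bytes is stable across both producers.
    contentHashesMatch:
      sri(zlib.gunzipSync(archiveA)) === sri(zlib.gunzipSync(archiveB)),
  };
}

console.log(compare(payload));
```
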
