fix: fallback to shasum when integrity is not defined (#542)

Some npm registries do not define an `integrity` field, in which case we can try using the `shasum` field instead.
nodejs · Jul 21, 2024 · eb63873 · eb63873
1 parent 93a49c8
commit eb63873
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 5 deletions.
diff --git a/sources/npmRegistryUtils.ts b/sources/npmRegistryUtils.ts
@@ -62,7 +62,7 @@ export function verifySignature({signatures, integrity, packageName, version}: {
 export async function fetchLatestStableVersion(packageName: string) {
  const metadata = await fetchAsJson(packageName, `latest`);
 
- const {version, dist: {integrity, signatures}} = metadata;
+ const {version, dist: {integrity, signatures, shasum}} = metadata;
 
  if (!shouldSkipIntegrityCheck()) {
  verifySignature({
@@ -71,7 +71,11 @@ export async function fetchLatestStableVersion(packageName: string) {
  });
  }
 
- return `${version}+sha512.${Buffer.from(integrity.slice(7), `base64`).toString(`hex`)}`;
+ return `${version}+${
+ integrity ?
+ `sha512.${Buffer.from(integrity.slice(7), `base64`).toString(`hex`)}` :
+ `sha1.${shasum}`
+ }`;
 }
 
 export async function fetchAvailableTags(packageName: string) {

diff --git a/tests/_registryServer.mjs b/tests/_registryServer.mjs
@@ -87,7 +87,7 @@ const registry = {
 function generateSignature(packageName, version) {
  if (privateKey == null) return undefined;
  const sign = createSign(`SHA256`).end(`${packageName}@${version}:${integrity}`);
- return {signatures: [{
+ return {integrity, signatures: [{
  keyid,
  sig: sign.sign(privateKey, `base64`),
  }]};
@@ -100,10 +100,8 @@ function generateVersionMetadata(packageName, version) {
  [packageName]: `./bin/${packageName}.js`,
  },
  dist: {
- integrity,
  shasum,
  size: mockPackageTarGz.length,
- noattachment: false,
  tarball: `https://registry.npmjs.org/${packageName}/-/${packageName}-${version}.tgz`,
  ...generateSignature(packageName, version),
  },

diff --git a/tests/main.test.ts b/tests/main.test.ts
@@ -887,6 +887,30 @@ it(`should download yarn berry from custom registry`, async () => {
  });
 });
 
+it(`should download latest pnpm from custom registry`, async () => {
+ await xfs.mktempPromise(async cwd => {
+ process.env.AUTH_TYPE = `COREPACK_NPM_TOKEN`; // See `_registryServer.mjs`
+ process.env.COREPACK_DEFAULT_TO_LATEST = `1`;
+ process.env.COREPACK_INTEGRITY_KEYS = `0`;
+
+ await xfs.writeJsonPromise(ppath.join(cwd, `package.json` as Filename), {
+ });
+
+ await expect(runCli(cwd, [`pnpm`, `--version`], true)).resolves.toMatchObject({
+ exitCode: 0,
+ stdout: `pnpm: Hello from custom registry\n`,
+ stderr: /^! The local project doesn't define a 'packageManager' field\. Corepack will now add one referencing pnpm@1\.9998\.9999@sha1\./,
+ });
+
+ // Should keep working with cache
+ await expect(runCli(cwd, [`pnpm`, `--version`])).resolves.toMatchObject({
+ exitCode: 0,
+ stdout: `pnpm: Hello from custom registry\n`,
+ stderr: ``,
+ });
+ });
+});
+
 for (const authType of [`COREPACK_NPM_REGISTRY`, `COREPACK_NPM_TOKEN`, `COREPACK_NPM_PASSWORD`, `PROXY`]) {
  describe(`custom registry with auth ${authType}`, () => {
  beforeEach(() => {