Adds an auto-add-integrity option #6255
Conversation
|
I don't think we have to, the switch requires an explicit acknowledgement anyway (since it defaults to true), and missing integrity isn't deprecated, since we'll likely always have to support them. |
|
Regarding always having to support fields without integrity: why is that? I was thinking that a couple more PRs (adding github, urls, local files, etc.) and we can get rid of the shasum and move everything to the integrity field (similar to the way About explicitivity (that's a word, right?): I'm just worried that people can add it to their file, forget about it and then have everything crash and burn once we (hopefully) remove shasums* from the lockfile. *by removing shasums I just mean moving the "url suffix" we're currently using to the integrity field. I'm not discussing algorithms, sha1/sha512, etc. |
|
Oh I see what you mean - if users don't switch now to the integrity field, then they will lose some security once we stop supporting them (it won't "crash and burn" because we would just not run the validation if it's missing, I guess). Yeah, that's true. Still, we have a lot of warning messages already, and I'm a bit afraid this one will get lost in the middle and be ignored :( |
|
Makes sense... How about taking a page from the React book and calling the config something like |
|
Good for me 👍 I'll prefix the name with |
|
Renamed the yarnrc field to |
|
Tests are passing except for a timeout - @imsnif, all good for you? |
|
Yep, looks cool! |
Summary
This PR gives a way to disable the behavior that makes Yarn automatically add the integrity in the package.json if it is missing. This helps large codebases to adapt (they won't be blocked until the change can be done).
Note that this PR doesn't obsolete #6248 - I'll have to rebase one of them, but they both are valid on their own.
Test plan
Added a test 👍