fix: ignore integrity values for git dependencies (#123)

while this will not remove the values that are being ignored, it does ensure that we don't throw EINTEGRITY errors for git dependencies which expect a specific integrity value. see npm/rfcs#525
npm · Feb 23, 2022 · 3417714 · 3417714
1 parent 6026b73
commit 3417714
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 3 deletions.
diff --git a/lib/git.js b/lib/git.js
@@ -38,6 +38,13 @@ const addGitPlus = url => url && `git+${url}`.replace(/^(git\+)+/, 'git+')
 class GitFetcher extends Fetcher {
   constructor (spec, opts) {
     super(spec, opts)
+
+    // we never want to compare integrity for git dependencies: npm/rfcs#525
+    if (this.opts.integrity) {
+      delete this.opts.integrity
+      log.warn(`skipping integrity check for git dependency ${this.spec.fetchSpec}`)
+    }
+
     this.resolvedRef = null
     if (this.spec.hosted) {
       this.from = this.spec.hosted.shortcut({ noCommittish: false })
@@ -194,7 +201,6 @@ class GitFetcher extends Fetcher {
   [_tarballFromResolved] () {
     const stream = new Minipass()
     stream.resolved = this.resolved
-    stream.integrity = this.integrity
     stream.from = this.from
 
     // check it out and then shell out to the DirFetcher tarball packer
@@ -304,7 +310,6 @@ class GitFetcher extends Fetcher {
         this[_readPackageJson](dir + '/package.json')
           .then(mani => this.package = {
             ...mani,
-            _integrity: this.integrity && String(this.integrity),
             _resolved: this.resolved,
             _from: this.from,
           }))

diff --git a/test/git.js b/test/git.js
@@ -412,7 +412,7 @@ t.test('basic stuff', async t => {
     scripts: { prepare: 'node prepare.js', test: 'node index.js' },
     files: ['index.js'],
     _id: 'repo@1.0.0',
-    _integrity: `${g.integrity}`,
+    _integrity: undefined, // _integrity should never be present for git deps npm/rfcs#525
     _resolved: `${remote}#${g.resolvedSha}`,
   })
   t.equal(await g.manifest(), gm, 'cached manifest')
@@ -423,6 +423,29 @@ t.test('basic stuff', async t => {
   fs.statSync(me + '/s/fooblz/package.json')
 })
 
+t.test('ignores integrity for git deps', async (t) => {
+  t.plan(3)
+  const logHandler = (level, msg) => {
+    t.equal(level, 'warn')
+    t.match(msg, /^skipping integrity check for/)
+  }
+
+  process.on('log', logHandler)
+  t.teardown(() => {
+    process.removeListener('log', logHandler)
+  })
+
+  // known invalid integrity
+  const fetcher = new GitFetcher(remote + '#' + REPO_HEAD, { cache, integrity: 'sha512-beeffeed' })
+  const manifest = await fetcher.manifest()
+  t.match(manifest, {
+    _id: 'repo@1.0.0',
+    _integrity: undefined, // _integrity should never be present for git deps npm/rfcs#525
+    _resolved: `${remote}#${fetcher.resolvedSha}`,
+  })
+  t.end()
+})
+
 t.test('weird hosted that doesnt provide any fetch targets', t => {
   const hosted = {
     git () {