feat(tarball): add shasum from tarball when appropriate

[imsnif]

Heya!

This is the result some work done in relation to the discussion here: yarnpkg/yarn#5654

When I started writing it, I thought this was an issue but then saw the tests specifically looking for that null value (mentioning: // shasums are only when provided). So I hope this is a wanted change! In my eyes it would be consistent with the rest of the behaviour. (I personally need this to facilitate lockfile conversion). But of course, if there's something I'm missing...

Current Behavior:

pacote.manifest('ansi-regex@https://registry.npmjs.org/ansi-regex/-/ansi-regex-2.1.1.tgz')

// Manifest {
//  ...
//  _integrity: 'sha512-TIGnTpdo+...',
//  _shasum: null
// }

After this PR:

pacote.manifest('ansi-regex@https://registry.npmjs.org/ansi-regex/-/ansi-regex-2.1.1.tgz')

// Manifest {
//  ...
//  _integrity: 'sha512-TIGnTpdo+...',
//  _shasum: 'c3b33ab5ee360d86e0e628f0468ae7ef27d654df'
// }

[zkat]

You may want to add a similar exception for when the shasum is completely missing so we calculate it. See: https://github.com/zkat/pacote/blob/latest/lib/finalize-manifest.js#L143

[imsnif]

@zkat - right! So I made the adjustment (and also adjusted some fixtures in the process).
I thought about optimizing this further by only requesting the relevant algorithms from ssri.fromStream here: https://github.com/zkat/pacote/pull/149/files#diff-d97a032389356a12ced608284b9c55edR158
I decided against it because I had the feeling it would mostly complicate the code. What do you think?

[zkat]

Tests seem to be passing pretty consistently now.

Why are node streams so bad?!

[zkat]

This mostly looks good! One tiny change left that I missed 👍

[zkat]

This should probably be hash.sha512.toString(), since we don't currently put sha1s into the integrity field.

[zkat]

Actually I'll just patch this myself real quick. This is good to merge in general. No need for more back-and-forth :)

fixed it meself

[imsnif]

@zkat - that's great! Just one more suggestion if I may: With your change, maybe we can toss this line? https://github.com/zkat/pacote/pull/149/files#diff-d97a032389356a12ced608284b9c55edR169

[zkat]

oh! That's how you were doing it. I wondered why the tests were still passing. haha

[zkat]

sorry for the rush -- didn't realize you were available and I just wanted to merge this, since I'm starting to put the release together. npm@6 is going out tomorrow :)

[imsnif]

I actually just happened to walk in through the door. :)
On the contrary though - I very much appreciate the expedience!

[zkat]

omg this is what I get for editing everything on github

[imsnif]

Wait, doesn't everyone code like that?