@stevedennis - that's great, many thanks!
alexjeffreys_3320
Latest posts made by alexjeffreys_3320
-
RE: npm missing sha512 integrity
Hi @stevedennis
When I have been installing packages via registry.npmjs.org, npm is utilising the sha512 integrity for pretty much all packages. If I then set my default registry to switch to using proget, the npm install fails.
So in my case, I have been developing against the main npm registry (other than some private packages) and I'm setting up proget as part of a ci process which I want to use proget as the primary source for all packages.
I guess my workaround today would be to delete the package-lock.json and run a fresh npm install against the proget registry, but this is not ideal - I don't really want to force all developers to use proget instead of the core registry (for open-source packages).
I'm just trying to look at when the main npm registry started to roll out sha512 - I think around npm v5. It's pretty much the de-facto standard, so I would hope this is a strong argument for a feature request to be worked on, and hopefully not difficult to implement either.
So far as security is concerned, I guess it's fine if the whole trust model is "implicitly trust proget". If I've developed something and locked in to packages I've used from the core npm registry, I can no longer (easily) check that the packages proget has in its registry are authentic?
How should this proceed then, by creating a Feature Request?
Many thanks in advance
Alex
-
npm missing sha512 integrity
When publishing or mirroring npm packages, the package metadata only contains the sha1-based ".shasum" field and is missing the sha512 ".integrity" field.
I am trying this on proget free 5.3.24. It can easily be reproduced by using an "npm view" command on any package from a proget feed, either private, uploaded, or mirrored.
e.g.
npm view abbrev@1.1.1 --registry http://proget.local/npm/npm-mirror/
npm view abbrev@1.1.1 --registry https://registry.npmjs.org/
[snip]
dist
.tarball: https://registry.npmjs.org/abbrev/-/abbrev-1.1.1.tgz
.shasum: f8f2c887ad10bf67f634f005b6987fed3179aac8
.integrity: sha512-nne9/IiQ/hzIhY6pdDnbBtz7DjPTKrY00P/zvPSm5pOFkl6xuGrGnXn/VtTNNfNtAfZ9/1RtehkszU9qcTii0Q==
This ".integrity" metadata is not available on proget.
Is this not supported? If not, is this on the development roadmap?
Thank you