    Posts made by alexjeffreys_3320

    • RE: npm missing sha512 integrity

      @stevedennis - that's great, many thanks!

      posted in Support
      alexjeffreys_3320
    • RE: npm missing sha512 integrity

      Hi @stevedennis

      When I have been installing packages via registry.npmjs.org, npm is utilising the sha512 integrity for pretty much all packages. If I then set my default registry to switch to using proget, the npm install fails.

      So in my case, I have been developing against the main npm registry (other than some private packages) and I'm setting up proget as part of a CI process in which I want to use proget as the primary source for all packages.

      I guess my workaround today would be to delete the package-lock.json and run a fresh npm install against the proget registry, but this is not ideal - I don't really want to force all developers to use proget instead of the core registry (for open-source packages).

      I'm just trying to look at when the main npm registry started to roll out sha512 - I think around npm v5. It's pretty much the de-facto standard, so I would hope this is a strong argument for a feature request to be worked on, and hopefully not difficult to implement either.

      So far as security is concerned, I guess it's fine if the whole trust model is "implicitly trust proget". If I've developed something and locked in to packages I've used from the core npm registry, I can no longer (easily) check that the packages proget has in its registry are authentic?

      How should this proceed then, by creating a Feature Request?

      Many thanks in advance

      Alex

      posted in Support
      alexjeffreys_3320
    • npm missing sha512 integrity

      When publishing or mirroring npm packages, the package only contains the sha1 based ".shasum" field and is missing the sha512 ".integrity" field.

      I am trying this on proget free 5.3.24. It can easily be reproduced by using an "npm view" command on any package from a proget feed, either private, uploaded, or mirrored.

      e.g.

      npm view abbrev@1.1.1 --registry http://proget.local/npm/npm-mirror/
      npm view abbrev@1.1.1 --registry https://registry.npmjs.org/
      

      [snip]

      dist
      .tarball: https://registry.npmjs.org/abbrev/-/abbrev-1.1.1.tgz
      .shasum: f8f2c887ad10bf67f634f005b6987fed3179aac8
      .integrity: sha512-nne9/IiQ/hzIhY6pdDnbBtz7DjPTKrY00P/zvPSm5pOFkl6xuGrGnXn/VtTNNfNtAfZ9/1RtehkszU9qcTii0Q==
      

      This ".integrity" metadata not being available on proget.

      Is this not supported? If not, is this on the development roadmap?

      Thank you

      posted in Support
      alexjeffreys_3320