yarn install sporadically fails with integrity check failure

Do you want to request a feature or report a bug?
bug

What is the current behavior?
When running yarn install (on our CI) we are finding that random dependencies fail to download due to integrity check failures:

e.g.

    yarn install --pure-lockfile
    error https://registry.yarnpkg.com/react-style-proptype/-/react-style-proptype-3.2.1.tgz: Integrity check failed for "react-style-proptype" (computed integrity doesn't match our records, got "sha512-znIMso2zjWI0V3Ne7hQcOB5HOXdPpJ0HsGw4GBs/uEmVLaN46acxHi5B0PXwOnEzSQ46hp0arB+khsFh/sVIxg==")

If the current behavior is a bug, please provide the steps to reproduce.
Have a somewhat yarn project setup with a somewhat large number of dependencies – keep yarn installing until integrity check fails.

What is the expected behavior?
No integrity checks occur

Please mention your node.js, yarn and operating system version.
node: v10.9.0
yarn: v1.10.0
OS: NixOS (Linux)

This could possibly be occurring due to network failures on our end, but I don’t consider this likely considering our build machines are EC2 instances with solid internet connections.

As a workaround for now, we are rolling back to v1.9.4

Author: Fantashit

10 thoughts on “yarn install sporadically fails with integrity check failure”

  1. @Dahaden Can you share details regarding the errors? In particular:

    • do you use --frozen-lockfile?
    • did your lockfile contain the new integrity field, or was it the same one as for 1.9.4?

    The 1.10 ships with the new integrity feature, which requires us to migrate your lockfiles by querying the npm registry for each dependency in order to add the field. If done during CI, it could increase the opportunities for the registry to return a 500 somewhere. If the integrity fields were added before being checked in, that would alleviate the issue (since the CI wouldn’t have to query the network for this anymore). cc @imsnif

    If you have the opportunity to retry the 1.10, can you add the following line into a .yarnrc file at the root of your repository? This should prevent Yarn from adding the integrity field if it is missing, which will help us determine if this is the cause of the issue or not.

    unsafe-disable-integrity-migration true
    
  2. another strange thing is that if I do the following things:

    • remove yarn.lock
    • run yarn (it will change from sha1 to sha512)
    • remove yarn.lock
    • run yarn (it will change from sha512 to sha1)
    • this will keep happening

    config:

    yarn config v1.12.3
    verbose 0.282 Checking for configuration file "/Users/sibelius/Dev/e/f/f-server/.npmrc".
    verbose 0.283 Checking for configuration file "/Users/sibelius/.npmrc".
    verbose 0.283 Found configuration file "/Users/sibelius/.npmrc".
    verbose 0.284 Checking for configuration file "/usr/local/etc/npmrc".
    verbose 0.284 Checking for configuration file "/Users/sibelius/Dev/e/f/f-server/.npmrc".
    verbose 0.285 Checking for configuration file "/Users/sibelius/Dev/e/f/.npmrc".
    verbose 0.285 Checking for configuration file "/Users/sibelius/Dev/e/.npmrc".
    verbose 0.285 Checking for configuration file "/Users/sibelius/Dev/.npmrc".
    verbose 0.285 Checking for configuration file "/Users/sibelius/.npmrc".
    verbose 0.285 Found configuration file "/Users/sibelius/.npmrc".
    verbose 0.286 Checking for configuration file "/Users/.npmrc".
    verbose 0.29 Checking for configuration file "/Users/sibelius/Dev/e/f/f-server/.yarnrc".
    verbose 0.29 Found configuration file "/Users/sibelius/Dev/e/f/f-server/.yarnrc".
    verbose 0.29 Checking for configuration file "/Users/sibelius/.yarnrc".
    verbose 0.29 Found configuration file "/Users/sibelius/.yarnrc".
    verbose 0.291 Checking for configuration file "/usr/local/etc/yarnrc".
    verbose 0.291 Checking for configuration file "/Users/sibelius/Dev/e/f/f-server/.yarnrc".
    verbose 0.291 Found configuration file "/Users/sibelius/Dev/e/f/f-server/.yarnrc".
    verbose 0.291 Checking for configuration file "/Users/sibelius/Dev/e/f/.yarnrc".
    verbose 0.291 Found configuration file "/Users/sibelius/Dev/e/f/.yarnrc".
    verbose 0.292 Checking for configuration file "/Users/sibelius/Dev/e/.yarnrc".
    verbose 0.292 Checking for configuration file "/Users/sibelius/Dev/.yarnrc".
    verbose 0.292 Checking for configuration file "/Users/sibelius/.yarnrc".
    verbose 0.292 Found configuration file "/Users/sibelius/.yarnrc".
    verbose 0.292 Checking for configuration file "/Users/.yarnrc".
    verbose 0.301 current time: 2018-11-08T11:36:25.250Z
    info yarn config
    { 'version-tag-prefix':
      'v',
     'version-git-tag':
      true,
     'version-commit-hooks':
      true,
     'version-git-sign':
      false,
     'version-git-message':
      'v%s',
     'init-version':
      '1.0.0',
     'init-license':
      'MIT',
     'save-prefix':
      '^',
     'bin-links':
      true,
     'ignore-scripts':
      false,
     'ignore-optional':
      false,
     registry:
      'https://registry.yarnpkg.com',
     'strict-ssl':
      true,
     'user-agent':
      'yarn/1.12.3 npm/? node/v10.13.0 darwin x64',
     lastUpdateCheck:
      1541611519487,
     'unsafe-disable-integrity-migration':
      true,
     'yarn-offline-mirror':
      '/Users/sibelius/Dev/e/f/f-server/yarn-offline-cache',
     'yarn-offline-mirror-pruning':
      true,
     'experimental-pack-script-packages-in-mirror':
      true }
    info npm config
    { 'init.author.name':
      'Sibelius Seraphini',
     'init.author.email':
      'sibeliusseraphini@gmai.com',
     'init.author.url':
      'https://github.com/sibelius',
     '//registry.npmjs.org/:_authToken':
      'blah',
     progress:
      true,
     python:
      '/usr/bin/python' }

    yarn-offline-mirror could be the problem?

  3. Here are two prints of what keeps happening with mongodb-memory-server:

    mongodb-memory-server@2.7.0:
      version "2.7.0"
      resolved "https://registry.yarnpkg.com/mongodb-memory-server/-/mongodb-memory-server-2.7.0.tgz#663345e8fe38e3b76c703fcc94f691c192fcbd66"
    - integrity sha512-T9zBEN3/y7/s4F83B2jAlLHtjjSEp50GQ2J0b7QMbAwM/G7Rkxzdf3cCfzOChDBfI0lQto09EOTdDam6mm0REQ==
    + integrity sha1-M2tbFYi0Q8ExxGJmGySYCdh3/qY=
      dependencies:
        "@babel/runtime" "^7.1.2"
        debug "^4.1.0"
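
    Review bot: On the integrity line, the entry for mongodb-memory-server@2.7.0 swaps a sha512 digest for a sha1 digest while version and resolved stay the same, so the lockfile ends up pinning the same tarball URL with a weaker hash. This direction of the change should not be committed: keep the sha512 line, and treat any install that rewrites it to sha1 as a reason to find out which source supplied the package metadata for that run.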

    then

    mongodb-memory-server@2.7.0:
      version "2.7.0"
      resolved "https://registry.yarnpkg.com/mongodb-memory-server/-/mongodb-memory-server-2.7.0.tgz#663345e8fe38e3b76c703fcc94f691c192fcbd66"
    -integrity sha512-T9zBEN3/y7/s4F83B2jAlLHtjjSEp50GQ2J0b7QMbAwM/G7Rkxzdf3cCfzOChDBfI0lQto09EOTdDam6mm0REQ==
    +integrity sha1-M2tbFYi0Q8ExxGJmGySYCdh3/qY=
      dependencies:
        "@babel/runtime" "^7.1.2"
        debug "^4.1.0"
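
    Review bot: The sha1 value on the added integrity line does not agree with the fragment on the unchanged resolved line. The base64 value M2tbFYi0… decodes to hex 336b5b…, while the fragment after # (Yarn v1's hex SHA-1 of the tarball) is 663345e8…, so the two hashes on this entry describe different bytes. Before accepting either integrity value, hash the tarball that was actually installed and compare it with both.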

    same machine, same yarn (I’m using 1.12.3 now)

  4. It could happen when you are using yarn local cache with the yarn registry set to a 3rd party mirror which does not yet provide the integrity field, e.g. the taobao mirror https://registry.npm.taobao.org.

  5. I’m having similar sporadic failures when using offline and verdaccio registry proxy.

    In fact, if I repeat the cycle, I still end up with an error on accepts-1.3.5.tgz:

    $ yarn cache clean
    $ rm -rf node_modules/ npm-packages-offline-cache/
    $ yarn install --update-checksums
    ...
    
    $ rm -rf node_modules/ npm-packages-offline-cache/
    $ yarn cache clean
    ...
    $ yarn
    yarn install v1.13.0
    [1/4] 🔍  Resolving packages...
    [2/4] 🚚  Fetching packages...
    error https://npm.example.net/@types%2faccepts/-/accepts-1.3.5.tgz: Integrity check failed for "@types/accepts" (computed integrity doesn't match our records, got "sha512-z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==")
    info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.
    

    and yarn.lock is updated for some random packages, but not accepts-1.3.5.tgz

    Btw, if I have the accepts-1.3.5.tgz tarball, how do I build that sha512 checksum in the encoding that’s used in the lockfile?
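
How the lockfile's integrity string is built from a tarball, in answer to the question above. This is an added example, not code from Yarn or from the commenters; it also goes a step further and checks tarball bytes against a lockfile entry. The function names are illustrative, and the sample bytes and the registry.example URL are constructed.

```javascript
const crypto = require('crypto');

// Weakest to strongest digest algorithm this example accepts.
const ALGOS = ['sha1', 'sha256', 'sha384', 'sha512'];
const fragmentOf = (buf) => crypto.createHash('sha1').update(buf).digest('hex');

// Lockfile encoding: "<algorithm>-<base64 of the raw digest bytes>".
function sri(buf, algo = 'sha512') {
  return `${algo}-${crypto.createHash(algo).update(buf).digest('base64')}`;
}

// Extract `resolved` and `integrity` from one yarn.lock (v1) entry.
function parseEntry(text) {
  const resolved = (/^\s*resolved "([^"]+)"/m.exec(text) || [])[1] || '';
  const integrity = (/^\s*integrity (\S.*)$/m.exec(text) || [])[1] || '';
  const [url, sha1Hex = null] = resolved.split('#');
  return { url, sha1Hex, hashes: integrity.split(/\s+/).filter(Boolean) };
}

// Lint that needs no tarball: a sha1 integrity value and the hex fragment
// after '#' in `resolved` must be the same digest.
function sha1AgreesWithFragment(entry) {
  const h = entry.hashes.find((x) => x.startsWith('sha1-'));
  if (!h || !entry.sha1Hex) return null; // nothing to compare
  return Buffer.from(h.slice(5), 'base64').toString('hex') === entry.sha1Hex;
}

// Check tarball bytes the way SRI does: only the strongest listed algorithm counts.
function verify(buf, entry) {
  const problems = [];
  if (entry.sha1Hex && fragmentOf(buf) !== entry.sha1Hex) problems.push('resolved-fragment-mismatch');
  const known = entry.hashes.filter((h) => ALGOS.includes(h.split('-')[0]));
  if (entry.hashes.length && !known.length) problems.push('no-supported-algorithm');
  if (known.length) {
    const best = ALGOS[Math.max(...known.map((h) => ALGOS.indexOf(h.split('-')[0])))];
    const want = known.filter((h) => h.startsWith(best + '-'));
    if (!want.includes(sri(buf, best))) problems.push(`integrity-mismatch (${best})`);
  }
  return problems;
}

// Constructed sample: stand-in bytes, not a real package tarball.
const sample = Buffer.from('constructed tarball bytes');
const entry = parseEntry(`pkg@1.0.0:
  resolved "https://registry.example/pkg/-/pkg-1.0.0.tgz#${fragmentOf(sample)}"
  integrity ${sri(sample)}
`);
console.log(sri(sample), verify(sample, entry)); // empty problem list: entry matches
```

For a real package, pass `fs.readFileSync` of the tarball to `sri` and compare the result with the `integrity` line of its lockfile entry.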

  6. #7499 did not work for me, I manually updated to 1.18.0 (should include this pr) and I am still seeing this when hitting the github package registry (GPR).

    [2/4] 🚚  Fetching packages...
    error https://npm.pkg.github.com/download/@alienfast/i18next-loader/1.1.0/215f48fb0d26ca943010d6b7c053ec56056e6b708bf34090c135d4655fc41af6: Integrity checked failed for "@alienfast/i18next-loader" (none of the specified algorithms are supported)
    info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.
    ~/p/tools ❯❯❯ yarn --version    ✘ 1
    1.18.0
    

    I am unsure if my problem is actually specific to GPR or the same as this issue.

    EDIT: yarn --update-checksums seems to have worked, even though I cleaned cache and local on previous attempts.

  7. ^^^ Joining the chorus: We’ve had huge problems with integrity check failures, and socket connection failures, on 1.19.0. Dropping our pipelines back to 1.18.0 resolves the issues.

  8. yarn v1.19.1
    Following @rosskevin’s reply, I’ve tried yarn --update-checksums before running yarn install, and it works like a charm

    pre_build:
      commands:
        - echo ">> installing dependencies"
        - yarn --update-checksums # Update checksums in the yarn.lock lockfile if there’s a mismatch between them and their package’s checksum.
        - yarn install
        - yarn lint
        - yarn tsc
        - yarn test
