npm install: Verfication failed while extracting

Question

READ BEFORE ANSWER: I've already solved this issue. It was a caching issue on the npm servers. Everything works fine after switching to GitHub packages. I've already accepted my own answer .

---

---

---

I have a project, which I want to deploy to elastic beanstalk but sometimes the deploy fails on the npm install script with the following message:

npm ERR! code EINTEGRITY
npm ERR! Verification failed while extracting @my-package@^1.2.0:
npm ERR! Verification failed while extracting @my-package@^1.2.0:
npm ERR! sha512-lQ...HA== integrity checksum failed when using sha512: wanted sha512-lQ...HA== but got sha512-nH...ow==. (4835509 bytes)

It fails even on packages which are severel weeks old.

I've tried:

• npm cache clean --force

• npm cache verify

• node_modules is in .npmignore

• package-lock.json is in .npmignore

• Writing a mail to support@npmjs.com, but they replying always with some helpless default replies without any solution or intention to help.

It fails even on new elastic beanstalk instances.

I have no idea how to solve this problem.

EDIT: I've also tried to delete the npm cache while preinstall script, but it doesn't work either.

EDIT2: My repo has no package-lock.json .

EDIT3: My .npmrc file has the following content

      //registry.npmjs.org/:_authToken=${NPM_TOKEN}
      unsafe-perm=true
      package-lock=false
      strict-ssl=false

EDIT4: I think it wasn't clear: It's a private package on the official npm registry. And it doesn't fail always. The current publish process includes several attempts to deploy on aws instance so long as it's succeed.

Answer 1

Have u try to delete package-lock.json?

OR

Try to delete npm and npm-cache folders

THEN

re-run npm install

Answer 2

Not exactly your case, but for those who run into the "integrity checksum failed" error the following might help. But first make sure you understand what's going on. npm tells you that the checksum from https://registry.npm.org doesn't match the one from package-lock.json . Either it changed in the registry, or...

Consider a line from the output:

npm ERR!
  sha512-lQ...HA==
integrity checksum failed when using sha512: wanted
  sha512-lQ...HA==
but got
  sha512-nH...ow==
. (4835509 bytes)

Find the package in package-lock.json by the first two integrity checksums ( sha512-lQ...HA== ), and put the third one ( sha512-nH...ow== ) into its "integrity" field.

More on it here .

Answer 3

It seems to be a caching issue at the npm servers. We've switched from npm to GitHub packages, everything works fine there.

Answer 4

It could be that the version of NPM on these instances are out of date. Could you try either: npm install -g npm

Have you made sure that when this is deployed to beanstalk that the package-lock file is not on the instance? - If you have a bad lock file it needs to be deleted and re-generated.

Short of that, would need more information as you seem to have exhausted a lot of options.

Answer 5

This can happen if you request a version that is not available on the registry.

With @my-package@^1.2.0 you're requesting a version between >=1.2.0 and <2.0.0. Could it be that on this registry there is only a version that is older than 1.2.0 or newer than 2.0.0? Npm will install whatever it gets and not raise an error here.

You can check the version you get in an npm install by looking into node_modules/my-package/package.json .

If this is not happening when doing a local npm install , check wether the npm registry Amazon uses is containing your my-package package.

You could try to add the official npm registry to your Beanstalk project to check if it was the Amazon npm registry that did not contain your package. See How to use a private npm registry on Elastic Beanstalk? how to do this.

Answer 6

• It seems to be a package-lock.json issue. As in this answer

If you have not pushed package-lock.json in your repo, it will be generated while running npm install. So it is always better to add package-lock.json in the repo to avoid inconsistent package-lock.json files across local machine and deployment machine.

Could you please try pushing a fresh package-lock.json file to the repo and try?

Answer 7

Have you tried bumping the version of my-package and then directly specifying an exact version rather than a range?

Answer 8

As a workaround, follow the below steps:

• Go to the project directory
• Remove the node_modules directory: rm -rf node_modules.
• Remove package-lock.json file: rm package-lock.json
• Clear the cache: npm cache clean --force
• Run npm install --verbose

If after following the above steps still the issue exists then please provide us the output of installation command with --verbose.

Answer 9

In my case, as razki alludes to, the version of npm/node on the build server differed significantly from the version on the developer's local computer. Updating to a close enough version got rid of this problem.
For example:
The build server had: npm/6.13.4 node/v12.14.1
The developer has: npm/6.14.8 node/v14.15.1.
The build server now: npm/6.14.10 node/v14.15.4

It seems the different versions calculate the sha differently for the same package. This is why removing the package-lock.json file can work in this particular situation - at least for a while, until the computer with the different version tries to build the project again.

Answer 10

Basically its concern about npm registery, Some home npm registery has been updated to another url.

You can run below command to see npm registery

npm config get registry

It should be set it

https://registry.npmjs.org/

If its not then run below command

npm config set registry https://registry.npmjs.org/

It will set npm registery. Now you can try again for

npm i

and it will install package successfully.