
[BUG] npm install changes integrity hashes back to SHA1 in package-lock.json #450

Closed
Ionaru opened this issue Nov 8, 2019 · 5 comments
Labels
Bug thing that needs fixing Release 6.x work is associated with a specific npm 6 release

Comments

@Ionaru

Ionaru commented Nov 8, 2019

What / Why

When running npm install, the integrity hashes in package-lock.json change to SHA1 hashes instead of SHA512.

When

  • When running npm install

Where

  • n/a

How

Current Behavior

  • Some hashes are changed to a SHA1 format.
    [screenshot attached in the original issue]

Steps to Reproduce

  • Update npm to 6.13.0
  • Run npm install

Expected Behavior

  • Hashes should be in SHA512 format.

Who

  • @Ionaru
  • Multiple people at my workplace.

References

@rommni

rommni commented Nov 13, 2019

I confirm the same problem here with the same steps; I just want to add that the cache clean proposed in some topics on this problem didn't solve anything on my side.

@cburgmer

cburgmer commented Jan 9, 2020

Please bump the severity of this issue because of the now known attack against sha-1: https://sha-mbles.github.io/

@sraka1

sraka1 commented Jul 8, 2022

@darcyclarke why was this closed as completed seeing as this still appears on 6.x?

@ljharb
Contributor

ljharb commented Jul 8, 2022

@sraka1 6.x is unsupported except for security issues; only npm latest (8.13 atm) is supported.

@pauleustice

This IS a security issue, as seen by the CVE that cburgmer linked to above

7 participants