EINTEGRITY: npm 5.0 integrity check and modernizr.com dependency - node.js

I've encountered this error when installing deps of my package:
$ npm i
npm ERR! code EINTEGRITY
npm ERR! sha1-tU7jWojzuU8MIY2VLAx+BwluNo0= integrity checksum failed when using sha1: wanted sha1-tU7jWojzuU8MIY2VLAx+BwluNo0= but got sha1-oXYP0kzpbhku0KU+phy353lbBhQ=. (26624 bytes)
npm ERR! A complete log of this run can be found in:
npm ERR! /home/tlenex/.npm/_logs/2017-06-22T10_18_19_773Z-debug.log
the problem is with my Modernizr dependency:
"dependencies": {
"Modernizr": "https://modernizr.com/download?setclasses-flash"
}
is there any way to solve this or ignore this integrity check?
Currently I have to run
npm i https://modernizr.com/download?setclasses-flash
again to get things working, which overrides the "integrity" field for "Modernizr" in my package-lock.json.
This may happen every time there is a change in Modernizr package fetched from this link and my package dependencies need to be reinstalled (for example, each time on CI build)
If there is no other way of solving this? I hope I won't have to place package-lock.json in my .gitignore file :(
More data about my environment:
$ npm -v
5.0.3
$ node -v
v6.11.0

Edit package-lock.json, find the entry you want to skip (in this case the one that is failing)
sha1-tU7jWojzuU8MIY2VLAx+BwluNo0
and remove the integrity parameter from it, i.e.
},
"range-parser": {
"version": "1.2.0",
"resolved": "https://registry.npmjs.org/range-parser/-/range-parser-1.2.0.tgz",
"integrity": "sha1-9JvmtIeJTdxA3MlKMi9hEJLgDV4=",
"dev": true
},
to...
},
"range-parser": {
"version": "1.2.0",
"resolved": "https://registry.npmjs.org/range-parser/-/range-parser-1.2.0.tgz",
"dev": true
},
After that, run npm install; it will check the rest and skip this integrity.

The point of the integrity field is to alert you when something has changed, so if you do not want it to exist, you can disable package-lock.json files in your npmrc. Just set package-lock=false
Note: I am the developer of Modernizr, and spoke with the npm-cli team about this issue. The root cause appears to be the change of the SHA type between npm5 and earlier versions. Nuking the node_modules folder will fix it

1. Find all outdated packages and update them:
npm outdated -g
sudo npm i -g outDatedPKG
2. Upgrade npm to the latest version with:
sudo npm i -g npm
3. Delete package-lock.json file.
4. Delete _cacache directory in ~/.npm:
npm cache verify
4.1. Every time I get that error, do steps 2 & 3.
5. If you still get the error, clear npm's cache:
npm cache clean --force

I had this same error and I solved it by:
Deleting package-lock.json
Running "npm install"

I finally resolved this issue.
Our team moved away from URL dependency without SEMVER notation, in this case https://modernizr.com/download?setclasses-flash and used modernizr-loader with webpack. There are also equivalents for gulp and grunt tools available on npm, pick and use one you like the most.
After using them, we finally got rid of returning EINTEGRITY npm error without nuking package-lock.json or node_modules.

Just do two things for the solution
first :
npm cache clean --force
second :
npm i -g npm
and then install what you want

$ rm -rf package-lock.json node_modules
$ npm install --cache /tmp/empty-npm-cache
If this fixes it, clear your global npm cache to fix the corruption.
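The comparison behind the "wanted ... but got ..." message in this thread, as an added example that is not part of the original posts or of npm's own code. The function names and the two sample buffers are constructed for illustration, and it assumes the strongest listed algorithm decides, as in Subresource Integrity.

```javascript
// Added example: the comparison behind npm's EINTEGRITY error, on constructed data.
const crypto = require('crypto');

const STRENGTH = ['sha1', 'sha256', 'sha384', 'sha512']; // weakest to strongest

// Parse an integrity string such as "sha1-<b64> sha512-<b64>".
function parseIntegrity(sri) {
  return sri.trim().split(/\s+/).map((entry) => {
    const dash = entry.indexOf('-');
    const algorithm = entry.slice(0, dash);
    if (dash < 1 || !STRENGTH.includes(algorithm)) {
      throw new Error(`unsupported integrity entry: ${entry}`);
    }
    return { algorithm, digest: entry.slice(dash + 1) };
  });
}

// Hash the bytes and format the result the way package-lock.json stores it.
function sriOf(data, algorithm) {
  const digest = crypto.createHash(algorithm).update(data).digest('base64');
  return `${algorithm}-${digest}`;
}

// Compare the bytes against the strongest algorithm the lock entry lists.
function checkIntegrity(data, sri) {
  const entries = parseIntegrity(sri);
  const algorithm = entries
    .map((e) => e.algorithm)
    .sort((a, b) => STRENGTH.indexOf(b) - STRENGTH.indexOf(a))[0];
  const wanted = entries
    .filter((e) => e.algorithm === algorithm)
    .map((e) => `${e.algorithm}-${e.digest}`);
  const got = sriOf(data, algorithm);
  return { ok: wanted.includes(got), algorithm, wanted, got };
}

// Constructed stand-ins for two builds served by one unversioned URL.
const buildDay1 = Buffer.from('/* constructed build, day 1 */');
const buildDay2 = Buffer.from('/* constructed build, day 2 */');
const locked = sriOf(buildDay1, 'sha1'); // what the lockfile recorded on day 1

for (const build of [buildDay1, buildDay2]) {
  const r = checkIntegrity(build, locked);
  console.log(r.ok
    ? `ok (${r.algorithm})`
    : `integrity checksum failed: wanted ${r.wanted.join(' ')} but got ${r.got}`);
}
```

A dependency fetched from a URL whose content changes between installs fails this check on every change, which is why the lock entry had to be regenerated each time.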

Related

Unable to fix npm vulnerabilities

I am getting 6 vulnerabilities after running npm audit report:
I tried a solution and overridden the vulnerable versions of a particular package with their latest versions in package.json file like this:
"overrides": {
"nth-check": "2.1.1",
"@svgr/webpack": "6.5.1",
"@svgr/plugin-svgo": "6.5.1",
"svgo": "3.0.1",
"css-select": "5.1.0"
}
Then I updated the npm packages with npm update. But it did not change the result.
Tried another solution by making a resolution object in package.json and specified specific versions of a particular package, and ran it using npx i npm-force-resolutions but it gives this error:
npm ERR! could not determine executable to run.
But I am still unable to fix the npm vulnerabilities. Please help!
You should delete both node_modules and package-lock.json before launching npm install again; this will require more time to install all dependencies, but this will override all the version that are currently installed (it will bring also minor updates in dependencies).
Also, for this vulnerability, you only need to override nth-check. You can see the changes by executing npm list nth-check with and without the override (remember to delete both node_modules and package-lock.json).

How to resolve the setup of the Tailwind CSS with Next.js in Visual Studio Code [duplicate]

I am trying to npm install vue-mapbox mapbox-gl, and I'm getting a dependency tree error.
I'm running Nuxt.js SSR with Vuetify and haven't installed anything related to Mapbox prior to running this install and am getting this error.
38 error code ERESOLVE
39 error ERESOLVE unable to resolve dependency tree
40 error
41 error While resolving: example@1.0.0
41 error Found: mapbox-gl@1.13.0
41 error node_modules/mapbox-gl
41 error mapbox-gl@"^1.13.0" from the root project
41 error
41 error Could not resolve dependency:
41 error peer mapbox-gl@"^0.53.0" from vue-mapbox@0.4.1
41 error node_modules/vue-mapbox
41 error vue-mapbox@"*" from the root project
41 error
41 error Fix the upstream dependency conflict, or retry
41 error this command with --force, or --legacy-peer-deps
41 error to accept an incorrect (and potentially broken) dependency resolution.
41 error
41 error See /Users/user/.npm/eresolve-report.txt for a full report.
42 verbose exit 1
What's the right way to go about fixing this upstream dependency conflict?
It looks like it's a problem with peer dependencies in the latest version of npm (v7) which is still a beta version.
Try with npm install --legacy-peer-deps. For detailed information check the blog post npm v7 Series - Beta Release! And: SemVer-Major Changes in npm v7.
Use --legacy-peer-deps after npm install. For example, if you want to install Radium, use:
npm install --legacy-peer-deps --save radium
There are two ways:
use npm install --legacy-peer-deps to install, and if this doesn't work use
the force method. Add --force next to npm install: npm install --force
You can follow these commands
First type:
npm config set legacy-peer-deps true
Then type:
npx create-react-app my-app
Your dependency mexample requires mmapbox-gl v1.13.0 and mvue-mapbox requires mmapbox-gl v0.53.0.
NPM doesn't know which version to install, so it gives a warning. You can bypass the errors using --force or --legacy-peer-deps, but you are ignoring an error, and making unexpected results.
Production Options:
Probably one of your packages is outdated. Upgrading packages and fixing upgrade errors might fix the dependency conflict.
Overriding a dependency manually to avoid the warning and error. You are setting the version to a specific one that you know that works. Usually the newer version.
Example solution with override. Your package.json file will look like this:
{
"name": "my-app",
"version": "0.1.0",
"private": true,
"dependencies": {
"mexample": "^1.2.0",
"vue-mapbox": "*"
},
"scripts": {
"start": "react-scripts start",
"build": "react-scripts build",
"test": "react-scripts test",
"eject": "react-scripts eject"
},
"overrides": {
"mmapbox-gl": "1.13.0"
}
}
The last option is bypassing using either:
--legacy-peer-deps completely ignores all peerDependencies using the newest version without pinning on file package-lock.json
--force forces the use of the newest, pinning all the versions on package-lock.json
Extra: You shouldn't use "*" as a version, because it might update major and break dependencies.
Until npm version 7.19.1, it still had the same issue. After upgrading to version 7.20.3, use command npm install -g npm@latest and npm audit fix. All packages will be fixed without error.
I tried multiple ways, but nothing was working for me. At last I tried this and it worked:
npm config set legacy-peer-deps true
Run this in the project folder and then try to install any package. It might work for you as well.
To solve it, fix the upstream dependency conflict installing NPM packages error
Method 1. Just use --legacy-peer-deps after npm install.
For example, if you want to install Axios, use
npm install --legacy-peer-deps --save axios.
Method 2. Updating npm and 'audit fix'
npm i -g npm@latest
npm audit fix --force
Method 3. Using --force to install packages
npm install axios --force
I was stuck on this issue for long which also makes error from other commands which calls for some install commands that was breaking.
The only solution that works (maybe suppresses the error) is
npm config set legacy-peer-deps true
This will set the configuration of legacy-peer-deps to true
To resolve npm dependencies and conflicts with npm packages, use npm-check-updates.
Almost all answers here suggest using force or legacy-peer-deps. Though this will technically work, please note that this is not recommended by NPM if you can avoid it anymore (source). Some folks may not have a choice, but I was able to resolve my dependency conflicts by deleting node_modules and package-lock.json then manually updating packages to their latest version one at a time until it stopped complaining (packages mentioned in the error messages after running npm i). Not a great or clean solution, but at least my packages are up-to-date and I'm not ignoring errors or using legacy solutions.
A lot of upvotes for using --legacy-peer-deps, but if --force works, I would recommend using that since it still pins many dependency versions while --legacy-peer-deps ignores peer dependencies entirely. See the example below:
npm: When to use --force and --legacy-peer-deps
I started getting this error on Azure DevOps a few days ago. I initially thought it was a glitch on the Azure side, but since it continued, we started looking into it a bit more.
It turns out the agent we are using, windows-2022, was updated a few days ago:
Updating readme file for win22 version 20220607.3 (#5713)
Node and NPM now match the latest Node.js LTS version: 16.15.1 (includes npm 8.11.0)
Downloads
You can view all agents-included software on Microsoft-hosted agents, Software.
After reading on Microsoft Visual Studio Developer Community, they recommend downgrading Node.js using Node.js Tool Installer task like this:
- task: NodeTool@0
  inputs:
    versionSpec: '16.14.2'
Node.js Tool Installer task
npm install fails in Azure DevOps Hosted Agent
However, we decided that we do not want to downgrade Node.js, so the first step was matching Node.js locally with LTS version 16.15.1 and npm 8.11.0.
When running npm ci, we then got the same error locally.
We tried npm ci --force and we then got this error:
npm ci can only install packages when your package.json and
package-lock.json or npm-shrinkwrap.json are in sync. Please update
your lock file with npm install before continuing.
npm install gave the same error even after node_modules was manually removed, but npm install --force worked, and it generated a new package-lock.json file.
npm ci still failed with the same error, but running npm ci --force worked. We decided to update Azure DevOps .yml to include --force and checked in the new package-lock.json file. After doing this, everything worked like before and we could now update our packages one by one.
delete the package-lock.json file
modify the package.json file, updating the version as indicated by the peer dependency
Add a tilde or caret for allowing install latest version and resolving dependency issues, for example :
~1.0.2 means to install version 1.0.2 or the latest patch version such as 1.0.4.
^1.0.2 means to install version 1.0.2 or the latest minor or patch version such as 1.1.0.
run npm install or npm update
I resolved this by adding
steps:
- task: NodeTool@0
  inputs:
    versionSpec: '12.x'
Nothing here worked for me.
After struggling with this issue for so long, I found a solution that worked.
Apparently I had some packages installed globally.
Listed them with:
npm list -g --depth=0
Then removed the unwanted packages with:
npm uninstall -g <package-name>
Finally I got the problem fixed

npm install changed the package-lock resolved for some packages from registry.npmjs.org to registry.yarnpkg.com

I am using npm 6
❯ npm -v
6.14.11
and the registry is set to
❯ npm config get registry
https://registry.npmjs.org/
❯ cat ~/.npmrc
registry=https://registry.npmjs.org/
removing the package-lock.json(should not be needed) file and running npm install
generates some values that load from yarnpkg registry
example
"deep-is": {
"version": "0.1.3",
"resolved": "https://registry.yarnpkg.com/deep-is/-/deep-is-0.1.3.tgz",
"integrity": "sha1-s2nW+128E+7PUk+RsHD+7cNXzzQ=",
"dev": true
},
why is that? and why is my registry preference not respected?
I am running npm -v 6.14.15
Perhaps you didn't remove the node_modules folder before doing an install? Apparently the registry value from node_modules will override anything from the package-lock.json.
You should change the registry values inside of the package-lock.json, delete node_modules folder, and then do an npm i.
npm install respects the package-lock. It won't update it unless you're adding/updating a package (which you've done in the past after configuring the new registry, resulting in some entries with the new registry).
If you're interested in updating your package-lock to use the new registry for all deps, see this question.
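A lockfile audit for the conditions discussed on this page (an entry whose integrity field was removed, a sha1-only hash, and a resolved host other than the configured registry), as an added example that is not code from the original posts or from npm. The allowlist, function names and finding labels are assumptions, and the sample lock is constructed from the entries quoted above.

```javascript
// Added example: audit package-lock.json entries; sample data is constructed
// from the entries quoted on this page.
const ALLOWED_HOSTS = new Set(['registry.npmjs.org']); // assumption: your intended registry

// Yield [name, entry] pairs from v1 ("dependencies") or v2/v3 ("packages") lockfiles.
function* lockEntries(lock) {
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path !== '') yield [path.replace(/^.*node_modules\//, ''), entry];
    }
    return;
  }
  const walk = function* (deps) {
    for (const [name, entry] of Object.entries(deps || {})) {
      yield [name, entry];
      yield* walk(entry.dependencies);
    }
  };
  yield* walk(lock.dependencies);
}

function auditLock(lock) {
  const findings = [];
  for (const [name, entry] of lockEntries(lock)) {
    if (entry.bundled || entry.link) continue; // no tarball of their own
    // Assumed shape: a v1 lock keeps a URL dependency's address in "version".
    const source = entry.resolved || entry.version || '';
    let host = '';
    try { host = new URL(source).host; } catch { /* plain semver string */ }
    if (host && !ALLOWED_HOSTS.has(host)) {
      findings.push({ name, issue: 'unexpected-host', detail: host });
    }
    const algorithms = (entry.integrity || '').split(/\s+/).filter(Boolean)
      .map((item) => item.split('-')[0]);
    if (algorithms.length === 0) {
      findings.push({ name, issue: 'missing-integrity', detail: source });
    } else if (algorithms.every((a) => a === 'sha1')) {
      findings.push({ name, issue: 'sha1-only', detail: entry.integrity });
    }
  }
  return findings;
}

const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    'range-parser': { version: '1.2.0', dev: true,
      resolved: 'https://registry.npmjs.org/range-parser/-/range-parser-1.2.0.tgz' },
    'deep-is': { version: '0.1.3', dev: true,
      resolved: 'https://registry.yarnpkg.com/deep-is/-/deep-is-0.1.3.tgz',
      integrity: 'sha1-s2nW+128E+7PUk+RsHD+7cNXzzQ=' },
    'Modernizr': { version: 'https://modernizr.com/download?setclasses-flash',
      integrity: 'sha1-tU7jWojzuU8MIY2VLAx+BwluNo0=' },
    'example-pkg': { version: '1.0.0', // constructed entry and hash value
      resolved: 'https://registry.npmjs.org/example-pkg/-/example-pkg-1.0.0.tgz',
      integrity: 'sha512-Q09OU1RSVUNURUQ=' },
  },
};

for (const f of auditLock(sampleLock)) console.log(`${f.name}: ${f.issue} (${f.detail})`);
```

Run in CI against the committed lockfile, a non-empty result flags a lock that was edited or regenerated in a way that weakens what npm can verify at install time.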

How to resolve dependencies in a nodejs package

I've downloaded a nodejs project from Github, edited the source to add missing functionality and now I'm trying to compile it into an executable or run it uncompiled (node main.js). In both cases I get messages that it can't find its dependencies.
This is not my normal programming language, so I'm unfamiliar with how node dependencies work.
The dependencies in questions are other node packages. I installed them with npm install -g but that didn't help.
In the package.json file they are described as follows:
"dependencies": {
"@castlelemongrab/ioh": "^0.0.4",
"@castlelemongrab/strr": "^0.0.1",
"bent": "^7.3.6",
"jsDump": "^1.1.0",
"yargs": "^15.3.1"
},
The warning messages specify the dependencies beginning with @ as the ones that are missing. Although it's just a warning, the program fails to function and issues the same message when you attempt to use it, so it's effectively an error. I found this Stackoverflow post mentioning that you could define dependencies like this:
"dependencies": {
"public": "git://github.com/user/repo.git#ref",
"private": "git+ssh://git@github.com:user/repo.git#ref"
}
But that didn't seem to have any effect:
Error: Cannot find module '@castlelemongrab/ioh'
How should I resolve it? I tried going into the node_modules directory and git clone-ing the ioh library into the @castlelemongrab folder but that also led to some errors:
npm ERR! code EISGIT
npm ERR! path C:\...\node_modules\@castlelemongrab\ioh
npm ERR! git C:\...\node_modules\@castlelemongrab\ioh: Appears to be a git repo or submodule.
npm ERR! git C:\...\node_modules\@castlelemongrab\ioh
npm ERR! git Refusing to remove it. Update manually,
npm ERR! git or move it out of the way first.
Additionally, since I have the production version of this package installed on my system and I don't want to overwrite it, if I change the "name" field in package.json is that an effective and safe way to avoid conflicts?
The solution was to git clone the missing modules into node_modules and then to rm -rf the .git and .gitignore.
Figured this out by trial and error. If anyone has a more complete and informed answer, please feel free to add it.

npm install won't install devDependencies

On windows for some reason when I run npm install it won't install devDependencies. AFAIK it should. If I run npm install --dev devDependencies are installed. I don't understand why npm install doesn't install devDependencies too, but installs only dependencies. What could be the reason? How can I fix it?
Maybe something is wrong with my package.json? It is listed below if it may be helpful:
{
"name": "try-brunch",
"version": "0.1.0",
"private": "true",
"devDependencies": {
"brunch": "^2.0.4",
"cssnano-brunch": "^1.1.5",
"javascript-brunch": "^1.8.0",
"sass-brunch": "^1.9.2",
"uglify-js-brunch": "^1.7.8"
},
"dependencies": {
"jquery": "^2.1.4"
}
}
Check the NPM docs for install
"With the --production flag (or when the NODE_ENV environment variable is set to production), npm will not install modules listed in devDependencies."
"The --only={prod[uction]|dev[elopment]} argument will cause either only devDependencies or only non-devDependencies to be installed regardless of the NODE_ENV."
Have you tried
npm install --only=dev
If you are worried that your package.json might be incorrect, best thing to do is this. Create a new folder, and run:
npm init --yes
Then:
npm install --save-dev brunch@^2.0.4
npm install --save-dev cssnano-brunch@^1.1.5
npm install --save-dev javascript-brunch@^1.8.0
npm install --save-dev sass-brunch@^1.9.2
npm install --save-dev uglify-js-brunch@^1.7.8
npm install jquery@^2.1.4 --save
And you should be good to go! Otherwise, will keep posting other options.
Check your npm configuration:
npm config list
npm gets its config settings from the command line, environment variables, and npmrc files. So check environment variables, and the npmrc file.
Still failing?
Ok, create a new folder, ideally somewhere else on your filesystem. ie. not in same folder hierarchy. For instance, C:\myNewFolder - the closer to the base C: drive the better.
Then run:
npm init --yes
Now run:
npm install underscore --save
and finally:
npm install mocha --save-dev
Does everything work as expected?
What I am trying to do is understand whether your problem is global, or something local to the previous folder and dependencies.
Check if npm config production value is set to true. If this value is true, it will skip over the dev dependencies.
Run npm config get production
To set it: npm config set -g production false
make sure you don't have env variable NODE_ENV set to 'production'.
If you do, dev dependencies will not be installed without the --dev flag
You can use the short way for installation dependencies only for development as follows:
npm i -D <dependencies-names>
I had a package-lock.json file from an old version of my package.json, I deleted that and then everything installed correctly.
I had a similar problem. npm install --only=dev didn't work, and neither did npm rebuild. Ultimately, I had to delete node_modules and package-lock.json and run npm install again. That fixed it for me.
I have the same issue because I set the NODE_ENV=production while building Docker. Then I add one more npm install --only=dev. Everything works fine. I need the devDependencies for building TypeScript modules
RUN npm install
RUN npm install --only=dev
Make sure your package.json is valid...
I had the following error...
npm WARN Invalid name: "blah blah blah"
and that, similarly, caused devDependencies not to be installed.
FYI, changing the package.json "name" to blah-blah-blah fixed it.
As of now you could use:
npm i --also=dev
So the way I got around this was in the command where I would normally run npm install or npm ci, I added NODE_ENV=build, and then NODE_ENV=production after the command, so my entire command came out to:
RUN NODE_ENV=build && npm ci && NODE_ENV=production
So far I haven't had any bad reactions, and my development dependencies which are used for building the application all worked / loaded correctly.
I find this to be a better solution than adding an additional command like npm install --only=dev because it takes less time, and enables me to use the npm ci command, which is faster and specifically designed to be run inside CI tools / build scripts. (See npm-ci documentation for more information on it)
In my case, the problem was that I had the NODE_ENV variable set to production in the same terminal session I ran npm install.
For my build to run properly I was not allowed to change the value of NODE_ENV so I forced npm to install all the dependencies by adding the --production=false flag to it: npm install --production=false as mentioned in the docs.
If you don't need NODE_ENV to be set to production you can simply type export NODE_ENV=development to your terminal to overwrite its value and run npm install again.
Got a similar error after running npm-check-updates -u. Solved it by removing node_modules folder and package-lock.json. After that a new npm install and everything worked.
My exception:
Failed to load parser '@typescript-eslint/parser' declared in
'package.json » eslint-config-react-app#overrides[0]': Cannot find
module '@typescript-eslint/parser'
As @Ale told, we can use npm i -D <some_module_name> or npm i --save-dev <some_module_name> now.
It seems command was changed at some point of node version.
Official (npm dependencies and devDependencies) says following.
When you add the -D flag, or --save-dev, you are installing it as a development dependency, which adds it to the devDependencies list.
