
title: “integrity in yarn.lock”
tags:

  • Node.js
  • Front-end development

slug: ff193ef7
date: 2020-03-19 23:00:57
summary: “What the integrity field in yarn.lock means, how it’s computed, and why not every package has it.”

When committing code you may notice diffs in yarn.lock adding or removing integrity fields. Here’s a quick rundown of what it is.

Purpose

The integrity field ensures resource integrity (package version and content). After Yarn downloads a resource, it compares the integrity it computes from the download to the one recorded in the file; if they don’t match, installation fails.

How is integrity computed?

Typically: hash the package bytes, then base64‑encode the digest.

Why isn’t it on every package?

In theory, it should be present for every package.

v1.9.4

Reproduced at the time: after deleting the lockfile and running yarn install, some packages still lacked integrity.

v1.22.4

After upgrading, retrying showed every package had integrity.

Conclusion

A version bug — upgrading resolves it.
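The hash-then-base64 computation and the missing-field situation described above, as an added Node.js example that is not code from the original post or from Yarn itself. It assumes the `<algorithm>-<base64 digest>` form of the integrity value and the v1 lockfile layout (unindented entry headers, indented fields); the function names, the algorithm allow-list and the sample data are constructed for illustration.

```javascript
const crypto = require("crypto");

// SRI-style value: "<algorithm>-<base64 of the raw digest>".
function computeIntegrity(bytes, algorithm = "sha512") {
  const digest = crypto.createHash(algorithm).update(bytes).digest("base64");
  return `${algorithm}-${digest}`;
}

// Recompute the digest of the downloaded bytes and compare with the recorded value.
function verifyIntegrity(bytes, recorded) {
  const dash = recorded.indexOf("-");
  if (dash < 1) return false; // malformed field: fail closed
  const algorithm = recorded.slice(0, dash);
  // Allow-list chosen for this example.
  if (!["sha1", "sha256", "sha384", "sha512"].includes(algorithm)) return false;
  const expected = Buffer.from(recorded.slice(dash + 1), "base64");
  const actual = crypto.createHash(algorithm).update(bytes).digest();
  return expected.length === actual.length && crypto.timingSafeEqual(expected, actual);
}

// List yarn.lock (v1 layout) entries that carry no "integrity" line.
function entriesMissingIntegrity(lockText) {
  const missing = [];
  let current = null;
  let hasIntegrity = false;
  const flush = () => { if (current !== null && !hasIntegrity) missing.push(current); };
  for (const line of lockText.split(/\r?\n/)) {
    if (line.trim() === "" || line.startsWith("#")) continue;
    if (!/^\s/.test(line)) { // an unindented line opens a new entry
      flush();
      current = line.replace(/:$/, "");
      hasIntegrity = false;
    } else if (/^\s+integrity\s/.test(line)) {
      hasIntegrity = true;
    }
  }
  flush();
  return missing;
}

// Constructed sample data, not from a real registry or lockfile.
const tarball = Buffer.from("constructed tarball bytes");
const sampleLock = [
  "# yarn lockfile v1", "",
  "pkg-a@^1.0.0:", '  version "1.0.0"', `  integrity ${computeIntegrity(tarball)}`, "",
  "pkg-b@^2.0.0:", '  version "2.0.0"',
].join("\n");
console.log(entriesMissingIntegrity(sampleLock)); // [ 'pkg-b@^2.0.0' ]
```

Running `entriesMissingIntegrity` over a committed yarn.lock in CI flags entries that an install would accept without a content check.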

Alan H
Authors
Developer and digital gadget enthusiast who likes tinkering, sharing, and open source