
github.com/npm/cli.git - Unnamed repository; edit this file 'description' to name the repository.
authorKat Marchán <kzm@sykosomatic.org>2017-05-17 03:11:49 +0300
committerRebecca Turner <me@re-becca.org>2017-05-26 04:55:23 +0300
commit317ae92913781539d9feeb84a9ac487d355cb60c (patch)
tree07199afd6e8366213d4d56cfd1b518b723cee5ab /lib
parent932888fc6977412a4be0117b6681334f6a3cd44b (diff)
shrinkwrap: update packageIntegrity for spec compliance
Diffstat (limited to 'lib')
-rw-r--r--lib/install/read-shrinkwrap.js4
-rw-r--r--lib/shrinkwrap.js7
-rw-r--r--lib/utils/package-integrity.js21
3 files changed, 26 insertions, 6 deletions
diff --git a/lib/install/read-shrinkwrap.js b/lib/install/read-shrinkwrap.js
index 5a6e4a85a..913c30348 100644
--- a/lib/install/read-shrinkwrap.js
+++ b/lib/install/read-shrinkwrap.js
@@ -9,7 +9,7 @@ const log = require('npmlog')
const parseJSON = require('../utils/parse-json.js')
const path = require('path')
const PKGLOCK_VERSION = require('../npm.js').lockfileVersion
-const ssri = require('ssri')
+const pkgSri = require('../utils/package-integrity.js')
const readFileAsync = BB.promisify(fs.readFile)
@@ -38,7 +38,7 @@ function readShrinkwrap (child, next) {
pkgJson &&
parsed &&
parsed.packageIntegrity &&
- !ssri.checkData(pkgJson, parsed.packageIntegrity)
+ !pkgSri.check(JSON.parse(pkgJson), parsed.packageIntegrity)
) {
log.info('read-shrinkwrap', `${name} will be updated because package.json does not match what it was generated against.`)
}
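Review bot: `JSON.parse(pkgJson)` inside this condition can throw on a malformed or BOM-prefixed package.json, whereas the previous `ssri.checkData(pkgJson, …)` hashed the raw contents and could not fail that way. The same unguarded parse is added as `data: JSON.parse(data)` in checkPackageFile in lib/shrinkwrap.js, where the `.catch({code: 'ENOENT'}, …)` filter will not absorb a SyntaxError. Consider the helper this file already imports, `!pkgSri.check(parseJSON(pkgJson), parsed.packageIntegrity)`, assuming it accepts the raw file contents, or treat a parse failure as a mismatch so the lockfile is simply regenerated. readShrinkwrap's body starts and continues outside the hunk, so whether an outer handler already covers this cannot be seen here.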
diff --git a/lib/shrinkwrap.js b/lib/shrinkwrap.js
index 77deb1958..82023c6ab 100644
--- a/lib/shrinkwrap.js
+++ b/lib/shrinkwrap.js
@@ -19,6 +19,7 @@ const move = require('move-concurrently')
const npm = require('./npm.js')
const packageId = require('./utils/package-id.js')
const path = require('path')
+const pkgSri = require('./utils/package-integrity.js')
const readPackageTree = BB.promisify(require('read-package-tree'))
const ssri = require('ssri')
const validate = require('aproba')
@@ -230,9 +231,7 @@ function updateLockfileMetadata (pkginfo, pkgJson) {
function writeMetainfo (pkginfo) {
pkginfo.createdWith = `npm@${npm.version}`
pkginfo.lockfileVersion = PKGLOCK_VERSION
- pkginfo.packageIntegrity = pkgJson && ssri.fromData(pkgJson, {
- algorithms: ['sha512']
- }).toString()
+ pkginfo.packageIntegrity = pkgJson && pkgSri.hash(pkgJson)
metainfoWritten = true
}
return newPkg
@@ -245,7 +244,7 @@ function checkPackageFile (dir, name) {
).then((data) => {
return {
path: file,
- data,
+ data: JSON.parse(data),
indent: detectIndent(data).indent || 2
}
}).catch({code: 'ENOENT'}, () => {})
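Review bot: `data` changes from the raw file text to a parsed object for every file checkPackageFile reads, not only package.json, because the function takes an arbitrary `name`. Any caller outside this hunk that still compares or writes `data` as a string would change behaviour without an error. Keeping the text next to the parsed form, for example `raw: data, data: JSON.parse(data),`, would let such callers stay on the string. The function begins and ends outside the hunk, so its callers need checking against the new shape.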
diff --git a/lib/utils/package-integrity.js b/lib/utils/package-integrity.js
new file mode 100644
index 000000000..f9560d660
--- /dev/null
+++ b/lib/utils/package-integrity.js
@@ -0,0 +1,21 @@
+'use strict'
+
+// Utilities for generating and verifying the packageIntegrity field for
+// package-lock
+//
+// Spec: https://github.com/npm/npm/pull/16441
+
+const ssri = require('ssri')
+const SSRI_OPTS = {
+ algorithms: ['sha512']
+}
+
+module.exports.check = check
+function check (pkg, integrity) {
+ return ssri.checkData(JSON.stringify(pkg), integrity, SSRI_OPTS)
+}
+
+module.exports.hash = hash
+function hash (pkg) {
+ return ssri.fromData(JSON.stringify(pkg), SSRI_OPTS).toString()
+}
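Review bot: `check` passes `SSRI_OPTS` to `ssri.checkData`, but as far as I know `algorithms` is only consulted when generating a digest; on verification the algorithm is taken from the stored integrity string, so a `packageIntegrity` value using a weaker hash would presumably still be accepted. If the spec requires sha512, reject other algorithms explicitly before comparing. The header comment should also say what is hashed, since that defines when the lockfile is considered stale: `// Digest covers JSON.stringify(parsed package.json): whitespace is ignored, key order is not.`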