npm ERR! code EINTEGRITY

Affected versions: All supported npm versions.

What This Error Means

npm downloaded a package tarball whose checksum did not match the expected integrity value (lockfile/metadata mismatch).

How to Fix It

  1. Check which registry npm is using: npm config get registry.
  2. If the package is scoped, verify the scope-to-registry mapping in .npmrc (example: @your-scope:registry=...).
  3. Verify the npm cache first: npm cache verify (then retry).
  4. If package-lock.json exists, remove node_modules and run npm ci (do not delete the lockfile unless you intend to regenerate it).
  5. If you do not have a lockfile, run npm install to generate one intentionally and commit it (then CI can use npm ci).
  6. If cache verification does not help, force a re-download: npm cache clean --force (then retry).
  7. If using a proxy registry, confirm it is fully synced and not serving mixed metadata/tarballs for the same version.

Why It Happens

  • The npm cache contains a corrupted tarball (common after interrupted downloads).
  • A proxy/cache registry served stale metadata or a different tarball for the same version.
  • Network middleboxes (proxies, antivirus) modified or truncated the tarball download.

How to Verify

  1. Re-run the install and confirm EINTEGRITY no longer appears.
  2. If you are using a proxy registry, verify that installs succeed with both a warm and a cold cache.

Manual checksum validation

  1. Get the expected integrity and tarball URL: npm view <pkg>@<version> dist.integrity dist.tarball.
  2. Download the tarball and compute SHA-512: curl -L <tarball-url> -o pkg.tgz && openssl dgst -sha512 -binary pkg.tgz | openssl base64 -A.
  3. Compare the computed Base64 value to the part of the integrity string that follows the sha512- prefix.
  4. If you have a proxy registry, repeat the same check against the proxy and the upstream registry.

Common CLI Output

npm ERR! code EINTEGRITY
npm ERR! sha512-<hash> integrity checksum failed when using sha512: wanted <hash> but got <hash>

How npm verifies package integrity

  1. npm stores expected SRI integrity values in the lockfile and/or registry metadata.
  2. During install, npm downloads the tarball and verifies its checksum before extracting.
  3. If the downloaded bytes do not match the expected checksum, npm throws EINTEGRITY.
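
The three steps above as a small Node.js sketch, added here as an example (it is not ssri's or npm's code). The names toIntegrity, parseIntegrity, verifyIntegrity and demo, and the sample bytes, are assumptions made for illustration; the sample also covers the truncated-download cause listed under Why It Happens.

```javascript
// Added example, not ssri's implementation: check bytes against an SRI string.
const crypto = require('node:crypto')

// Strongest first. sha1 only shows up in old lockfiles and is the last resort.
const ALGORITHMS = ['sha512', 'sha384', 'sha256', 'sha1']

// Build an integrity string in the lockfile form "<algorithm>-<base64 digest>".
function toIntegrity (bytes, algorithm = 'sha512') {
  return `${algorithm}-${crypto.createHash(algorithm).update(bytes).digest('base64')}`
}

// "sha512-AAA= sha256-BBB=" -> [{ algorithm, source }, ...]; rejects anything else.
function parseIntegrity (integrity) {
  return integrity.trim().split(/\s+/).map((source) => {
    const m = /^([a-z0-9]+)-[A-Za-z0-9+/]+={0,2}$/.exec(source)
    if (!m || !ALGORITHMS.includes(m[1])) {
      throw new TypeError(`unsupported integrity entry: ${source}`)
    }
    return { algorithm: m[1], source }
  })
}

// Returns the algorithm that matched, or throws an error shaped like npm's.
function verifyIntegrity (bytes, integrity) {
  const entries = parseIntegrity(integrity)
  // Check only the strongest algorithm listed, so a weaker hash next to it
  // can never be the reason different bytes are accepted.
  const algorithm = ALGORITHMS.find((a) => entries.some((e) => e.algorithm === a))
  const expected = entries.filter((e) => e.algorithm === algorithm).map((e) => e.source)
  const found = toIntegrity(bytes, algorithm)
  if (expected.includes(found)) return algorithm
  const err = new Error(`integrity checksum failed when using ${algorithm}: ` +
    `wanted ${expected.join(' ')} but got ${found}. (${bytes.length} bytes)`)
  throw Object.assign(err, { code: 'EINTEGRITY', found, expected, algorithm })
}

// Constructed sample: stand-in bytes for a tarball, plus a copy cut short the
// way an interrupted download or a truncating middlebox would leave it.
const tarball = Buffer.from('constructed stand-in for package.tgz contents')
const lockIntegrity = toIntegrity(tarball)
const truncated = tarball.subarray(0, tarball.length - 7)

function demo () {
  verifyIntegrity(tarball, lockIntegrity) // intact bytes pass
  try { verifyIntegrity(truncated, lockIntegrity) } catch (err) { return err }
}

console.log(demo().message)
```

When a proxy registry is involved, comparing err.found for the proxy's tarball with the value computed from the upstream tarball shows which side is serving different bytes.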

Prevention Tips

  • Prefer deterministic installs (npm ci) in CI when you have a lockfile.
  • Use a reliable proxy/cache registry and monitor sync health.
  • Avoid force-publishing or mutating tarballs for an existing version.

Where This Can Be Triggered

Code reference from ssri, the open-source npm dependency that raises this integrity error:

github.com/npm/ssri/blob/73adc1554d0b60606a8fb315d47f7afde7fd913e/lib/index.js

      this.emit('error', err)
    } else if (this.sri && !match) {
      const err = new Error(`${this.sri} integrity checksum failed when using ${this.algorithm}: wanted ${this.digests} but got ${newSri}. (${this.size} bytes)`)
      err.code = 'EINTEGRITY'
      err.found = newSri
      err.expected = this.digests
      err.algorithm = this.algorithm