How to upgrade integrity from sha1 to sha512？

[shalldie]

In my case, [email protected]，monorepo，shared-workspace-lockfile=false

The pnpm lockfiles contain both sha1 and sha512 integrity hashes, which often leads to conflicts when installing a certain application package (sha512) with other applications (sha1)

Some error may appear: ENOENT: no such file or directory, open '......-index.json'

How to upgrade all integrity field from sha1 to sha512 in each lockfile without changing version ?

---

Edit:

- monorepo (.npmrc => shared-workspace-lockfile=false)
    - package-1
        - npm-pkg@v1 (pnpm-lock.yaml => integrity: sha1)
    - package-2
        - npm-pkg@v1 (pnpm-lock.yaml => integrity: sha512)

There are differences in the integrity of the same version of the npm pkg across different packages.

[btea]

Perhaps this is what you want? https://pnpm.io/cli/install#--lockfile-only

[shalldie]

There are differences in the integrity of the same version of the npm pkg across different packages, --lockfile-only will not fix it.

[btea]

What could be causing this? I temporarily set up a similar repository, and the installation seems to be working correctly.

Incidentally, if the same dependency is used in different packages, it is recommended to use the catalog protocol.

[shalldie]

就直接中文了哈，
这问题存在有几年了，至今有大量类似issue open，下面是我几次遇到的场景以及猜测：

1. [email protected] 是一个发布比较早的包
2. package-a 中使用了 [email protected]，此时integrity为 sha1
3. 有一天在 package-b 下间接install了 [email protected]，integrity 很可能是 sha512
   • integrity 一般是从 registry 获取，而 pnpm 不会去更新其它package的lock
   • 此时本地缓存同时存在 sha1、sha512 的文件
4. 当换台机器 install时候，对于 [email protected] pnpm 只会下载一次，缓存为 sha1-xxx-index.json
   • 对于 package-b 则无法找到该缓存： ENOENT: no such file or directory, open '......-index.json'

我在 pnpm9、10 都遇到过这个问题，这是 pnpm9 时候提过的一个issue #8428 ，里面的仓库可以本地复现
目前总结的解决办法就是，，，找到不统一的 integrity 依次手动修复

---

This issue has been around for several years, and there are still numerous similar issues open to this day. Below are the scenarios I encountered several times and my guesses:

1. [email protected] is an older released package
2. package-a uses [email protected], with integrity set to sha1
3. One day, [email protected] was indirectly installed under package-b, and the integrity is likely to be sha512
   • Integrity is typically obtained from the registry, and pnpm does not update the locks of other packages
   • Currently, both sha1 and sha512 files exist in the local cache
4. When installing on a different machine, [email protected] pnpm will only be downloaded once and cached as sha1-xxx-index.json
   • For package-b, the cache cannot be found: ENOENT: no such file or directory, open '......-index.json'

I encountered this issue on both pnpm9 and pnpm10. This is an issue #8428 mentioned during pnpm9, and the repository mentioned in it can be reproduced locally
The currently summarized solution is to manually repair the inconsistent integrity one by one

[btea]

我尝试了多个版本，发现在10.14.0之后安装不会报错，不过我也没看懂为什么。 🤔