Yarn v1 lockfiles contain an integrity checksum that can be validated against the checksum in the npm registry or yarn registry.
```
accepts@~1.1.0:
  version "1.1.4"
  resolved "https://registry.yarnpkg.com/accepts/-/accepts-1.1.4.tgz#d71c96f7d41d0feda2c38cd14e8a27c04158df4a"
  integrity sha512-8EKM6XlFgqSpDcxkT9yxCT8nDSWEVBD0UjgUWMCWh5kH9VU+ar2MhmDDYGxohXujPU8PPz88ukpkvfXFVWygHw==
  dependencies:
    mime-types "~2.0.4"
    negotiator "0.4.9"
```
`sha512-8EKM6XlFgqSpDcxkT9yxCT8nDSWEVBD0UjgUWMCWh5kH9VU+ar2MhmDDYGxohXujPU8PPz88ukpkvfXFVWygHw==` can then be simply compared to the checksum stored in the npm/yarn registry:
https://registry.npmjs.org/accepts/1.1.4

```json
"1.1.4": {
  "name": "accepts",
  "version": "1.1.4",
  "dist": {
    "integrity": "sha512-8EKM6XlFgqSpDcxkT9yxCT8nDSWEVBD0UjgUWMCWh5kH9VU+ar2MhmDDYGxohXujPU8PPz88ukpkvfXFVWygHw==",
  }
}
```
However, in yarn v2+ lockfiles these checksums changed, and I cannot find any documentation on what this new checksum is, nor on how to verify it against the one stored in the npm or yarn registry API (https://registry.npmjs.org/ or https://registry.yarnpkg.com/).
```yaml
"accepts@npm:~1.1.0":
  version: 1.1.4
  resolution: "accepts@npm:1.1.4"
  dependencies:
    mime-types: ~2.0.4
    negotiator: 0.4.9
  checksum: 0c9d4ae055460b30f30606266cbb8700fcb4ad07cc7c2f16fb852cf541c31f32706c35178e89c27f8c05323d1f5764918a85197ae5d609ad556409bbf868c9f2
```
I want to know what kind of checksum this is (`0c9d4ae055460b30f30606266cbb8700fcb4ad07cc7c2f16fb852cf541c31f32706c35178e89c27f8c05323d1f5764918a85197ae5d609ad556409bbf868c9f2`) and if it's compatible, in terms of verifying the integrity, with the one stored in the npm/yarn registry as shown above.
You can calculate the checksum by downloading the tgz and running the following command:

```shell
curl 'https://registry.yarnpkg.com/accepts/-/accepts-1.1.4.tgz#d71c96f7d41d0feda2c38cd14e8a27c04158df4a' | openssl dgst -sha512 -binary | openssl base64 -A
```

This gives you:

```
8EKM6XlFgqSpDcxkT9yxCT8nDSWEVBD0UjgUWMCWh5kH9VU+ar2MhmDDYGxohXujPU8PPz88ukpkvfXFVWygHw==
```
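As an added example (not code from the question or the answer above), the following Python does in code what the `openssl` pipeline does: it verifies an npm/Yarn v1 `integrity` value of the form `sha512-<base64>` against the bytes of a tarball and converts between that base64 SRI encoding and the 128-character hex encoding seen in the v2+ `checksum` field, so two digests can be compared regardless of how each is written. The tarball bytes are constructed inline rather than fetched from the registry; a matching encoding only proves anything when both digests were computed over the same file, and the Yarn v2+ value hashes the archive as Yarn stores it in its own cache, not the registry `.tgz`.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for a downloaded .tgz; a real check would hash the
# bytes returned by the registry tarball URL instead.
SAMPLE_TARBALL = b"\x1f\x8b\x08\x00" + b"accepts-1.1.4 sample bytes" * 8

def sri_sha512(data: bytes) -> str:
    """Return the Subresource Integrity string npm/Yarn v1 store: sha512-<base64>."""
    digest = hashlib.sha512(data).digest()
    return "sha512-" + base64.b64encode(digest).decode("ascii")

def parse_sri(integrity: str) -> tuple[str, bytes]:
    """Split 'algo-base64' into (algo, raw digest bytes); rejects unknown algorithms."""
    algo, _, b64 = integrity.partition("-")
    if algo not in ("sha256", "sha384", "sha512") or not b64:
        raise ValueError(f"unsupported integrity value: {integrity!r}")
    return algo, base64.b64decode(b64, validate=True)

def verify_sri(data: bytes, integrity: str) -> bool:
    """True if `data` hashes to the digest in the SRI string (constant-time compare)."""
    algo, expected = parse_sri(integrity)
    actual = hashlib.new(algo, data).digest()
    return hmac.compare_digest(actual, expected)

def sri_to_hex(integrity: str) -> str:
    """Re-encode an SRI digest as lowercase hex, the encoding Yarn v2+ lockfiles use."""
    _, raw = parse_sri(integrity)
    return raw.hex()

def hex_to_sri(hex_digest: str, algo: str = "sha512") -> str:
    """Re-encode a hex digest as an SRI string so it can be compared with npm's value."""
    raw = bytes.fromhex(hex_digest)
    return f"{algo}-{base64.b64encode(raw).decode('ascii')}"

def same_digest(integrity: str, hex_digest: str) -> bool:
    """Compare an SRI value with a hex value without caring which encoding each uses."""
    return hmac.compare_digest(sri_to_hex(integrity), hex_digest.lower())

if __name__ == "__main__":
    sri = sri_sha512(SAMPLE_TARBALL)
    print(sri)
    print(verify_sri(SAMPLE_TARBALL, sri))
    print(same_digest(sri, sri_to_hex(sri)))
```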