
I understand npm has changed the integrity checksum from sha1 to sha512, but I am confused why a few of the dependencies in the package-lock.json file still show a sha1 integrity checksum.

Adding below a few lines from the package-lock file, which has sha1 and sha512 mixed. As per my understanding, all the sha1 hashes should have been replaced by sha512.

"assign-symbols": {
  "version": "1.0.0",
  "resolved": "https://registry.npmjs.org/assign-symbols/-/assign-symbols-1.0.0.tgz",
  "integrity": "sha1-WWZ/QfrdTyDMvCu5a41Pf3jsA2c=",
  "dev": true
},
"async": {
  "version": "2.6.1",
  "resolved": "https://registry.npmjs.org/async/-/async-2.6.1.tgz",
  "integrity": "sha512-fNEiL2+AZt6AlAw/29Cr0UDe4sRAHCpEHh54WMz+Bb7QfNcFw4h3loofyJpLeQs4Yx7yuqu/2dLgM5hKOs6HlQ==",
  "dev": true,
  "requires": {
    "lodash": "4.17.11"
  }
},
"async-each": {
  "version": "1.0.1",
  "resolved": "https://registry.npmjs.org/async-each/-/async-each-1.0.1.tgz",
  "integrity": "sha1-GdOGodntxufByF04iu28xW0zYC0=",
  "dev": true
},
"atob": {
  "version": "2.1.2",
  "resolved": "https://registry.npmjs.org/atob/-/atob-2.1.2.tgz",
  "integrity": "sha512-Wm6ukoaOGJi/73p/cl2GvLjTI5JM1k/O14isD73YML8StrH/7/lRFgmg8nICZgD3bZZvjwCGxtMOD3wWNAu8cg==",
  "dev": true
},
"atob-lite": {
  "version": "1.0.0",
  "resolved": "https://registry.npmjs.org/atob-lite/-/atob-lite-1.0.0.tgz",
  "integrity": "sha1-uI3KYAaSK5YglPdVaCa6sxxKKWs="
},
"autoprefixer": {
  "version": "6.7.7",
  "resolved": "https://registry.npmjs.org/autoprefixer/-/autoprefixer-6.7.7.tgz",
  "integrity": "sha1-Hb0cg1ZY41zj+ZhAmdsAWFx4IBQ=",
  "dev": true,
  "requires": {
    "browserslist": "1.7.7",
    "caniuse-db": "1.0.30000888",
    "normalize-range": "0.1.2",
    "num2fraction": "1.2.2",
    "postcss": "5.2.18",
    "postcss-value-parser": "3.3.0"
  }
}

Any reference which would help me understand this would be helpful.

Deepika

1 Answer


According to this post on the NPM Community Forum, only packages published with npm v5 or later will include an sha512 integrity hash.

If you are on npm v5 or later, and you're seeing this in your package-lock.json, one way to keep everything on sha512 instead of sha1 (according to this post) is to do the following:

  1. Remove all sha1 integrity hashes from your package-lock.json
  2. Run rm -rf node_modules
  3. Run npm cache clean -f
  4. Run npm install

This should result in a package-lock.json with the sha512 integrity hashes.

solimant