In our current repo, we've committed yarn's cache to version control. We do this to decouple our CI from npm. I recently installed our repo dependencies with a different version of node and this caused a diff for some of our packages.
Instead of esbuild-darwin-64-npm-0.13.9.zip we got esbuild-darwin-arm64-npm-0.13.9.zip, without our yarn.lock file changing.
For this, I received some feedback that we don't have a checksum or integrity check for these new dependencies.
My problem here is that I don't exactly know what happened here and how it relates to different versions of node. My basic understanding is that peer dependencies are pinned in .lock files and that every user who installs repo dependencies should get the same dependencies (peer included).
The dependencies above look like binaries for different processor architectures, but I don't yet understand the link between .lock files, binaries and CPU arch.
Can someone explain this to me and why it would be problematic not to have checksums here? I'd also love to know how this can be caused by different node versions.
Thanks!
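As an added illustration of the integrity check the feedback refers to (this is example code, not part of the question and not yarn's own checksum mechanism): a POSIX shell script that records a SHA-256 manifest for the archives in a committed cache directory and later verifies the directory against it. With such a manifest, an install on a different machine that swaps a platform-specific archive, as in the question, surfaces as MISSING plus UNTRACKED entries instead of silently landing in the repo. The default cache path `.yarn/cache`, the manifest file name and the zip file names used in the demo (plain-text stand-ins, not real packages) are all constructed assumptions.

```shell
#!/bin/sh
# Added example: record and verify checksums for a committed package cache.
# Assumed layout: archives live in .yarn/cache (or the directory passed as $1);
# the manifest path is an assumption, not something yarn produces.

# Portable SHA-256 of one file (GNU coreutils or BSD shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Write one "<sha256>  <filename>" line per *.zip in the cache, sorted by name.
record_cache_checksums() {
  cache_dir=$1; manifest=$2
  for f in "$cache_dir"/*.zip; do
    [ -e "$f" ] || continue
    printf '%s  %s\n' "$(sha256_of "$f")" "$(basename "$f")"
  done | sort -k2 > "$manifest"
}

# Compare the cache against the manifest. Prints one line per problem:
#   CHANGED <file>    present, but its hash differs from the recorded one
#   MISSING <file>    recorded, but no longer in the cache
#   UNTRACKED <file>  in the cache, but never recorded (what a new platform
#                     build looks like when a different machine runs install)
# Returns 0 when everything matches, 1 otherwise.
verify_cache_checksums() {
  cache_dir=$1; manifest=$2; status=0
  while read -r expected name; do
    [ -n "$name" ] || continue
    if [ ! -f "$cache_dir/$name" ]; then
      echo "MISSING $name"; status=1
    elif [ "$(sha256_of "$cache_dir/$name")" != "$expected" ]; then
      echo "CHANGED $name"; status=1
    fi
  done < "$manifest"
  for f in "$cache_dir"/*.zip; do
    [ -e "$f" ] || continue
    name=$(basename "$f")
    awk -v n="$name" '$2 == n { found = 1 } END { exit !found }' "$manifest" \
      || { echo "UNTRACKED $name"; status=1; }
  done
  return $status
}

# Demo on constructed input: the zip names are stand-ins, not real packages.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/cache"
  printf 'fake x64 build' > "$tmp/cache/esbuild-darwin-64-npm-0.13.9.zip"
  printf 'fake package'   > "$tmp/cache/example-pkg-npm-1.0.0.zip"
  record_cache_checksums "$tmp/cache" "$tmp/cache-manifest.txt"
  verify_cache_checksums "$tmp/cache" "$tmp/cache-manifest.txt" && echo "clean cache: ok"
  # Simulate an install from another architecture replacing the native archive.
  rm "$tmp/cache/esbuild-darwin-64-npm-0.13.9.zip"
  printf 'fake arm64 build' > "$tmp/cache/esbuild-darwin-arm64-npm-0.13.9.zip"
  verify_cache_checksums "$tmp/cache" "$tmp/cache-manifest.txt" || echo "cache drift detected"
  rm -rf "$tmp"
}

demo
```

Run the record step once on a known-good checkout and commit the manifest next to the cache; the verify step then belongs in CI before `yarn install`, where a non-zero exit blocks an archive that nobody reviewed from being treated as trusted.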