fix(integrity): stop defaulting to sha1 hashes

zkat · Nov 15, 2017 · 62f8cdf · 62f8cdf
1 parent b61851e
commit 62f8cdf
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 3 deletions.
diff --git a/lib/finalize-manifest.js b/lib/finalize-manifest.js
@@ -153,7 +153,7 @@ function tarballedProps (pkg, spec, opts) {
       needsShrinkwrap && jsonFromStream('npm-shrinkwrap.json', extracted),
       needsManifest && jsonFromStream('package.json', extracted),
       needsBin && getPaths(extracted),
-      needsHash && ssri.fromStream(tarStream, { algorithms: ['sha1'] }),
+      needsHash && ssri.fromStream(tarStream),
       needsExtract && pipe(tarStream, extracted),
       (sr, mani, paths, hash) => {
         if (needsManifest && !mani) {

diff --git a/test/finalize-manifest.js b/test/finalize-manifest.js
@@ -145,7 +145,7 @@ test('fills in integrity hash if missing', t => {
     'package.json': base,
     'npm-shrinkwrap.json': sr
   }).then(tarData => {
-    const integrity = ssri.fromData(tarData, {algorithms: ['sha1']}).toString()
+    const integrity = ssri.fromData(tarData, {algorithms: ['sha512']}).toString()
     tnock(t, OPTS.registry).get('/' + tarballPath).reply(200, tarData)
     return finalizeManifest(base, {
       name: base.name,
@@ -253,7 +253,7 @@ test('uses package.json as base if passed null', t => {
         peerDependencies: {},
         _resolved: OPTS.registry + tarballPath,
         deprecated: false,
-        _integrity: ssri.fromData(tarData, {algorithms: ['sha1']}).toString(),
+        _integrity: ssri.fromData(tarData, {algorithms: ['sha512']}).toString(),
         _shasum: null, // shasums are only when provided
         _shrinkwrap: sr,
         bin: { 'x': path.join('foo', 'x') },