[BUG] `npm install` changes `integrity` hashes back to SHA1 in package-lock.json

[Ionaru]

What / Why

When running npm install, the integrity hashes in package-lock.json change to SHA1 hashes instead of SHA512.

When

• When running npm install

Where

• n/a

How

Current Behavior

• Some hashes are changed to a SHA1 format.
  

Steps to Reproduce

• Update npm to 6.13.0
• Run npm install

Expected Behavior

• Hashes should be in SHA512 format.

Who

• @Ionaru
• Multiple people at my workplace.

References

• https://stackoverflow.com/questions/47638381/why-did-package-lock-json-change-the-integrity-hash-from-sha1-to-sha512
• npm install - updates "integrity" in package-lock.json npm#17749
• https://npm.community/t/shasum-check-or-integrity-eintegrity-errors/153

[rommni]

I confirm the same problem here with the same step, just want to add that the cache clean proposed in some topics on this problem didn't solve anything on my side.

[cburgmer]

Please bump the severity of this issue because of the now known attack against sha-1: https://sha-mbles.github.io/

[sraka1]

@darcyclarke why was this closed as completed seeing as this still appears on 6.x?

[ljharb]

@sraka1 6.x is unsupported except for security issues; only npm latest (8.13 atm) is supported.

[pauleustice]

This IS a security issue, as seen by the CVE that cburgmer linked to above