npm EINTEGRITY "sha512 … integrity checksum failed" - Fix in CI
EINTEGRITY means a downloaded package tarball did not hash to the integrity value npm expected. Usually it is a corrupted download or stale cache, not a tampered package - but it is worth confirming.
What this error means
npm ci/npm install fails mid-download for a specific package, reporting that the sha512 integrity checksum did not match. A clean re-run on a fresh cache often succeeds, which points at a corrupted fetch rather than a bad lockfile.
npm error code EINTEGRITY
npm error sha512-XYZ... integrity checksum failed when using sha512:
npm error wanted sha512-XYZ... but got sha512-ABC...
npm error (12345 bytes)Common causes
Corrupted download or a flaky mirror
A truncated or mangled tarball from a proxy, mirror, or transient network glitch hashes differently from the recorded integrity, so npm rejects it.
A poisoned or stale local/CI cache
A bad tarball cached in ~/.npm (or a restored CI cache) is replayed on every run, so the same integrity error repeats until the cache entry is cleared.
The lockfile integrity no longer matches a republished version
If a registry served different bytes for a version than the lockfile recorded, the hashes diverge. This is rare on npmjs.org but possible behind a custom registry.
How to fix it
Clear the cache and reinstall
Force-clean the npm cache so the bad tarball is re-fetched fresh.
npm cache clean --force
rm -rf node_modules
npm ciRetry past a flaky mirror
- Re-run the job - a corrupted fetch usually succeeds on retry.
- Raise npm fetch retries so a single bad download self-recovers.
- If it persists for one package, point at the canonical registry to rule out a bad mirror.
How to prevent it
- Cache ~/.npm keyed on the lockfile, and bust it if EINTEGRITY recurs.
- Prefer a reliable registry/mirror for high-volume pipelines.
- Commit a clean lockfile so integrity values are stable.