Skip to content
Latchkey

npm EINTEGRITY sha512 Mismatch in CI - Fix Tarball Integrity Failures

EINTEGRITY means the sha512 of a downloaded tarball did not match the hash recorded in the lockfile. It is sometimes a real mismatch and sometimes a corrupted or truncated download.

What this error means

npm ci or npm install aborts mid-fetch with code EINTEGRITY, reporting that the computed sha512 of a package does not equal the integrity value in package-lock.json.

npm
npm ERR! code EINTEGRITY
npm ERR! sha512-abc123... integrity checksum failed when using sha512:
npm ERR! wanted sha512-abc123... but got sha512-def456...
npm ERR! (39482 bytes)

Common causes

The lockfile integrity hash no longer matches the published tarball

A republished package or a mirror serving a different artifact produces a hash that disagrees with the committed lockfile.

A corrupted cache or a truncated download

A partial transfer or a poisoned ~/.npm cache yields bytes that hash to the wrong value, which is transient and clears on a clean retry.

How to fix it

Clear the cache and retry

  1. Force-clean the npm cache to drop any corrupted artifact.
  2. Re-run the install so the tarball is fetched fresh.
Terminal
npm cache clean --force
npm ci

Regenerate the lockfile if the hash is genuinely stale

  1. Delete package-lock.json and node_modules.
  2. Run npm install to recompute integrity hashes.
  3. Commit the refreshed lockfile.
Terminal
rm -rf node_modules package-lock.json
npm install

How to prevent it

  • Pin a trusted registry, cache ~/.npm keyed on the lockfile, and keep the lockfile in sync. On self-healing managed runners like Latchkey, a transient corrupted-download EINTEGRITY is auto-retried and the registry is cached, so it usually clears without a manual re-run.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →