npm EINTEGRITY sha512 Mismatch in CI - Fix Tarball Integrity Failures
EINTEGRITY means the sha512 of a downloaded tarball did not match the hash recorded in the lockfile. It is sometimes a real mismatch and sometimes a corrupted or truncated download.
What this error means
npm ci or npm install aborts mid-fetch with code EINTEGRITY, reporting that the computed sha512 of a package does not equal the integrity value in package-lock.json.
npm
npm ERR! code EINTEGRITY
npm ERR! sha512-abc123... integrity checksum failed when using sha512:
npm ERR! wanted sha512-abc123... but got sha512-def456...
npm ERR! (39482 bytes)Common causes
The lockfile integrity hash no longer matches the published tarball
A republished package or a mirror serving a different artifact produces a hash that disagrees with the committed lockfile.
A corrupted cache or a truncated download
A partial transfer or a poisoned ~/.npm cache yields bytes that hash to the wrong value, which is transient and clears on a clean retry.
How to fix it
Clear the cache and retry
- Force-clean the npm cache to drop any corrupted artifact.
- Re-run the install so the tarball is fetched fresh.
Terminal
npm cache clean --force
npm ciRegenerate the lockfile if the hash is genuinely stale
- Delete package-lock.json and node_modules.
- Run npm install to recompute integrity hashes.
- Commit the refreshed lockfile.
Terminal
rm -rf node_modules package-lock.json
npm installHow to prevent it
- Pin a trusted registry, cache ~/.npm keyed on the lockfile, and keep the lockfile in sync. On self-healing managed runners like Latchkey, a transient corrupted-download EINTEGRITY is auto-retried and the registry is cached, so it usually clears without a manual re-run.