Skip to content
Latchkey

yarn "Integrity check failed" / checksum mismatch - Fix in CI

yarn records a checksum for every resolved package in yarn.lock and verifies it on install. A mismatch means the fetched bytes differ from what the lockfile expects - typically a corrupted cache or mirror, not tampering.

What this error means

yarn install fails with "Integrity check failed" (or a checksum-mismatch message in Berry) for a specific package. A clean cache and re-fetch usually fixes it, indicating corruption rather than a wrong lockfile.

yarn output
error https://registry.yarnpkg.com/.../pkg.tgz:
Integrity check failed for "pkg" (computed integrity doesn't match
our records, got "sha512-ABC..." expected "sha512-XYZ...")

Common causes

Corrupted yarn cache or download

A damaged tarball in the yarn cache, or a truncated fetch from a mirror, hashes differently from the lockfile’s recorded checksum.

A mirror serving different bytes

A proxy/mirror that returns a re-packaged or differing tarball than the canonical registry breaks the integrity check.

How to fix it

Clean the cache and reinstall

Force a fresh fetch so the cached bad tarball is discarded.

Terminal
yarn cache clean
rm -rf node_modules
yarn install --immutable

Rule out a bad mirror

  1. Re-run the job - a transient corrupted fetch usually recovers.
  2. Point at the canonical registry to confirm the mirror is the culprit.
  3. Regenerate yarn.lock only if you have confirmed the published bytes legitimately changed.

How to prevent it

  • Bust the yarn cache when integrity errors recur.
  • Prefer a reliable registry/mirror in CI.
  • Keep yarn.lock committed and stable.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →