yarn "Integrity check failed" / checksum mismatch - Fix in CI
yarn records a checksum for every resolved package in yarn.lock and verifies it on install. A mismatch means the fetched bytes differ from what the lockfile expects - typically a corrupted cache or mirror, not tampering.
What this error means
yarn install fails with "Integrity check failed" (or a checksum-mismatch message in Berry) for a specific package. A clean cache and re-fetch usually fixes it, indicating corruption rather than a wrong lockfile.
error https://registry.yarnpkg.com/.../pkg.tgz:
Integrity check failed for "pkg" (computed integrity doesn't match
our records, got "sha512-ABC..." expected "sha512-XYZ...")Common causes
Corrupted yarn cache or download
A damaged tarball in the yarn cache, or a truncated fetch from a mirror, hashes differently from the lockfile’s recorded checksum.
A mirror serving different bytes
A proxy/mirror that returns a re-packaged or differing tarball than the canonical registry breaks the integrity check.
How to fix it
Clean the cache and reinstall
Force a fresh fetch so the cached bad tarball is discarded.
yarn cache clean
rm -rf node_modules
yarn install --immutableRule out a bad mirror
- Re-run the job - a transient corrupted fetch usually recovers.
- Point at the canonical registry to confirm the mirror is the culprit.
- Regenerate yarn.lock only if you have confirmed the published bytes legitimately changed.
How to prevent it
- Bust the yarn cache when integrity errors recur.
- Prefer a reliable registry/mirror in CI.
- Keep yarn.lock committed and stable.