fix: fallback to shasum when integrity is not defined (#542)

Some npm registries do not define an `integrity` field, in which case
we can try using the `shasum` field instead.

Author: aduh95

sources/npmRegistryUtils.ts

@@ -62,7 +62,7 @@ export function verifySignature({signatures, integrity, packageName, version}: {
 export async function fetchLatestStableVersion(packageName: string) {
   const metadata = await fetchAsJson(packageName, `latest`);
 
-  const {version, dist: {integrity, signatures}} = metadata;
+  const {version, dist: {integrity, signatures, shasum}} = metadata;
 
   if (!shouldSkipIntegrityCheck()) {
     verifySignature({
@@ -71,7 +71,11 @@ export async function fetchLatestStableVersion(packageName: string) {
     });
   }
 
-  return `${version}+sha512.${Buffer.from(integrity.slice(7), `base64`).toString(`hex`)}`;
+  return `${version}+${
+    integrity ?
+      `sha512.${Buffer.from(integrity.slice(7), `base64`).toString(`hex`)}` :
+      `sha1.${shasum}`
+  }`;
 }
 
 export async function fetchAvailableTags(packageName: string) {

tests/_registryServer.mjs

@@ -87,7 +87,7 @@ const registry = {
 function generateSignature(packageName, version) {
   if (privateKey == null) return undefined;
   const sign = createSign(`SHA256`).end(`${packageName}@${version}:${integrity}`);
-  return {signatures: [{
+  return {integrity, signatures: [{
     keyid,
     sig: sign.sign(privateKey, `base64`),
   }]};
@@ -100,10 +100,8 @@ function generateVersionMetadata(packageName, version) {
       [packageName]: `./bin/${packageName}.js`,
     },
     dist: {
-      integrity,
       shasum,
       size: mockPackageTarGz.length,
-      noattachment: false,
       tarball: `https://registry.npmjs.org/${packageName}/-/${packageName}-${version}.tgz`,
       ...generateSignature(packageName, version),
     },

tests/main.test.ts

@@ -887,6 +887,30 @@ it(`should download yarn berry from custom registry`, async () => {
   });
 });
 
+it(`should download latest pnpm from custom registry`, async () => {
+  await xfs.mktempPromise(async cwd => {
+    process.env.AUTH_TYPE = `COREPACK_NPM_TOKEN`; // See `_registryServer.mjs`
+    process.env.COREPACK_DEFAULT_TO_LATEST = `1`;
+    process.env.COREPACK_INTEGRITY_KEYS = `0`;
+
+    await xfs.writeJsonPromise(ppath.join(cwd, `package.json` as Filename), {
+    });
+
+    await expect(runCli(cwd, [`pnpm`, `--version`], true)).resolves.toMatchObject({
+      exitCode: 0,
+      stdout: `pnpm: Hello from custom registry\n`,
+      stderr: /^! The local project doesn't define a 'packageManager' field\. Corepack will now add one referencing pnpm@1\.9998\.9999@sha1\./,
+    });
+
+    // Should keep working with cache
+    await expect(runCli(cwd, [`pnpm`, `--version`])).resolves.toMatchObject({
+      exitCode: 0,
+      stdout: `pnpm: Hello from custom registry\n`,
+      stderr: ``,
+    });
+  });
+});
+
 for (const authType of [`COREPACK_NPM_REGISTRY`, `COREPACK_NPM_TOKEN`, `COREPACK_NPM_PASSWORD`, `PROXY`]) {
   describe(`custom registry with auth ${authType}`, () => {
     beforeEach(() => {