From a4fed279832991a094cafcbc1ad7e467b2b0f785 Mon Sep 17 00:00:00 2001
From: Zoltan Kochan
Date: Fri, 13 Aug 2021 11:08:10 +0300
Subject: [PATCH] fix(npm-resolver): ignore broken shasum in metadata (#3666)

close #3663
---
 .changeset/forty-horses-push.md | 7 ++++
 packages/npm-resolver/src/index.ts | 9 +++-
 packages/npm-resolver/test/index.ts | 41 +++++++++++++++++++
 .../test/meta/broken-integrity.json | 41 +++++++++++++++++++
 4 files changed, 97 insertions(+), 1 deletion(-)
 create mode 100644 .changeset/forty-horses-push.md
 create mode 100644 packages/npm-resolver/test/meta/broken-integrity.json

diff --git a/.changeset/forty-horses-push.md b/.changeset/forty-horses-push.md
new file mode 100644
index 0000000000..dc2f7e6437
--- /dev/null
+++ b/.changeset/forty-horses-push.md
@@ -0,0 +1,7 @@
+---
+"@pnpm/npm-resolver": patch
+---
+
+Do not fail if a package has no shasum in the metadata.
+
+Fail if a package has broken shasum in the metadata.
diff --git a/packages/npm-resolver/src/index.ts b/packages/npm-resolver/src/index.ts
index 0caf69e1c9..8969de2363 100644
--- a/packages/npm-resolver/src/index.ts
+++ b/packages/npm-resolver/src/index.ts
@@ -314,5 +314,12 @@ function getIntegrity (dist: {
   if (dist.integrity) {
     return dist.integrity
   }
-  return ssri.fromHex(dist.shasum, 'sha1').toString()
+  if (!dist.shasum) {
+    return undefined
+  }
+  const integrity = ssri.fromHex(dist.shasum, 'sha1')
+  if (!integrity) {
+    throw new PnpmError('INVALID_TARBALL_INTEGRITY', `Tarball "${dist.tarball}" has invalid shasum specified in its metadata: ${dist.shasum}`)
+  }
+  return integrity.toString()
 }
diff --git a/packages/npm-resolver/test/index.ts b/packages/npm-resolver/test/index.ts
index 94d91d4d28..54644abf95 100644
--- a/packages/npm-resolver/test/index.ts
+++ b/packages/npm-resolver/test/index.ts
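Review bot: The `if (!integrity)` guard after `ssri.fromHex` only rejects a shasum whose hex decodes to an empty digest, which is what the `"a"` in the new test exercises; if `fromHex` decodes through `Buffer.from(hex)`, a value of the right length that contains a non-hex character is silently truncated at the first bad pair, so this function would return a well-formed but wrong `sha1-…` string and the failure would surface later as a generic integrity mismatch on the tarball instead of as this error. Validating the shape before decoding keeps the error deterministic and the message accurate, e.g. `if (!/^[0-9a-f]{40}$/i.test(dist.shasum)) {` raising the same `PnpmError` ahead of the `ssri.fromHex` call, with the existing `!integrity` check kept as a backstop. The new `return undefined` branch deserves a comment, since it means the tarball is downloaded with no integrity check at all when the registry metadata carries neither field: `// Neither integrity nor shasum in the metadata: the tarball is fetched unverified`. The signature of getIntegrity, including a declared return type that must now admit `undefined`, starts outside the hunk.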
@@ -18,6 +18,7 @@ const isPositiveMetaFull = loadJsonFile.sync(path.join(__dirname, 'meta', '
 const isPositiveBrokenMeta = loadJsonFile.sync(path.join(__dirname, 'meta', 'is-positive-broken.json'))
 const sindresorhusIsMeta = loadJsonFile.sync(path.join(__dirname, 'meta', 'sindresorhus-is.json'))
 const jsonMeta = loadJsonFile.sync(path.join(__dirname, 'meta', 'JSON.json'))
+const brokenIntegrity = loadJsonFile.sync(path.join(__dirname, 'meta', 'broken-integrity.json'))
 /* eslint-enable @typescript-eslint/no-explicit-any */
 
 const registry = 'https://registry.npmjs.org/'
@@ -1648,3 +1649,43 @@ test('resolve workspace:~', async () => {
   expect(resolveResult!.manifest!.name).toBe('is-positive')
   expect(resolveResult!.manifest!.version).toBe('1.0.0')
 })
+
+test('resolveFromNpm() does not fail if the meta file contains no integrity information', async () => {
+  nock(registry)
+    .get('/is-positive')
+    .reply(200, brokenIntegrity)
+
+  const cacheDir = tempy.directory()
+  const resolve = createResolveFromNpm({
+    cacheDir,
+  })
+  const resolveResult = await resolve({ alias: 'is-positive', pref: '2.0.0' }, {
+    registry,
+  })
+
+  expect(resolveResult!.resolvedVia).toBe('npm-registry')
+  expect(resolveResult!.id).toBe('registry.npmjs.org/is-positive/2.0.0')
+  expect(resolveResult!.latest!.split('.').length).toBe(3)
+  expect(resolveResult!.resolution).toStrictEqual({
+    integrity: undefined,
+    registry,
+    tarball: 'https://registry.npmjs.org/is-positive/-/is-positive-2.0.0.tgz',
+  })
+  expect(resolveResult!.manifest).toBeTruthy()
+  expect(resolveResult!.manifest!.name).toBe('is-positive')
+  expect(resolveResult!.manifest!.version).toBe('2.0.0')
+})
+
+test('resolveFromNpm() fails if the meta file contains invalid shasum', async () => {
+  nock(registry)
+    .get('/is-positive')
+    .reply(200, brokenIntegrity)
+
+  const cacheDir = tempy.directory()
+  const resolve = createResolveFromNpm({
+    cacheDir,
+  })
+  await expect(
+    resolve({ alias: 'is-positive', pref: '1.0.0' }, { registry })
+  ).rejects.toThrow('Tarball "https://registry.npmjs.org/is-positive/-/is-positive-1.0.0.tgz" has invalid shasum specified in its metadata: a')
+})
diff --git a/packages/npm-resolver/test/meta/broken-integrity.json b/packages/npm-resolver/test/meta/broken-integrity.json
new file mode 100644
index 0000000000..ab3b2cbb68
--- /dev/null
+++ b/packages/npm-resolver/test/meta/broken-integrity.json
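Review bot: The second test pins the full human-readable message in `.rejects.toThrow('Tarball "…" has invalid shasum specified in its metadata: a')`, which couples the test to wording rather than to the contract; the error is raised with the `INVALID_TARBALL_INTEGRITY` code, so asserting on the rejected error's code property alongside (or instead of) the message would survive message edits while still proving the right failure path was taken. The first test's title says the metadata contains no integrity information, but the fixture it loads gives version 2.0.0 a `"shasum": ""` entry rather than omitting the field; a fixture version with the `shasum` key absent altogether is the case the title and the changeset describe, and is worth a second entry or at least a comment such as `// empty string and absent key are both treated as "no shasum" by the resolver`. Both test bodies are complete within the hunk.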
@@ -0,0 +1,41 @@
+{
+  "versions": {
+    "1.0.0": {
+      "name": "is-positive",
+      "version": "1.0.0",
+      "devDependencies": {
+        "ava": "^0.0.4"
+      },
+      "_hasShrinkwrap": false,
+      "directories": {},
+      "dist": {
+        "shasum": "a",
+        "tarball": "https://registry.npmjs.org/is-positive/-/is-positive-1.0.0.tgz"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "2.0.0": {
+      "name": "is-positive",
+      "version": "2.0.0",
+      "devDependencies": {
+        "ava": "^0.0.4"
+      },
+      "_hasShrinkwrap": false,
+      "directories": {},
+      "dist": {
+        "shasum": "",
+        "tarball": "https://registry.npmjs.org/is-positive/-/is-positive-2.0.0.tgz"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    }
+  },
+  "name": "is-positive",
+  "dist-tags": {
+    "latest": "1.0.0"
+  },
+  "modified": "2017-08-17T19:26:00.508Z"
+}