Installing sharp-libvips on Linux Fails with Integrity Check Error #3133

Closed
3 tasks done
karlhorky opened this issue Mar 12, 2022 · 6 comments

@karlhorky

karlhorky commented Mar 12, 2022

Possible install-time or require-time problem

When installing sharp@0.30.2 as normal on CI (Render.com), there is an integrity check error with libvips-8.12.2-linux-x64.tar.br (downloaded from GitHub). This has been working as normal for multiple deploys in the last week (with no version changes to sharp or anything else related in the Yarn lockfile).

An integrity check error seems weird - could this be something related to a compromise in GitHub? Just thinking about the numerous hacking attempts that have been going on lately...

  • I have read the documentation relating to installation.
  • I have ensured that the architecture and platform of Node.js used for npm install is the same as the architecture and platform of Node.js used at runtime.

Are you using the latest version of sharp?

  • I am using the latest version of sharp as reported by npm view sharp dist-tags.latest.

If you cannot confirm this, please upgrade to the latest version and try again before opening an issue.

If you are using another package which depends on a version of sharp that is not the latest, please open an issue against that package instead.

Is this a problem with filesystem permissions?

If you are using npm v6 or earlier and installing as a root or sudo user, have you tried with the npm install --unsafe-perm flag?

Not applicable

If you are using npm v7 or later, does the user running npm install own the directory it is run in?

Not applicable

If you are using the ignore-scripts feature of npm, have you tried with the npm install --ignore-scripts=false flag?

Not applicable

What is the complete output of running npm install --verbose sharp?

I've added the output of the Yarn installation command that fails the integrity check

Mar 12 04:47:58 PM  [5/5] Building fresh packages...
Mar 12 04:48:09 PM  error /opt/render/project/node_modules/sharp, /opt/render/project/src/node_modules/sharp: Command failed.
Mar 12 04:48:09 PM  Exit code: 1
Mar 12 04:48:09 PM  Command: (node install/libvips && node install/dll-copy && prebuild-install) || (node install/can-compile && node-gyp rebuild && node install/dll-copy)
Mar 12 04:48:09 PM  Arguments:
Mar 12 04:48:09 PM  Directory: /opt/render/project/node_modules/sharp
Mar 12 04:48:09 PM  Output:
Mar 12 04:48:09 PM  sharp: Downloading https://github.com/lovell/sharp-libvips/releases/download/v8.12.2/libvips-8.12.2-linux-x64.tar.br
Mar 12 04:48:09 PM  sharp: Integrity expected: sha512-SSWAwBFi0hx8V/h/v82tTFGKWTFv9FiCK3Timz5OExuI+sX1Ngrd0PVQaWXOThGNdel/fcD3Bz9YjSt4feBR1g==
Mar 12 04:48:09 PM  sharp: Integrity received: sha512-uXR53JMNUBvGLI/MM0LfDFn4saogG4UP+Sq9/1oFUEGTa84sil1bPEM+9iGcl4L+gFNM0omTsLF8yj8n9IPvAw==
Mar 12 04:48:09 PM  sharp: Please see https://sharp.pixelplumbing.com/install for required dependencies
Mar 12 04:48:09 PM  sharp: Installation error: Integrity check failed for linux-x64
Mar 12 04:48:09 PM  info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.
Mar 12 04:48:13 PM  error Command failed with exit code 1.

What is the output of running npx envinfo --binaries --system --npmPackages=sharp --npmGlobalPackages=sharp?

@karlhorky
Author

Hm, interesting... as quickly as the error appeared, it is gone again!

I cleared the cache of the system and started a new deploy -- twice! -- and on the second run, it installed without problems.

Wonder if it was a temporary problem (or even temporary breach) at GitHub...

Anyway, seems to be working again. Closing this!

@lovell
Owner

lovell commented Mar 12, 2022

Sounds like a temporary problem between your CI environment and GitHub, hopefully not a breach of either, but the integrity check exists to guard against this kind of problem so it worked as intended.

https://sharp.pixelplumbing.com/install#prebuilt-binaries

A ~7MB tarball containing libvips and its most commonly used dependencies is downloaded via HTTPS, verified via Subresource Integrity and...

@karlhorky
Author

Interesting, just failed again now, different SHA512... 🤔

Anyway, clearing cache and retrying. I know there's not much that the sharp project itself can do - these safeguards are helping out, which is great.

Mar 13 03:19:41 PM   Output:
Mar 13 03:19:41 PM   sharp: Downloading https://github.com/lovell/sharp-libvips/releases/download/v8.12.2/libvips-8.12.2-linux-x64.tar.br
Mar 13 03:19:41 PM   sharp: Integrity expected: sha512-SSWAwBFi0hx8V/h/v82tTFGKWTFv9FiCK3Timz5OExuI+sX1Ngrd0PVQaWXOThGNdel/fcD3Bz9YjSt4feBR1g==
Mar 13 03:19:41 PM   sharp: Integrity received: sha512-8S++NruXPKAZkqNPu9/RUvPfNCFitvOb6a0BZdO3FTwiDN7MmAUiur07UPG2kDSbXoALbhIpvNRbmAimjjCJMA==
Mar 13 03:19:41 PM   sharp: Installation error: Integrity check failed for linux-x64

@lovell
Owner

lovell commented Mar 13, 2022

I guess it's possible that the integrity error could be smothering another error? Perhaps the check should be wrapped in a nextTick() to let any other sync logic that could emit an error run first.

sharp/install/libvips.js

Lines 71 to 73 in e8720c9

flush: function (done) {
  const digest = `sha512-${hash.digest('base64')}`;
  if (expected !== digest) {

What version of Node.js are you using? There was a fix in 16 that is somewhat related - nodejs/node#34314
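
The comment above points at a check that hashes the download as it streams and compares the digest in `flush()`. As an added example (not sharp's code and not part of this thread), here is a checker of the same shape that also counts bytes, so a short body can be told apart from a full-length body with different content. The names `createChecker`, `integrityStream`, `check`, the `expectedBytes` parameter and the sample buffer are assumptions of this example.

```javascript
const crypto = require('crypto');
const { Transform } = require('stream');

// Incremental checker: feed chunks with update(), then call finish().
// `expected` is an SRI-style string "sha512-<base64>", as in the log lines on this page.
// `expectedBytes` is an assumption of this example (e.g. taken from Content-Length).
function createChecker(expected, expectedBytes) {
  const hash = crypto.createHash('sha512');
  let bytes = 0;
  return {
    update(chunk) { hash.update(chunk); bytes += chunk.length; },
    finish() {
      const received = `sha512-${hash.digest('base64')}`;
      if (received === expected) return { ok: true, received, bytes };
      // Same length, different digest: the content differs. Different length: the
      // transfer was cut short or padded, which a bare digest mismatch hides.
      const reason = bytes === expectedBytes ? 'content-mismatch' : 'length-mismatch';
      return { ok: false, received, bytes, reason };
    }
  };
}

// The same check as a pass-through stream that fails in flush().
function integrityStream(expected, expectedBytes) {
  const checker = createChecker(expected, expectedBytes);
  return new Transform({
    transform(chunk, _enc, done) { checker.update(chunk); done(null, chunk); },
    flush(done) {
      const r = checker.finish();
      if (r.ok) return done();
      const err = new Error(
        `Integrity check failed (${r.reason}): received ${r.received} after ${r.bytes} bytes`);
      done(Object.assign(err, r)); // keep digest, byte count and reason on the error
    }
  });
}

// Constructed sample data: a 4 KiB stand-in for the tarball, not the real artifact.
const artifact = Buffer.alloc(4096, 0x5a);
const expected = `sha512-${crypto.createHash('sha512').update(artifact).digest('base64')}`;

// Run a body through the checker in 1 KiB chunks, as a download would arrive.
function check(body) {
  const c = createChecker(expected, artifact.length);
  for (let i = 0; i < body.length; i += 1024) c.update(body.subarray(i, i + 1024));
  return c.finish();
}
```

Calling `check()` with the full buffer, a truncated copy, and a copy with one bit flipped returns `ok: true`, `length-mismatch` and `content-mismatch` respectively.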

@karlhorky
Author

Ah interesting, yeah Node.js 16.2.0 is the version on the CI system where the failures are.

Another system with 16.13.0 was not failing, so that could really be something. I'll try upgrading the failing system.

Thanks for the tip!

@karlhorky
Author

karlhorky commented Mar 16, 2022

Hm... another error after the upgrade to 16.13.0 too (again, a completely different hash):

Mar 16 01:22:06 PM   ==> Detected Node version 16.13.0
...
Mar 16 01:26:46 PM   Output:
Mar 16 01:26:46 PM   sharp: Downloading https://github.com/lovell/sharp-libvips/releases/download/v8.12.2/libvips-8.12.2-linux-x64.tar.br
Mar 16 01:26:46 PM   sharp: Integrity expected: sha512-SSWAwBFi0hx8V/h/v82tTFGKWTFv9FiCK3Timz5OExuI+sX1Ngrd0PVQaWXOThGNdel/fcD3Bz9YjSt4feBR1g==
Mar 16 01:26:46 PM   sharp: Integrity received: sha512-z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==
