feat: COREPACK_INTEGRITY_KEYS should support 0 and false values t…

…o disable integrity checks (nodejs#468)

README.md

@@ -296,8 +296,9 @@ same major line. Should you need to upgrade to a new major, use an explicit
 - `HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY` are supported through
   [`node-proxy-agent`](https://github.com/TooTallNate/node-proxy-agent).
 
-- `COREPACK_INTEGRITY_KEYS` can be set to an empty string to instruct Corepack
-  to skip integrity checks, or a JSON string containing custom keys.
+- `COREPACK_INTEGRITY_KEYS` can be set to an empty string, `0`, or `false` to
+  instruct Corepack to skip integrity checks, or to a JSON string containing
+  custom keys.
 
 ## Troubleshooting
 

sources/corepackUtils.ts

@@ -283,7 +283,7 @@ export async function installVersion(installTarget: string, locator: Locator, {s
 
   if (!build[1]) {
     const registry = getRegistryFromPackageManagerSpec(spec);
-    if (registry.type === `npm` && !registry.bin && process.env.COREPACK_INTEGRITY_KEYS !== ``) {
+    if (registry.type === `npm` && !registry.bin && !shouldSkipIntegrityCheck()) {
       if (signatures! == null || integrity! == null)
         ({signatures, integrity} = (await npmRegistryUtils.fetchTarballURLAndSignature(registry.package, version)));
 
@@ -432,3 +432,9 @@ export async function runVersion(locator: Locator, installSpec: InstallSpec & {s
   // the stack trace of the package manager.
   process.nextTick(Module.runMain, binPath);
 }
+
+export function shouldSkipIntegrityCheck() {
+  return [``, `0`, `false`].includes(
+    process.env.COREPACK_INTEGRITY_KEYS?.toLowerCase().trim()
+  );
+}

sources/npmRegistryUtils.ts

@@ -4,6 +4,7 @@ import {createVerify} from 'crypto';
 import defaultConfig  from '../config.json';
 
 import * as httpUtils from './httpUtils';
+import { shouldSkipIntegrityCheck } from './corepackUtils';
 
 // load abbreviated metadata as that's all we need for these calls
 // see: https://github.com/npm/registry/blob/cfe04736f34db9274a780184d1cdb2fb3e4ead2a/docs/responses/package-metadata.md
@@ -63,7 +64,7 @@ export async function fetchLatestStableVersion(packageName: string) {
 
   const {version, dist: {integrity, signatures}} = metadata;
 
-  if (process.env.COREPACK_INTEGRITY_KEYS !== ``) {
+  if (!shouldSkipIntegrityCheck()) {
     verifySignature({
       packageName, version,
       integrity, signatures,

tests/corepackUtils.test.ts

@@ -0,0 +1,40 @@
+import { describe, it, expect } from "@jest/globals";
+
+import { shouldSkipIntegrityCheck } from "../sources/corepackUtils";
+
+describe(`corepack utils shouldSkipIntegrityCheck`, () => {
+  it(`should return false if COREPACK_INTEGRITY_KEYS env is not set`, () => {
+    delete process.env.COREPACK_INTEGRITY_KEYS;
+    expect(shouldSkipIntegrityCheck()).toBe(false);
+  });
+
+  it(`should return true if COREPACK_INTEGRITY_KEYS env is set to 0`, () => {
+    process.env.COREPACK_INTEGRITY_KEYS = `0`;
+    expect(shouldSkipIntegrityCheck()).toBe(true);
+  });
+
+  it(`should return true if COREPACK_INTEGRITY_KEYS env is set to false`, () => {
+    process.env.COREPACK_INTEGRITY_KEYS = `false`;
+    expect(shouldSkipIntegrityCheck()).toBe(true);
+  });
+
+  it(`should return true if COREPACK_INTEGRITY_KEYS env is set to FALSE`, () => {
+    process.env.COREPACK_INTEGRITY_KEYS = `FALSE`;
+    expect(shouldSkipIntegrityCheck()).toBe(true);
+  });
+
+  it(`should return true if COREPACK_INTEGRITY_KEYS env is set to an empty string`, () => {
+    process.env.COREPACK_INTEGRITY_KEYS = ``;
+    expect(shouldSkipIntegrityCheck()).toBe(true);
+  });
+
+  it(`should return true if COREPACK_INTEGRITY_KEYS env is set to a string with leading spaces`, () => {
+    process.env.COREPACK_INTEGRITY_KEYS = ` false `;
+    expect(shouldSkipIntegrityCheck()).toBe(true);
+  });
+
+  it(`should return false if COREPACK_INTEGRITY_KEYS env is set to any other value`, () => {
+    process.env.COREPACK_INTEGRITY_KEYS = JSON.stringify({ foo: `bar` });
+    expect(shouldSkipIntegrityCheck()).toBe(false);
+  });
+});