yarnpkg · arcanis · Oct 2, 2019 · Oct 2, 2019 · Oct 2, 2019 · Oct 2, 2019
diff --git a/.../corrupted-meta-empty/.yarn-metadata.json → .../corrupted-meta-empty/.yarn-metadata.json b/.../corrupted-meta-empty/.yarn-metadata.json → .../corrupted-meta-empty/.yarn-metadata.json
diff --git a/...ules/corrupted-meta-not-existing/.gitkeep → ...ules/corrupted-meta-not-existing/.gitkeep b/...ules/corrupted-meta-not-existing/.gitkeep → ...ules/corrupted-meta-not-existing/.gitkeep
diff --git a/...s/corrupted-meta-typo/.yarn-metadata.json → ...s/corrupted-meta-typo/.yarn-metadata.json b/...s/corrupted-meta-typo/.yarn-metadata.json → ...s/corrupted-meta-typo/.yarn-metadata.json
diff --git a/...ood/node_modules/good/.yarn-metadata.json → ...ood/node_modules/good/.yarn-metadata.json b/...ood/node_modules/good/.yarn-metadata.json → ...ood/node_modules/good/.yarn-metadata.json
diff --git a/src/constants.js b/src/constants.js
@@ -28,7 +28,7 @@ export const YARN_INSTALLER_MSI = 'https://yarnpkg.com/latest.msi';
 export const SELF_UPDATE_VERSION_URL = 'https://yarnpkg.com/latest-version';
 
 // cache version, bump whenever we make backwards incompatible changes
-export const CACHE_VERSION = 5;
+export const CACHE_VERSION = 6;
 
 // lockfile version, bump whenever we make backwards incompatible changes
 export const LOCKFILE_VERSION = 1;

diff --git a/src/fetchers/tarball-fetcher.js b/src/fetchers/tarball-fetcher.js
@@ -166,9 +166,11 @@ export default class TarballFetcher extends BaseFetcher {
         this.remote.integrity !== this.validateIntegrity.toString()
       ) {
         this.remote.integrity = this.validateIntegrity.toString();
+      } else if (this.validateIntegrity) {
+        this.remote.cacheIntegrity = this.validateIntegrity.toString();
       }
 
-      if (integrityInfo.algorithms.length === 0) {
+      if (integrityInfo.integrity && Object.keys(integrityInfo.integrity).length === 0) {
         return reject(
           new SecurityError(
             this.config.reporter.lang('fetchBadIntegrityAlgorithm', this.packageName, this.remote.reference),
@@ -350,7 +352,7 @@ export default class TarballFetcher extends BaseFetcher {
       return {integrity: null, algorithms};
     }
 
-    const algorithms = new Set();
+    const algorithms = new Set(['sha512']);
     const integrity = {};
     for (const algorithm of expectedIntegrityAlgorithms) {
       if (isHashAlgorithmSupported(algorithm)) {

diff --git a/src/package-fetcher.js b/src/package-fetcher.js
@@ -20,15 +20,18 @@ async function fetchCache(
   // $FlowFixMe: This error doesn't make sense
   const {hash, package: pkg, remote: cacheRemote} = await config.readPackageMetadata(dest);
 
+  const cacheIntegrity = cacheRemote.cacheIntegrity || cacheRemote.integrity;
+  const cacheHash = cacheRemote.hash;
+
   if (remote.integrity) {
-    if (!cacheRemote.integrity || !ssri.parse(remote.integrity).match(cacheRemote.integrity)) {
+    if (!cacheIntegrity || !ssri.parse(cacheIntegrity).match(remote.integrity)) {
       // eslint-disable-next-line yarn-internal/warn-language
       throw new MessageError('Incorrect integrity when fetching from the cache');
     }
   }
 
   if (remote.hash) {
-    if (!cacheRemote.hash || cacheRemote.hash !== remote.hash) {
+    if (!cacheHash || cacheHash !== remote.hash) {
       // eslint-disable-next-line yarn-internal/warn-language
       throw new MessageError('Incorrect integrity when fetching from the cache');
     }

diff --git a/src/types.js b/src/types.js
@@ -56,6 +56,7 @@ export type PackageRemote = {
   resolved?: ?string,
   hash: ?string,
   integrity?: ?string,
+  cacheIntegrity?: ?string,
   packageName?: string,
   registryRemote?: ?PackageRemote,
 };