The EINTEGRITY cacache error occurs when npm's content-addressable cache detects that a downloaded package's checksum doesn't match the expected hash. This typically results from corrupted cache, hash algorithm mismatches, or network interruptions.
The EINTEGRITY error is npm's way of protecting you from installing tampered or corrupted packages. npm uses the cacache library—a content-addressable cache that stores all downloaded packages with cryptographic checksums (typically SHA-512). When npm retrieves a package, it recalculates the hash and compares it to the expected value. If they don't match, npm rejects installation to prevent deploying potentially compromised code. The error specifically indicates a mismatch between: 1. The hash of the downloaded tarball 2. The hash in your local package-lock.json file 3. The hash from the npm registry This validation happens automatically in npm v5+, which made the cache self-healing but also more strict about integrity.
Run npm's built-in cache verification command:
npm cache verifyThis scans your cache for corrupted entries and removes them without clearing everything. After running this, try npm install again.
If cache verification didn't solve the problem, completely remove all cached data:
npm cache clean --force
npm installThis removes your entire cache (~/.npm/_cacache), so npm will need to re-fetch all packages.
Perform a complete clean reinstall:
rm -rf package-lock.json node_modules
npm cache clean --force
npm installThis regenerates package-lock.json from scratch with fresh integrity hashes.
Version mismatches can cause integrity errors:
npm install -g npm@latest
npm installThis is especially important if package-lock.json was created with a newer npm (SHA-512) but your local npm is older (SHA-1).
EINTEGRITY errors can be triggered by an out-of-sync system clock:
On Linux:
sudo ntpdate -s time.nist.govOn macOS/Windows:
Enable automatic date/time in system settings.
Ensure you're using a reliable npm registry:
npm config get registryIf it's not the official registry, switch to it:
npm config set registry https://registry.npmjs.org/Understanding cacache: npm's local cache (~/.npm/_cacache) uses content-addressing, where packages are stored by their hash. This allows npm to detect corruption—if a file's stored hash doesn't match its content, npm knows it's corrupt.
SHA-1 vs SHA-512: npm v5+ uses SHA-512 by default, but older versions used SHA-1. This causes mismatches when teams mix npm versions. The package-lock.json file stores these integrity strings.
Self-healing cache: The cache should never need clearing for security reasons—npm's design automatically refetches corrupted data. Persistent EINTEGRITY errors may indicate deeper issues: system time skew, ISP packet loss, or corporate proxies modifying traffic.
CI/CD: Ensure all agents use identical Node and npm versions to avoid lock file regeneration.
npm ERR! code E401 npm ERR! 401 Unauthorized - Token has expired
Token has expired - npm authentication failure
npm ERR! code EAI_NODATA npm ERR! errno EAI_NODATA npm ERR! getaddrinfo EAI_NODATA registry.npmjs.org
How to fix "npm ERR! code EAI_NODATA - getaddrinfo EAI_NODATA"
npm ERR! code EMPTYPACKAGE npm ERR! Package contains no files
How to fix 'npm ERR! code EMPTYPACKAGE' - Package contains no files
npm ERR! code EWORKSPACEMISSING npm ERR! Workspace does not exist: packages/missing
How to fix "npm ERR! code EWORKSPACEMISSING - Workspace does not exist" error
npm ERR! code EADDRNOTAVAIL npm ERR! errno EADDRNOTAVAIL npm ERR! Address not available
How to fix "npm ERR! code EADDRNOTAVAIL - Address not available" error