The 'Invalid tar file' error occurs when npm fails to extract a downloaded package because the tar archive is corrupted, incomplete, or in an unrecognized format. This typically happens during npm install when a package download was interrupted or the cache contains damaged files.
The "Invalid tar file" error occurs when npm fails to extract a downloaded package because the tar archive is corrupted, incomplete, or in an unrecognized format. This typically happens during the npm install process when npm downloads a package from the registry, caches it, and attempts to extract it into node_modules. The tar archive may be damaged due to network interruptions, corrupted cache, checksum mismatches, or registry issues. npm uses the tar package internally to handle gzip decompression and archive extraction. When downloading a package, npm performs an integrity check by comparing the downloaded file's SHA-512 hash against the value in package-lock.json. If hashes don't match or the archive header is malformed, extraction fails.
Remove all cached .tar.gz files and corrupt metadata:
npm cache clean --forceThis forces npm to re-download packages fresh on next install. If you prefer verification first, use:
npm cache verifyRemove both package-lock.json and the node_modules directory to eliminate stale references:
rm -rf node_modules package-lock.jsonOn Windows:
rmdir /S /Q node_modules
del package-lock.jsonRun npm install to download all packages fresh and recreate the lock file:
npm installWatch for any tar errors that reappear—they'll help identify which specific package is problematic.
Ensure you're running the latest stable versions:
npm install -g npm@latestUpdate Node.js via https://nodejs.org. Older versions have known tar extraction bugs that have been fixed in recent releases.
Check your internet connection by visiting https://registry.npmjs.org/ in a browser. If behind a corporate proxy or firewall, temporarily disable them to test.
Run with verbose output to see detailed download progress:
npm install --verboseVerify you have sufficient free disk space:
# macOS/Linux
df -h
# Windows
dir C:\Package extraction needs temp space. If low on space, free up disk and retry.
If errors persist, note which specific package fails from verbose output. Try installing just that package:
npm install <package-name>@<version>Report the issue on that package's GitHub repo if it consistently fails.
Chunked encoding bug: Some npm registry proxies and older npm versions (< v7.20) have issues with HTTP chunked-transfer-encoding, causing partial downloads that appear valid but are actually truncated. Upgrading to npm 9.x+ and Node 16+ largely resolves this.
Private registry considerations: Private registries (Verdaccio, npm Enterprise, Artifactory) may serve corrupted tarballs if misconfigured. Test with curl to verify the registry can serve tarballs cleanly.
Caching strategy: npm v5+ uses "smart cache" that self-heals corruption, but aggressive caching across CI/CD environments can preserve corrupted files. Always use npm ci --prefer-offline in CI for more reproducible builds.
npm notice access token expired or revoked. Please try logging in again.
Token has expired - npm authentication failure
npm ERR! code EAI_AGAIN
How to fix "EAI_AGAIN" in npm
npm error code E403 npm error 403 Forbidden - PUT https://registry.npmjs.org/<package>
How to fix 'E403 Forbidden' error in npm
npm ERR! code EUSAGE npm ERR! Usage error
How to fix "npm ERR! code EUSAGE" in Node.js projects
npm ERR! code E401 npm ERR! 401 Unauthorized
How to fix "E401 Unauthorized" in npm