This error occurs when npm downloads a package tarball and the calculated integrity hash doesn't match the expected hash stored in package-lock.json. npm cryptographically verifies all downloaded packages to prevent installation of corrupted or tampered packages.
This error occurs when npm downloads a package tarball and the calculated integrity hash (SHA-512) doesn't match the expected hash stored in package-lock.json. npm cryptographically verifies all downloaded packages to prevent installation of corrupted or tampered packages. The extraction process fails because npm detects that the tarball data has been modified, corrupted, or incompletely transmitted since the package-lock.json was created. This is a security feature designed to protect against compromised or corrupted packages. Unlike checksum errors in package-lock.json metadata (which fail before extraction), this error specifically means the tarball file itself is corrupted or modified after download.
Run npm's cache verification tool first as this often detects and fixes corrupted cache entries:
npm cache verifyThis command garbage collects unneeded data and verifies the integrity of cached data. It's the least destructive fix.
If cache verification didn't work, force-clear all cached data:
npm cache clean --force
npm installThis removes all data from the cache directory. The fresh download will generate new integrity hashes.
If the error persists, delete the package-lock.json file and allow npm to regenerate it:
rm package-lock.json
npm installThis forces npm to download all packages fresh and calculate new integrity hashes. Note: this may result in different dependency versions.
For stubborn cases, perform a complete reset:
# Update npm to latest version
npm install -g npm@latest
# Remove node_modules and lock file
rm -rf node_modules package-lock.json
# Clear and verify cache
npm cache clean --force
npm cache verify
# Reinstall from scratch
npm installVerify you're using a reliable registry:
npm config set registry https://registry.npmjs.org/If using a private registry, verify it's not serving corrupted packages. Consider testing with the official registry first to isolate the problem.
Network issues can corrupt downloads, especially through corporate proxies:
# If behind a proxy, configure it:
npm config set proxy http://proxy-server:port
npm config set https-proxy http://proxy-server:portIf using a proxy with SSL inspection, you may need to add a CA certificate. Try switching networks or disabling VPN to test.
Chunked encoding vulnerability: npm versions 7-8 have a known bug where proxies using chunked transfer encoding can corrupt binary tarball data. Updating npm or disabling chunked encoding on the proxy may help.
Private registry considerations: Private npm registries sometimes cache corrupted packages or fail to invalidate cache entries when packages are republished. Clearing both the registry's cache and the local npm cache usually resolves this.
CI/CD environments: These environments often have isolated network paths, proxies, and cached registries. An EINTEGRITY error in CI but not locally suggests a network/proxy difference.
Security implications: While rare, this error could theoretically indicate a compromised registry or man-in-the-middle attack. If this occurs consistently for security-critical packages, verify the package source.
npm ERR! code ENOAUDIT npm ERR! Audit endpoint not supported
How to fix "npm ERR! code ENOAUDIT - Audit endpoint not supported"
npm ERR! code EBADDEVENGINES npm ERR! devEngines.runtime incompatible with current node version
How to fix "npm ERR! code EBADDEVENGINES - devEngines.runtime incompatible with current node version"
npm ERR! code ETOOMANYARGS npm ERR! Too many arguments
How to fix "npm ERR! code ETOOMANYARGS - Too many arguments"
npm ERR! code EINVALIDTAGNAME npm ERR! Invalid tag name: tag names cannot contain spaces
How to fix "npm ERR! code EINVALIDTAGNAME - tag names cannot contain spaces"
npm ERR! code E400 npm ERR! 400 Bad Request
How to fix "npm ERR! code E400 - 400 Bad Request" error