This error occurs when npm downloads a package tarball and the calculated integrity hash (SHA-512) doesn't match the expected hash stored in package-lock.json. npm cryptographically verifies all downloaded packages to prevent installation of corrupted or tampered packages. The extraction process fails because npm detects that the tarball data has been modified, corrupted, or incompletely transmitted since the package-lock.json was created. This is a security feature designed to protect against compromised or corrupted packages. Unlike checksum errors in package-lock.json metadata (which fail before extraction), this error specifically means the tarball file itself was corrupted or modified after download.
Run npm's cache verification tool first as this often detects and fixes corrupted cache entries:
npm cache verify
This command garbage collects unneeded data and verifies the integrity of cached data. It's the least destructive fix.
If cache verification didn't work, force-clear all cached data:
npm cache clean --force
npm install
This removes all data from the cache directory. The fresh download will generate new integrity hashes.
If the error persists, delete the package-lock.json file and allow npm to regenerate it:
rm package-lock.json
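npm install
This forces npm to download all packages fresh and calculate new integrity hashes. Note: this may result in different dependency versions. It also discards the hashes the old lock file had pinned, so review the diff of the regenerated package-lock.json before committing it.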
For stubborn cases, perform a complete reset:
# Update npm to latest version
npm install -g npm@latest
# Remove node_modules and lock file
rm -rf node_modules package-lock.json
# Clear and verify cache
npm cache clean --force
npm cache verify
# Reinstall from scratch
npm install
Verify you're using a reliable registry:
npm config set registry https://registry.npmjs.org/
If using a private registry, verify it's not serving corrupted packages. Consider testing with the official registry first to isolate the problem.
Network issues can corrupt downloads, especially through corporate proxies:
# If behind a proxy, configure it:
npm config set proxy http://proxy-server:port
npm config set https-proxy http://proxy-server:port
If using a proxy with SSL inspection, you may need to add a CA certificate. Try switching networks or disabling VPN to test.
Chunked encoding vulnerability: npm versions 7-8 have a known bug where proxies using chunked transfer encoding can corrupt binary tarball data. Updating npm or disabling chunked encoding on the proxy may help.
Private registry considerations: Private npm registries sometimes cache corrupted packages or fail to invalidate cache entries when packages are republished. Clearing both the registry's cache and the local npm cache usually resolves this.
CI/CD environments: These environments often have isolated network paths, proxies, and cached registries. An EINTEGRITY error in CI but not locally suggests a network/proxy difference.
Security implications: While rare, this error could theoretically indicate a compromised registry or man-in-the-middle attack. If this occurs consistently for security-critical packages, verify the package source.
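To tell which package fails and whether the served bytes or the pinned hash is the odd one out, the check described above can be reproduced by hand. This is an added example, not npm's own code: fetchTarball, the registry.example URLs and the sample buffers are constructed assumptions standing in for real downloads.

```javascript
const nodeCrypto = require('node:crypto');

// Parse an SRI string ("sha512-<base64>", possibly several space-separated entries).
function parseIntegrity(integrity) {
  return integrity.trim().split(/\s+/).map((entry) => {
    const dash = entry.indexOf('-');
    if (dash < 1) throw new Error(`malformed integrity entry: ${entry}`);
    return { algorithm: entry.slice(0, dash), digest: entry.slice(dash + 1).split('?')[0] };
  });
}

// Hash the tarball bytes with the strongest algorithm listed and compare.
function verifyTarball(tarball, integrity) {
  const rank = ['sha1', 'sha256', 'sha384', 'sha512'];
  const entries = parseIntegrity(integrity).filter((e) => rank.includes(e.algorithm));
  if (entries.length === 0) throw new Error('no supported hash in integrity string');
  entries.sort((a, b) => rank.indexOf(b.algorithm) - rank.indexOf(a.algorithm));
  const { algorithm, digest: expected } = entries[0];
  const actual = nodeCrypto.createHash(algorithm).update(tarball).digest('base64');
  return { ok: actual === expected, algorithm, expected, actual };
}

// Check every pinned package in a lockfileVersion 2/3 "packages" map.
// fetchTarball(url) is a caller-supplied (hypothetical) function returning a Buffer.
function auditLock(lock, fetchTarball) {
  const failures = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!meta.integrity || !meta.resolved) continue; // root project, links
    const result = verifyTarball(fetchTarball(meta.resolved), meta.integrity);
    if (!result.ok) failures.push({ path, resolved: meta.resolved, ...result });
  }
  return failures;
}

// Constructed sample data: two stand-in "tarballs" and a lock file pinning them.
const sri = (buf) => 'sha512-' + nodeCrypto.createHash('sha512').update(buf).digest('base64');
const tarA = Buffer.from('constructed tarball bytes A');
const tarB = Buffer.from('constructed tarball bytes B');
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'demo' },
  'node_modules/a': { resolved: 'https://registry.example/a.tgz', integrity: sri(tarA) },
  'node_modules/b': { resolved: 'https://registry.example/b.tgz', integrity: sri(tarB) },
} };
// Simulate an intermediary delivering b.tgz truncated.
const served = { 'https://registry.example/a.tgz': tarA, 'https://registry.example/b.tgz': tarB.subarray(0, 10) };
const sampleFailures = auditLock(sampleLock, (url) => served[url]);
console.log(sampleFailures.map((f) => `${f.path}: ${f.algorithm} mismatch`));
```

If the same package fails from two different networks with the same actual hash, the registry copy differs from what the lock file pinned; if the actual hash changes between attempts, the transport is the more likely cause.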