Why did package-lock.json change the integrity hash from sha1 to sha512?

From what I can see, npm changed the integrity checksum from sha1 to sha512.

If your git changes are going from sha1 to sha512, you should do that update once and it will be good after that.

If someone else working with the codebase and sees a git change from sha512 down to sha1 (which is the issue I was having) you can fix it by running the following:

Discard the changes in git for package-lock.json

npm i -g npm
rm -rf node_modules/
npm i

This will update npm and reinstall all of your packages so that the new checksum (sha512) is present.


See also https://github.com/npm/npm/issues/17749 which although claims the issue is 'fixed', it isn't. Removing node_modules is a workaround.

There may be a relationship with operating systems. We're hitting this right now with developers on Linux and Windows platforms.


Building on what Dave answered. The fix i found was to do the following:

npm i -g npm

cd {working directory}
rm -rf node_modules/
rm package-lock.json
npm cache clear --force
npm i

We did this for all our developers at the same time and this stopped the sha-512 vs sha-1 issue which was causing frustrating merge conflicts.