integrity in yarn.lock

Mar 19, 2020 · 1 min read · 120 Words

When committing code you may notice diffs in yarn.lock that add or remove integrity fields. Here's a quick rundown of what that field is.

Purpose

The field ensures the integrity of the downloaded resource (package version and content). After Yarn downloads a package, it compares the integrity computed from the downloaded bytes with the value recorded in yarn.lock; if they don't match, the install fails.

How is integrity computed?

Typically: hash the downloaded bytes, then base64-encode the digest.
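The two steps above, written out as an added example (not code from the original post or from Yarn itself): compute_integrity produces the "<algorithm>-<base64 digest>" form that the integrity field uses, and verify_integrity recomputes it from the downloaded bytes and treats a mismatch, an unknown algorithm or a malformed value as a failure. The tarball bytes are constructed for the demonstration.

```python
import base64
import hashlib
import hmac

# Constructed sample: stands in for the bytes of a downloaded package tarball.
TARBALL_BYTES = b"constructed tarball contents, not a real package\n"


def compute_integrity(data: bytes, algorithm: str = "sha512") -> str:
    """Hash the bytes and base64-encode the digest, giving '<algorithm>-<base64>'."""
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_integrity(data: bytes, expected: str) -> bool:
    """Recompute the integrity of `data` and compare it with the recorded value.

    Returns False for a mismatch, an unknown algorithm or a malformed value,
    so every one of those conditions can be treated as an installation failure.
    """
    algorithm, sep, encoded = expected.partition("-")
    if not sep or not encoded:
        return False  # no '<algorithm>-<digest>' separator
    if algorithm not in hashlib.algorithms_available:
        return False  # algorithm we cannot recompute
    try:
        expected_digest = base64.b64decode(encoded, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False  # digest is not valid base64
    actual_digest = hashlib.new(algorithm, data).digest()
    # Constant-time comparison of the two raw digests.
    return hmac.compare_digest(actual_digest, expected_digest)


if __name__ == "__main__":
    recorded = compute_integrity(TARBALL_BYTES)
    print("recorded in lockfile:", recorded)
    print("pristine download verifies:", verify_integrity(TARBALL_BYTES, recorded))
    print("tampered download verifies:", verify_integrity(TARBALL_BYTES + b"x", recorded))
```

Running the file prints the recorded value, then True for the pristine bytes and False once a single byte is appended; any edit to the tarball after the lockfile was written shows up the same way.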

Why isn’t it on every package?

In theory, it should be present for every package.

v1.9.4

Reproduced at the time with Yarn v1.9.4: after deleting yarn.lock and running yarn install, some packages still had no integrity field.

v1.22.4

After upgrading to v1.22.4 and repeating the same steps, every package had an integrity field.
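The check used in both version experiments above (regenerate the lockfile, then look for packages without an integrity field), as an added example that is not part of the original post and not Yarn's own code. It assumes the yarn v1 lockfile layout: an unindented entry key line ending in ":", fields indented by two spaces, nested blocks such as dependencies indented further. The sample lockfile text, its package names, URLs and hash values are all constructed placeholders.

```python
import sys

# Constructed sample in yarn v1 lockfile layout. Package names, URLs and hash
# values are placeholders, not real packages or real digests.
SAMPLE_LOCKFILE = """\
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"example-pkg-a@^1.0.0":
  version "1.0.2"
  resolved "https://registry.example.invalid/example-pkg-a/-/example-pkg-a-1.0.2.tgz#0000000000000000000000000000000000000000"
  integrity sha512-PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER==

example-pkg-b@^2.0.0, example-pkg-b@~2.1.0:
  version "2.1.4"
  resolved "https://registry.example.invalid/example-pkg-b/-/example-pkg-b-2.1.4.tgz#1111111111111111111111111111111111111111"
  dependencies:
    example-pkg-a "^1.0.0"

example-pkg-c@^3.0.0:
  version "3.0.0"
  resolved "https://registry.example.invalid/example-pkg-c/-/example-pkg-c-3.0.0.tgz#2222222222222222222222222222222222222222"
  integrity sha1-PLACEHOLDERPLACEHOLDERPLACEH
"""


def parse_lockfile(text: str) -> dict:
    """Return {entry_key: {field: value}} for each top-level entry.

    Assumed layout: an unindented key line ending in ':', then fields indented
    by exactly two spaces; deeper blocks such as `dependencies:` are skipped.
    """
    entries = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        if not line.startswith(" "):
            # Top-level key line, e.g. '"pkg@^1.0.0":' or 'pkg@^1, pkg@^2:'
            current = line[:-1].strip().strip('"') if line.endswith(":") else None
            if current is not None:
                entries[current] = {}
            continue
        if current is None or line.startswith("   "):
            continue  # nested block contents (three or more spaces)
        field = line.strip()
        if field.endswith(":"):
            continue  # start of a nested block such as `dependencies:`
        name, _, value = field.partition(" ")
        entries[current][name] = value.strip().strip('"')
    return entries


def find_missing_integrity(text: str) -> list:
    """Entry keys that carry no integrity field at all."""
    return sorted(key for key, fields in parse_lockfile(text).items()
                  if "integrity" not in fields)


def integrity_algorithms(text: str) -> dict:
    """Map each entry key to the hash algorithm named in its integrity value."""
    return {key: fields["integrity"].partition("-")[0]
            for key, fields in parse_lockfile(text).items() if "integrity" in fields}


if __name__ == "__main__":
    # Pass a real yarn.lock path to audit it; with no argument the sample is used.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LOCKFILE
    missing = find_missing_integrity(text)
    for key in missing:
        print("missing integrity:", key)
    for key, algorithm in integrity_algorithms(text).items():
        if algorithm != "sha512":
            print(f"integrity weaker than sha512 ({algorithm}):", key)
    sys.exit(1 if missing else 0)
```

Run against a freshly generated yarn.lock, the script lists every entry that would install without any integrity check and exits non-zero, which makes it usable as a CI gate; it also flags entries whose integrity uses an algorithm other than sha512 so they can be reviewed separately.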

Conclusion

A bug in that Yarn version; upgrading Yarn resolves it.

Authors
Developer, digital product enthusiast, tinkerer, sharer, open source lover