Currently, yarn berry could be downloaded as two form, tar or js, depending on whether COREPACK_NPM_REGISTRY is set. However, the hash validation step simply calculates the shasum of download stream, and obviously the hashes mismatch.
For example, shasums for yarn 4.1.1 are:
61b9f63c5edc625867eeda36190a4efebdf7840052db5f6583e301a9d228eb43 cli-dist-4.1.1.tgz
f3cc0eda8e5560e529c7147565b30faa43b4e472d90e8634d7134a37c7f59781 yarn.js
Reproduce steps:
- Call
corepack use yarn@4.1.1 without COREPACK_NPM_REGISTRY being set. Hash will be written to package.json
"packageManager": "yarn@4.1.1+sha256.f3cc0eda8e5560e529c7147565b30faa43b4e472d90e8634d7134a37c7f59781"
- Copy the project to an environment where
COREPACK_NPM_REGISTRY is set.
- Call
corepack yarn, following error will be thrown:
Internal Error: Mismatch hashes. Expected f3cc0eda8e5560e529c7147565b30faa43b4e472d90e8634d7134a37c7f59781, got 61b9f63c5edc625867eeda36190a4efebdf7840052db5f6583e301a9d228eb43
Currently, yarn berry could be downloaded as two form, tar or js, depending on whether
COREPACK_NPM_REGISTRYis set. However, the hash validation step simply calculates the shasum of download stream, and obviously the hashes mismatch.For example, shasums for yarn 4.1.1 are:
Reproduce steps:
corepack use yarn@4.1.1withoutCOREPACK_NPM_REGISTRYbeing set. Hash will be written topackage.jsonCOREPACK_NPM_REGISTRYis set.corepack yarn, following error will be thrown: