feat(checksums): add integrity field with sha512 authentication to yarn.lock (#5042)

* test(fixtures): adjust yarn.lock and snapshots with integrity field as needed

* test(integrity): adjust existing cases to integrity field authentication

* test(fixtures): integrity field authentication cases

* test(integrity): integration and unit tests for the lockfile integrity field

* chore(deps): add ssri module

* feat(checksums): add integrity field with sha512 authentication to yarn.lock

* test(integrity): additional sri string options

* fix(checksums): better error when algorithms are not supported

* fix(checksums): proper error message for bad hash in node <= 6

* chore(integrity): fixed new flow issues

* test(integrity): adjust additional test case

* test(fixtures): additional integrity field authentication cases

* fix(integrity): update integrity for offline-mirror cases

* style(integrity): clarify conditional for flow

* fix(integrity): throw sync error rather than rejecting it

* Update yarn.lock with new integrity field

* Upgrade ssri

* Use the latest version of the SSRI package

* Optimize integrity matching from lockfile a bit

* Refactor digest support determination

* test(error): fixed expected error wording

* fix(checksum): fail validation on malformed hash or integrity

* fix(test): verify integrity failure on malformed integrity string

* test(fixtures): add install auth malformed integrity fixture

* chore(deps): update dependency eslint-config-fb-strict to ^22.0.0 (#5570)

**Summary**

This Pull Request updates dependency eslint-config-fb-strict from ^20.1.0-delta.3 to ^22.0.0

**Test plan**

`yarn lint` should pass.

* chore(jest): Upgrade Jest flow types (#5573)

**Summary**

Follow up to #5569.

**Test plan**

`yarn lint` should pass without errors.

* ci(appveyor): Fix AppVeyor tests (#5574)

* ci(appveyor): Fix AppVeyor tests

**Summary**

Jest 22.4.x mocks the process object without a proper stub for `process.mainModule`. In our
lifecycle code, we try to set `env.npm_execpath` when it is not defined by using
`process.mainModule.filename`. When running tests on AppVeyor, we run Jest directly, thus we don't
have `env.npm_execpath` set, triggering the `process.mainModule` code path which is also not set,
causing tests to fail.

**Test plan**

AppVeyor builds should pass.

* Fix tests

* Add missing package cache

* Bring --update-checksums back

* Fix tests

* Bring --update-checksums back

* Fix Flow error

* Fix error w/ updateChecksums

* Update ssri semver in package.json

* Stabilize TarballFetcher.fetch tests

* Moar test fixes

* test(update-checksums): make sure the flag works when integrity is malformed

* fix(updateChecksums): minor issues and edge cases

* Revert unrelated change

 ahead of 'imsnif/master' by 1 commit.

* Slight refactor in lockfile parser

* test(fixtures): update integrity and dep versions

* fix(checksums): create integrity when importing from node_modules

* test(fixtures): add integrity field to expected yarn.lock

* Fixes error reporting

* Fixes error reporting

* Fixes tests

Author: imsnif

__tests__/__snapshots__/fetchers.js.snap

@@ -65,10 +65,10 @@ test.concurrent('adding to the workspace root should preserve workspace packages
     expect(pkg.dependencies).toEqual({'left-pad': '1.1.3', 'max-safe-integer': '1.0.0'});
 
     const lockfile = explodeLockfile(await fs.readFile(path.join(config.cwd, 'yarn.lock')));
-    expect(lockfile).toHaveLength(15);
+    expect(lockfile).toHaveLength(20);
     expect(lockfile.indexOf('[email protected]:')).toEqual(0);
-    expect(lockfile.indexOf('[email protected]:')).toEqual(3);
-    expect(lockfile.indexOf('[email protected]:')).toEqual(6);
+    expect(lockfile.indexOf('[email protected]:')).toEqual(4);
+    expect(lockfile.indexOf('[email protected]:')).toEqual(8);
   });
 });
 
@@ -107,6 +107,28 @@ test.concurrent('adds any new package to the current workspace, but install from
   });
 });
 
+test.concurrent('add creates an entry with a sha512 integrity field', () => {
+  return runAdd(['[email protected]'], {}, 'add-integrity-sha512', async config => {
+    const lockfile = explodeLockfile(await fs.readFile(path.join(config.cwd, 'yarn.lock')));
+    expect(
+      lockfile[3].indexOf(
+        'integrity sha512-kKvNJn6Mm93gAczWVJg7wH+wGYWNrDHdWvpUmHyEsgCtIwwo3bqPtV4tR5tuPaUhTOo/kvhVwd8XwwOllGYkbg==',
+      ),
+    ).toEqual(2);
+    expect(lockfile[2].indexOf('#893312af69b2123def71f57889001671eeb2c853"')).toBeGreaterThan(0);
+    // backwards compatibility
+  });
+});
+
+test.concurrent('add creates an entry with a sha1 integrity field when sha512 is unavailable', () => {
+  return runAdd(['[email protected]'], {}, 'add-integrity-sha1', async config => {
+    const lockfile = explodeLockfile(await fs.readFile(path.join(config.cwd, 'yarn.lock')));
+    expect(lockfile[3].indexOf('integrity sha1-R6La9YHt5FQzTe5sYDbK4A2RLk0=')).toEqual(2);
+    expect(lockfile[2].indexOf('#47a2daf581ede454334dee6c6036cae00d912e4d')).toBeGreaterThan(0);
+    // backwards compatibility
+  });
+});
+
 test.concurrent('install with arg', async () => {
   await runAdd(['is-online'], {}, 'install-with-arg');
 });
@@ -288,7 +310,7 @@ test.concurrent('add should ignore cache', async () => {
 
     const lockFileWritten = await fs.readFile(path.join(config.cwd, 'yarn.lock'));
     const lockFileLines = explodeLockfile(lockFileWritten);
-    expect(lockFileLines).toHaveLength(3);
+    expect(lockFileLines).toHaveLength(4);
     expect(lockFileLines[0]).toEqual('[email protected]:');
     expect(lockFileLines[2]).toMatch(
       /resolved "https:\/\/registry\.yarnpkg\.com\/left-pad\/-\/left-pad-1\.1\.0\.tgz#[a-f0-9]+"/,
@@ -378,9 +400,9 @@ test.concurrent('install --initMirror should add init mirror deps from package.j
 
     const lockFileContent = await fs.readFile(path.join(config.cwd, 'yarn.lock'));
     const lockFileLines = explodeLockfile(lockFileContent);
-    expect(lockFileLines).toHaveLength(8);
+    expect(lockFileLines).toHaveLength(10);
     expect(lockFileLines[0].indexOf('mime-db@')).toEqual(0);
-    expect(lockFileLines[3].indexOf('[email protected]')).toEqual(0);
+    expect(lockFileLines[4].indexOf('[email protected]')).toEqual(0);
   });
 });
 
@@ -410,7 +432,7 @@ test.concurrent('add with new dependency should be deterministic', async () => {
       const lockFileWritten = await fs.readFile(path.join(config.cwd, 'yarn.lock'));
       const lockFileLines = explodeLockfile(lockFileWritten);
 
-      expect(lockFileLines).toHaveLength(11);
+      expect(lockFileLines).toHaveLength(14);
       expect(lockFileLines.indexOf('mime-db@~1.0.1:')).toBeGreaterThanOrEqual(0);
       expect(lockFileLines.indexOf('[email protected]:')).toBeGreaterThanOrEqual(0);
       expect(lockFileLines.indexOf('[email protected]:')).toBeGreaterThanOrEqual(0);
@@ -449,7 +471,7 @@ test.concurrent('add with new dependency should be deterministic 2', async () =>
       const lockFileWritten = await fs.readFile(path.join(config.cwd, 'yarn.lock'));
       const lockFileLines = explodeLockfile(lockFileWritten);
       // see why we don't cleanup lockfile https://github.com/yarnpkg/yarn/issues/79
-      expect(lockFileLines).toHaveLength(11);
+      expect(lockFileLines).toHaveLength(14);
 
       const mirror = await fs.walk(path.join(config.cwd, mirrorPath));
       expect(mirror).toHaveLength(3);
@@ -556,7 +578,7 @@ test.concurrent('upgrade scenario', async () => {
 
     const lockFileWritten = await fs.readFile(path.join(config.cwd, 'yarn.lock'));
     const lockFileLines = explodeLockfile(lockFileWritten);
-    expect(lockFileLines).toHaveLength(3);
+    expect(lockFileLines).toHaveLength(4);
     expect(lockFileLines[0]).toEqual('[email protected]:');
     expect(lockFileLines[2]).toMatch(
       /resolved "https:\/\/registry\.yarnpkg\.com\/left-pad\/-\/left-pad-0\.0\.9\.tgz#[a-f0-9]+"/,
@@ -578,7 +600,7 @@ test.concurrent('upgrade scenario', async () => {
 
     const lockFileWritten2 = await fs.readFile(path.join(config.cwd, 'yarn.lock'));
     const lockFileLines2 = explodeLockfile(lockFileWritten2);
-    expect(lockFileLines2).toHaveLength(3);
+    expect(lockFileLines2).toHaveLength(4);
     expect(lockFileLines2[0]).toEqual('[email protected]:');
     expect(lockFileLines2[2]).toMatch(
       /resolved "https:\/\/registry\.yarnpkg\.com\/left-pad\/-\/left-pad-1.1.0.tgz#[a-f0-9]+"/,
@@ -613,8 +635,8 @@ test.concurrent('upgrade scenario 2 (with sub dependencies)', async () => {
       expect(lockFileLines[0]).toEqual('mime-db@~1.23.0:');
       expect(lockFileLines[2]).toMatch(/resolved "https:\/\/registry\.yarnpkg\.com\/mime-db\/-\/mime-db-/);
 
-      expect(lockFileLines[3]).toEqual('[email protected]:');
-      expect(lockFileLines[5]).toMatch(
+      expect(lockFileLines[4]).toEqual('[email protected]:');
+      expect(lockFileLines[6]).toMatch(
         /resolved "https:\/\/registry\.yarnpkg\.com\/mime-types\/-\/mime-types-2\.1\.11\.tgz#[a-f0-9]+"/,
       );
 
@@ -665,7 +687,7 @@ test.concurrent('downgrade scenario', async () => {
     const mirrorPath = 'mirror-for-offline';
     const lockFileWritten = await fs.readFile(path.join(config.cwd, 'yarn.lock'));
     const lockFileLines = explodeLockfile(lockFileWritten);
-    expect(lockFileLines).toHaveLength(3);
+    expect(lockFileLines).toHaveLength(4);
     expect(lockFileLines[0]).toEqual('[email protected]:');
     expect(lockFileLines[2]).toMatch(
       /resolved "https:\/\/registry\.yarnpkg\.com\/left-pad\/-\/left-pad-1\.1\.0\.tgz#[a-f0-9]+"/,
@@ -686,7 +708,7 @@ test.concurrent('downgrade scenario', async () => {
 
     const lockFileWritten2 = await fs.readFile(path.join(config.cwd, 'yarn.lock'));
     const lockFileLines2 = explodeLockfile(lockFileWritten2);
-    expect(lockFileLines2).toHaveLength(3);
+    expect(lockFileLines2).toHaveLength(4);
     expect(lockFileLines2[0]).toEqual('[email protected]:');
     expect(lockFileLines2[2]).toMatch(
       /resolved "https:\/\/registry\.yarnpkg\.com\/left-pad\/-\/left-pad-0\.0\.9\.tgz#[a-f0-9]+"/,

__tests__/commands/add.js

@@ -1,18 +1,3 @@
 // Jest Snapshot v1, https://goo.gl/fbAQLP
 
-exports[`don't install with file: protocol as default if target is valid semver: install-file-as-default-no-semver 1`] = `
-"{
-  \\"author\\": \\"AJ ONeal <[email protected]> (http://coolaj86.info)\\",
-  \\"name\\": \\"foo\\",
-  \\"description\\": \\"A test module with no \`main\`, \`lib\`, or \`dependencies\` specified\\",
-  \\"version\\": \\"1.0.0\\",
-  \\"repository\\": {
-    \\"type\\": \\"git\\",
-    \\"url\\": \\"git://github.com/coolaj86/node-pakman.git\\"
-  },
-  \\"engines\\": {
-    \\"node\\": \\">= v0.2\\"
-  }
-}
-"
-`;
+exports[`install should authenticate integrity field with combined sha1 and sha512 checksums: integrity stable 1`] = `"  integrity \\"sha1-iTMSr2myEj3vcfV4iQAWce6yyFM= sha512-kKvNJn6Mm93gAczWVJg7wH+wGYWNrDHdWvpUmHyEsgCtIwwo3bqPtV4tR5tuPaUhTOo/kvhVwd8XwwOllGYkbg==\\""`;