
Disable integrity check for local dependency in package-lock.json

How can I disable the integrity check for a local dependency in package-lock.json?

In my repository, I have a base library as well as two Angular apps which both use my base library as a dependency.

Unfortunately, the integrity sha512 of the base library is different with every build, and npm fails installing the dependencies.

This is what it outputs:

npm ERR! code EINTEGRITY
npm ERR! Verification failed while extracting @me/base-library@file:../lib/me-base-library-1.0.0.tgz:
npm ERR! Verification failed while extracting @me/base-library@file:../lib/me-base-library-1.0.0.tgz:
npm ERR! Integrity check failed:
npm ERR!   Wanted: sha512-(...)
npm ERR!    Found: sha512-(...)

Excerpt from “package-lock.json”:

"@me/base-library": {
  "version": "file:../lib/me-base-library-1.0.0.tgz",
  "integrity": "sha512-(...)" // <- different with every build
}

Is there any way to disable integrity checks for local dependencies?


Answer

I could fix the issue by referencing the directory of my library instead of the TGZ file. npm and yarn (both tested) do not generate integrity hashes for folders, only for files. In my package.json files of the Angular apps, I have just changed "@me/base-library": "file:../lib/me-base-library-1.0.0.tgz" into "@me/base-library": "file:../lib".

Additionally, I had to add some properties to the package.json file of the base library:

  "main": "lib/bundles/me-base-library.umd.js",
  "module": "lib/fesm2015/me-base-library.js",
  "es2015": "lib/fesm2015/me-base-library.js",
  "esm2015": "lib/esm2015/me-base-library.js",
  "fesm2015": "lib/fesm2015/me-base-library.js",
  "typings": "lib/me-base-library.d.ts"
User contributions licensed under: CC BY-SA