Module integrity

Subresource-Integrity verification of downloaded tarballs.

npm pins each tarball’s sha512-<base64> digest — in a package-lock.json and in the registry’s dist.integrity. verify checks the downloaded bytes against it before they are trusted, exactly as npm install / npm ci do. An integrity string with no sha512 component is an error: we never install unverified.

Functions

verify
Verify bytes against a Subresource-Integrity string (sha512-<base64>, possibly several space-separated algorithms — we require and check the sha512 one). name is for messages.
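The check described in the module description and in `verify` above, sketched in Python as an added example; it is not this crate's code. The names `verify_sri`, `sha512_digests`, `sri` and `IntegrityError`, the argument order, and accepting a match on any sha512 entry when several are present are assumptions.

```python
import base64
import binascii
import hashlib
import hmac


class IntegrityError(Exception):
    """The bytes could not be verified against the integrity string."""


def sha512_digests(integrity):
    """Decode every sha512 entry of a space-separated SRI string."""
    digests = []
    for entry in integrity.split():
        algo, sep, rest = entry.partition("-")
        if not sep or algo.lower() != "sha512":
            continue  # sha1, sha256, ... entries are not what we check
        b64 = rest.split("?", 1)[0]  # SRI permits "?options" after the digest
        try:
            raw = base64.b64decode(b64, validate=True)
        except binascii.Error as exc:
            raise IntegrityError("malformed sha512 entry") from exc
        if len(raw) != hashlib.sha512().digest_size:
            raise IntegrityError("sha512 entry is not 64 bytes")
        digests.append(raw)
    return digests


def verify_sri(name, data, integrity):
    """Raise IntegrityError unless data matches (argument order is assumed)."""
    expected = sha512_digests(integrity)
    if not expected:
        raise IntegrityError(f"{name}: no sha512 in {integrity!r}, refusing")
    actual = hashlib.sha512(data).digest()
    if not any(hmac.compare_digest(actual, d) for d in expected):
        raise IntegrityError(f"{name}: sha512 mismatch")


def sri(algo, data):
    """Build an SRI entry for constructed sample data."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


# Constructed sample input: stand-in bytes, not a real npm tarball.
TARBALL = b"constructed tarball bytes"
GOOD = f"{sri('sha1', TARBALL)} {sri('sha512', TARBALL)}"
verify_sri("demo-pkg", TARBALL, GOOD)  # passes silently
```

A sha1-only integrity string fails here even when the sha1 digest matches, which is the "never install unverified" behaviour the module description states.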