Build error with yarn

Hi,

On my site https://bakino.netlify.app I get a build error with yarn telling me “Integrity check failed for gsap”, as shown below. I’ve tried clearing the cache on Netlify, deleting my site on Netlify and creating a new one, deleting node_modules/yarn.lock files locally and commit new files to github, but I still get the same error.

Everything works fine locally on my computer when running the site, and building it.
What more can I try?

9:41:25 PM: Build ready to start
9:41:28 PM: build-image version: 3031d4c9e432fd7016f6279fc9ad706f9205d845
9:41:28 PM: build-image tag: v3.3.17
9:41:28 PM: buildbot version: 1f35b3abd6e2bf5230d8edf68072840fdec1513f
9:41:28 PM: Fetching cached dependencies
9:41:29 PM: Failed to fetch cache, continuing with build
9:41:29 PM: Starting to prepare the repo for build
9:41:29 PM: No cached dependencies found. Cloning fresh repo
9:41:29 PM: git clone https://github.com/danielhult/prismic-bakino
9:41:30 PM: Preparing Git Reference refs/heads/master
9:41:31 PM: Starting build script
9:41:31 PM: Installing dependencies
9:41:31 PM: Python version set to 2.7
9:41:32 PM: v12.18.0 is already installed.
9:41:33 PM: Now using node v12.18.0 (npm v6.14.4)
9:41:33 PM: Started restoring cached build plugins
9:41:33 PM: Finished restoring cached build plugins
9:41:33 PM: Attempting ruby version 2.7.1, read from environment
9:41:34 PM: Using ruby version 2.7.1
9:41:35 PM: Using PHP version 5.6
9:41:35 PM: 5.2 is already installed.
9:41:35 PM: Using Swift version 5.2
9:41:35 PM: Started restoring cached node modules
9:41:35 PM: Finished restoring cached node modules
9:41:35 PM: Started restoring cached yarn cache
9:41:35 PM: Finished restoring cached yarn cache
9:41:35 PM: Installing yarn at version 1.22.4
9:41:35 PM: Installing Yarn!
9:41:35 PM: > Downloading tarball...
9:41:35 PM: [1/2]: https://yarnpkg.com/downloads/1.22.4/yarn-v1.22.4.tar.gz --> /tmp/yarn.tar.gz.V7EmEvaFfp
9:41:35 PM:   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
9:41:35 PM:                                  Dload  Upload   Total   Spent    Left  Speed
9:41:35 PM:   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
9:41:35 PM: 100    80  100    80    0     0    257      0 --:--:-- --:--:-- --:--:--   258
9:41:36 PM: 100    93  100    93    0     0    149      0 --:--:-- --:--:-- --:--:--   149
9:41:36 PM:   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
9:41:36 PM: 100   630  100   630    0     0    714      0 --:--:-- --:--:-- --:--:--  3841
9:41:36 PM: 100 1215k  100 1215k    0     0   913k      0  0:00:01  0:00:01 --:--:--  913k
9:41:36 PM: [2/2]: https://yarnpkg.com/downloads/1.22.4/yarn-v1.22.4.tar.gz.asc --> /tmp/yarn.tar.gz.V7EmEvaFfp.asc
9:41:37 PM: 100    84  100    84    0     0   3082      0 --:--:-- --:--:-- --:--:--  3082
9:41:37 PM: 100    97  100    97    0     0   1633      0 --:--:-- --:--:-- --:--:--  1633
9:41:37 PM: 100   634  100   634    0     0   6727      0 --:--:-- --:--:-- --:--:--  6727
9:41:37 PM: 100  1028  100  1028    0     0   7648      0 --:--:-- --:--:-- --:--:--  7648
9:41:37 PM: > Verifying integrity...
9:41:37 PM: gpg: Signature made Mon 09 Mar 2020 03:52:13 PM UTC using RSA key ID 69475BAA
9:41:37 PM: gpg: Good signature from "Yarn Packaging <yarn@dan.cx>"
9:41:37 PM: gpg: WARNING: This key is not certified with a trusted signature!
9:41:37 PM: gpg:          There is no indication that the signature belongs to the owner.
9:41:37 PM: Primary key fingerprint: 72EC F46A 56B4 AD39 C907  BBB7 1646 B01B 86E5 0310
9:41:37 PM:      Subkey fingerprint: 6D98 490C 6F1A CDDD 448E  4595 4F77 6793 6947 5BAA
9:41:37 PM: > GPG signature looks good
9:41:37 PM: > Extracting to ~/.yarn...
9:41:37 PM: > Adding to $PATH...
9:41:37 PM: > Successfully installed Yarn 1.22.4! Please open another terminal where the `yarn` command will now be available.
9:41:38 PM: Installing NPM modules using Yarn version 1.22.4
9:41:38 PM: yarn install v1.22.4
9:41:38 PM: [1/4] Resolving packages...
9:41:39 PM: [2/4] Fetching packages...
9:41:44 PM: error Integrity check failed for "gsap" (computed integrity doesn't match our records, got "sha512-VdWxlEPG4JM4OdjYv6Nm0cqCM1uaGHqU4tu5FoiVHUup66NLZiOYb1XVptNejhceWeyLyfnJ9yZhG9iQj6XGCQ== sha1-C01Qr7vcbeF7s6q2+kzXo2lgAD4=")info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.
9:41:56 PM: Failed during stage 'building site': Build script returned non-zero exit code: 1
9:41:56 PM: Error during Yarn install
9:41:56 PM: Error running command: Build script returned non-zero exit code: 1
9:41:56 PM: Failing build: Failed to build site
9:41:57 PM: Finished processing build request in 29.09248685s

hmm, this is a weird one. My best guess is that the dependency (that isn’t hosted on netlify) was somehow corrupted between you building locally and trying to build on netlify.

can you tell which dependency this is regarding?

It’s the “gsap” dependency that’s throwing the error.
If it helps it’s a .tgz file that I install using yarn.

@perry Any ideas on what I can try?

Not too sure but perhaps the issue isn’t with the SHA of your file. I think the issue may be related to Misleading "Integrity check failed..." error if credentials for private registry are missing · Issue #6740 · yarnpkg/yarn · GitHub. Is that file being installed through a private repository? Perhaps this might help: [Support Guide] Using private NPM modules on Netlify

We’re in the same situation.

GSAP (Animation library) offers access to additional premium files with membership. These differ to what is available via NPM, CDN’s etc, because you have to pay to access them.

Their recommended installation route is by manually adding a bundled .tgz file to your package.json like so:

"gsap": "./gsap-bonus.tgz",

I can only imagine that as part of the Netlify deploy process, it’s checking the security / SHA of the provided tgz against the npm / packaged version, seeing they’re different (rightly so) and getting upset about it.

4:08:12 PM: error Integrity check failed for "gsap" (computed integrity doesn't match our records, got "sha1-lYu/KAPL16QCxNZP8Whxq9ttOUw=")

I’ve a number of sites deployed in this manner with Netlify, but since revisiting them and making some basic changes today, they now no longer deploy.

Just to add, I’ve tried just to get around this using the Environment Variable for Yarn to skip the Integrity check, but it doesn’t seem to make a difference (or I’ve implemented it wrong).

--skip-integrity-check

Screenshot 2020-06-30 at 18.17.211880×786 52.2 KB

Hey @kithandkin,
Skipping the integrity check is a great idea. Do you have a yarn.lock file? We look for that before checking for yarn flags. If you do, then ignoring the flags is… unintended. So please let us know!

Perfect Jen!

That’s sorted the issue for me.

I removed the yarn.lock file, cleared the cache and forced it to rebuild keeping the --skip-integrity-check flag in place. The site is now building again.

@danecalee can you confirm this solves the issue for you too?

@jen It would be good if the documentation could be updated somewhere to reflect this, as it’s a different issue to using a privately hosted package.

hey @kithandkin - super glad its working now. I’ve added a note to take a closer look and see if we can make the instructions more clear on this.

@kithandkin - we talked about this internally, and it seems to be an issue more with how yarn is set up to behave as opposed to netlify.

Specifically, we found this issue: