Need help with building new changes for an app

Hi everyone,

I am building a React app, and recently I was fixing security vulnerabilities by editing the versions of the vulnerable packages in package-lock.json. After sending changes via GitHub, I noticed that my build always failed, and it had npm warnings pertaining to the packages I fixed. Anyone know why this is happening? Here is the build:

2:42:26 PM: Build ready to start

2:42:28 PM: build-image version: 122b31996ccaffd45d820a452d6227f8312110cc (focal)

2:42:28 PM: build-image tag: v4.5.3

2:42:28 PM: buildbot version: 9bc48650b0551281ca8258d0c32d371dd2b6993b

2:42:28 PM: Fetching cached dependencies

2:42:28 PM: Starting to download cache of 373.0MB

2:42:30 PM: Finished downloading cache in 2.172431025s

2:42:30 PM: Starting to extract cache

2:42:44 PM: Finished extracting cache in 13.964038064s

2:42:45 PM: Finished fetching cache in 16.208070564s

2:42:45 PM: Starting to prepare the repo for build

2:42:45 PM: Preparing Git Reference refs/heads/main

2:42:47 PM: Parsing package.json dependencies

2:42:48 PM: Starting build script

2:42:48 PM: Installing dependencies

2:42:48 PM: Python version set to 2.7

2:42:48 PM: Started restoring cached node version

2:42:51 PM: Finished restoring cached node version

2:42:52 PM: v16.14.0 is already installed.

2:42:52 PM: Now using node v16.14.0 (npm v8.3.1)

2:42:52 PM: Started restoring cached build plugins

2:42:52 PM: Finished restoring cached build plugins

2:42:52 PM: Attempting ruby version 2.7.2, read from environment

2:42:54 PM: Using ruby version 2.7.2

2:42:54 PM: Using PHP version 8.0

2:42:54 PM: Started restoring cached node modules

2:42:54 PM: Finished restoring cached node modules

2:42:55 PM: Installing NPM modules using NPM version 8.3.1

2:43:00 PM: npm WARN tarball tarball data for simple-get@url-of-package (sha512-lSSHRSw3mQNUGPAYRqo7xy9dhKmxFXIjLjp4KHpf99GEH2VH7C3AM+Qfx6du6jhfUi6Vm7XnbEVEf7Wb6N8jRw==) seems to be corrupted. Trying again.

2:43:00 PM: npm WARN tarball tarball data for nth-check@url-of-package (sha512-WeBOdju8SnzPN5vTUJYxYUxLeXpCaVP5i5e0LF8fg7WORF2Wd7wFX/pk0tYZk7s8T+J7VLy0Da6J1+wCT0AtHg==) seems to be corrupted. Trying again.

2:43:01 PM: npm WARN tarball tarball data for nth-check@url-of-package(sha512-WeBOdju8SnzPN5vTUJYxYUxLeXpCaVP5i5e0LF8fg7WORF2Wd7wFX/pk0tYZk7s8T+J7VLy0Da6J1+wCT0AtHg==) seems to be corrupted. Trying again.

2:43:01 PM: npm WARN tarball tarball data for ansi-regex@url-of-package (sha512-1apePfXM1UOSqw0o9IiFAovVz9M5S1Dg+4TrDwfMewQ6p/rmMueb7tWZjQ1rx4Loy1ArBggoqGpfqqdI4rondg==) seems to be corrupted. Trying again.

2:43:01 PM: npm WARN tarball tarball data for ansi-regex@url-of-package (sha512-1apePfXM1UOSqw0o9IiFAovVz9M5S1Dg+4TrDwfMewQ6p/rmMueb7tWZjQ1rx4Loy1ArBggoqGpfqqdI4rondg==) seems to be corrupted. Trying again.

2:43:01 PM: npm WARN tarball tarball data for ansi-regex@url-of-package (sha512-1apePfXM1UOSqw0o9IiFAovVz9M5S1Dg+4TrDwfMewQ6p/rmMueb7tWZjQ1rx4Loy1ArBggoqGpfqqdI4rondg==) seems to be corrupted. Trying again.

2:43:01 PM: npm WARN tarball tarball data for simple-get@url-of-package (sha512-lSSHRSw3mQNUGPAYRqo7xy9dhKmxFXIjLjp4KHpf99GEH2VH7C3AM+Qfx6du6jhfUi6Vm7XnbEVEf7Wb6N8jRw==) seems to be corrupted. Trying again.

2:43:01 PM: npm WARN tarball tarball data for browserslist@url-of-package (sha512-HI4lPveGKUR0x2StIz+2FXfDk9SfVMrxn6PLh1JeGUwcuoDkdKZebWiyLRJ68iIPDpMI4JLVDf7S7XzslgWOhw==) seems to be corrupted. Trying again.

2:43:01 PM: npm WARN tarball tarball data for ansi-regex@url-of-package (sha512-1apePfXM1UOSqw0o9IiFAovVz9M5S1Dg+4TrDwfMewQ6p/rmMueb7tWZjQ1rx4Loy1ArBggoqGpfqqdI4rondg==) seems to be corrupted. Trying again.

2:43:01 PM: npm WARN tarball tarball data for ansi-regex@url-of-package (sha512-1apePfXM1UOSqw0o9IiFAovVz9M5S1Dg+4TrDwfMewQ6p/rmMueb7tWZjQ1rx4Loy1ArBggoqGpfqqdI4rondg==) seems to be corrupted. Trying again.

2:43:01 PM: npm WARN tarball tarball data for node-fetch@url-of-package (sha512-mmlIVHJEu5rnIxgEgez6b9GgWXbkZj5YZ7fx+2r94a2E+Uirsp6HsPTPlomfdHtpt/B0cdKviwkoaM6pyvUOpQ==) seems to be corrupted. Trying again.

2:43:01 PM: npm WARN tarball tarball data for node-fetch@url-of-package (sha512-mmlIVHJEu5rnIxgEgez6b9GgWXbkZj5YZ7fx+2r94a2E+Uirsp6HsPTPlomfdHtpt/B0cdKviwkoaM6pyvUOpQ==) seems to be corrupted. Trying again.

2:43:01 PM: npm WARN tarball tarball data for node-fetch@url-of-package (sha512-mmlIVHJEu5rnIxgEgez6b9GgWXbkZj5YZ7fx+2r94a2E+Uirsp6HsPTPlomfdHtpt/B0cdKviwkoaM6pyvUOpQ==) seems to be corrupted. Trying again.

2:43:01 PM: npm WARN tarball tarball data for node-fetch@url-of-package (sha512-mmlIVHJEu5rnIxgEgez6b9GgWXbkZj5YZ7fx+2r94a2E+Uirsp6HsPTPlomfdHtpt/B0cdKviwkoaM6pyvUOpQ==) seems to be corrupted. Trying again.

2:43:01 PM: npm WARN tarball tarball data for node-fetch@url-of-package (sha512-mmlIVHJEu5rnIxgEgez6b9GgWXbkZj5YZ7fx+2r94a2E+Uirsp6HsPTPlomfdHtpt/B0cdKviwkoaM6pyvUOpQ==) seems to be corrupted. Trying again.

2:43:01 PM: npm WARN tarball tarball data for browserslist@url-of-package (sha512-HI4lPveGKUR0x2StIz+2FXfDk9SfVMrxn6PLh1JeGUwcuoDkdKZebWiyLRJ68iIPDpMI4JLVDf7S7XzslgWOhw==) seems to be corrupted. Trying again.

2:43:01 PM: npm WARN tarball tarball data for node-fetch@url-of-package (sha512-mmlIVHJEu5rnIxgEgez6b9GgWXbkZj5YZ7fx+2r94a2E+Uirsp6HsPTPlomfdHtpt/B0cdKviwkoaM6pyvUOpQ==) seems to be corrupted. Trying again.

2:43:01 PM: npm WARN tarball tarball data for node-fetch@url-of-package (sha512-mmlIVHJEu5rnIxgEgez6b9GgWXbkZj5YZ7fx+2r94a2E+Uirsp6HsPTPlomfdHtpt/B0cdKviwkoaM6pyvUOpQ==) seems to be corrupted. Trying again.

2:43:01 PM: npm WARN tarball tarball data for node-fetch@url-of-package (sha512-mmlIVHJEu5rnIxgEgez6b9GgWXbkZj5YZ7fx+2r94a2E+Uirsp6HsPTPlomfdHtpt/B0cdKviwkoaM6pyvUOpQ==) seems to be corrupted. Trying again.

2:43:01 PM: npm WARN tarball tarball data for node-fetch@url-of-package (sha512-mmlIVHJEu5rnIxgEgez6b9GgWXbkZj5YZ7fx+2r94a2E+Uirsp6HsPTPlomfdHtpt/B0cdKviwkoaM6pyvUOpQ==) seems to be corrupted. Trying again.

2:43:01 PM: npm WARN tarball tarball data for node-fetch@url-of-package (sha512-mmlIVHJEu5rnIxgEgez6b9GgWXbkZj5YZ7fx+2r94a2E+Uirsp6HsPTPlomfdHtpt/B0cdKviwkoaM6pyvUOpQ==) seems to be corrupted. Trying again.

2:43:01 PM: npm WARN tarball tarball data for node-forge@url-of-package (sha512-PPmu8eEeG9saEUvI97fm4OYxXVB6bFvyNTyiUOBichBpFG8A1Ljw3bY62+5oOjDEMHRnd0Y7HQ+x7uzxOzC6JA==) seems to be corrupted. Trying again.

2:43:02 PM: npm WARN tarball tarball data for node-forge@url-of-package (sha512-PPmu8eEeG9saEUvI97fm4OYxXVB6bFvyNTyiUOBichBpFG8A1Ljw3bY62+5oOjDEMHRnd0Y7HQ+x7uzxOzC6JA==) seems to be corrupted. Trying again.

2:43:11 PM: npm WARN tarball tarball data for ansi-regex@url-of-package (sha512-1apePfXM1UOSqw0o9IiFAovVz9M5S1Dg+4TrDwfMewQ6p/rmMueb7tWZjQ1rx4Loy1ArBggoqGpfqqdI4rondg==) seems to be corrupted. Trying again.

2:43:11 PM: npm ERR! code EINTEGRITY

2:43:11 PM: npm ERR! sha512-lSSHRSw3mQNUGPAYRqo7xy9dhKmxFXIjLjp4KHpf99GEH2VH7C3AM+Qfx6du6jhfUi6Vm7XnbEVEf7Wb6N8jRw== integrity checksum failed when using sha512: wanted sha512-lSSHRSw3mQNUGPAYRqo7xy9dhKmxFXIjLjp4KHpf99GEH2VH7C3AM+Qfx6du6jhfUi6Vm7XnbEVEf7Wb6N8jRw== but got sha512-brv7p5WgH0jmQJr1ZDDfKDOSeWWg+OVypG99A/5vYGPqJ6pxiaHLy8nxtFjBA7oMa01ebA9gfh1uMCFqOuXxvA==. (5530 bytes)

2:43:11 PM: npm ERR! A complete log of this run can be found in:

2:43:11 PM: npm ERR! /opt/buildhome/.npm/_logs/2022-02-20T18_42_55_733Z-debug-0.log

2:43:11 PM: Error during NPM install

2:43:11 PM: Build was terminated: Build script returned non-zero exit code: 1

2:43:11 PM: Creating deploy upload records

2:43:11 PM: Failing build: Failed to build site

2:43:11 PM: Failed during stage 'building site': Build script returned non-zero exit code: 1

2:43:11 PM: Finished processing build request in 43.166607011s

hey there,

as you can see in the snippet i highlighted above, your build is failing because for some reason some of the dependencies your project is asking to download and install are causing a failure as they are corrupted or outdated in some way.

does this build locally?

Weird, because GitHub told me to upgrade these dependencies to that version to fix the vulnerabilities. What do you mean by it building locally?

Hey @DevBaddy

As mentioned in the CRA documentation, you can create a production build using npm run build. If you already had the packages installed prior to editing the package-lock.json, this may still work for you.

I don’t believe editing the package-lock.json is what GitHub was suggesting you do. The package-lock.json is a file automatically generated when npm installs packages. Further, not all vulnerabilities the GitHub bot may identify are critical to every project—you need to assess what each package does and how it is used in a project. Many dependencies are those of other packages in a project and thus those packages are what require upgrading or require the maintainer to upgrade the dependencies used in it.

If you wish to upgrade packages in a project, start by checking which are outdated with npm outdated.

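An added example (not part of the thread and not npm's own code) of the check behind the EINTEGRITY error in the build log: each lockfile entry pins a version, a resolved tarball URL and an integrity hash, and a hand edit that changes one without the others no longer describes a single tarball. The package name demo-pkg, the registry.example URLs and the tarball bytes are constructed placeholders.

```javascript
const crypto = require('node:crypto');

// SRI string in the form npm stores in a lockfile "integrity" field.
function sri(bytes) {
  return 'sha512-' + crypto.createHash('sha512').update(bytes).digest('base64');
}

// Constructed stand-ins for two published tarballs (not real package data).
const base = 'https://registry.example/demo-pkg/-/';
const url100 = base + 'demo-pkg-1.0.0.tgz';
const url101 = base + 'demo-pkg-1.0.1.tgz';
const registry = {
  [url100]: Buffer.from('constructed bytes of demo-pkg 1.0.0'),
  [url101]: Buffer.from('constructed bytes of demo-pkg 1.0.1'),
};
const fetchTarball = (url) => registry[url];

// Lockfile as npm would generate it: all three fields describe one tarball.
const generated = { lockfileVersion: 2, packages: {
  '': { name: 'app', version: '0.1.0' },
  'node_modules/demo-pkg': { version: '1.0.0', resolved: url100, integrity: sri(registry[url100]) },
} };

// Return a copy of the lockfile with fields of demo-pkg changed by hand.
function handEdit(lock, changes) {
  const copy = JSON.parse(JSON.stringify(lock));
  Object.assign(copy.packages['node_modules/demo-pkg'], changes);
  return copy;
}

// Hash the bytes behind "resolved" and compare with the pinned "integrity";
// also flag entries whose version no longer matches the tarball file name
// (a heuristic for registry tarballs that needs no download).
function auditLock(lock, getBytes) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!entry.resolved || !entry.integrity) continue; // root or git entry
    const name = entry.name || path.split('node_modules/').pop();
    const file = `/${name.split('/').pop()}-${entry.version}.tgz`;
    if (!entry.resolved.endsWith(file)) findings.push({ name, problem: 'VERSION_URL_MISMATCH' });
    const got = sri(getBytes(entry.resolved));
    if (got !== entry.integrity) findings.push({ name, problem: 'EINTEGRITY', wanted: entry.integrity, got });
  }
  return findings;
}

// Version and URL bumped by hand, old integrity left in place.
const bumped = handEdit(generated, { version: '1.0.1', resolved: url101 });
console.log(auditLock(bumped, fetchTarball));
```

Letting npm rewrite the entry, for example with npm install <package>@<version>, changes all three fields together, so the pinned hash matches the tarball that is downloaded.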