Getting EINTEGRITY errors when Nexus is used as a proxy for upstream NPM artifacts

This is a problem that manifested itself in the past 24 hours. We have a Nexus repo group set up that combines our internal NPM repository with a proxy repository for registrynpmjsorg. In the past 24 hours our npm install commands have been failing with:

npm http fetch GET 200 URL_REMOVED_BECAUSE_OF_BOARD_RULES/repository/npm-all-new/is-arrayish/-/is-arrayish-0.3.2.tgz 242ms
npm timing stage:rollbackFailedOptional Completed in 0ms
npm timing stage:runTopLevelLifecycles Completed in 94765ms
npm verb stack Error: sha512-I/VwFcslOAPh0BrC5zaf/K1VNKS6s0Nq0oux28RvjgnHdV2j6XVj3sAf3mPlmbciYODnPCYW/tKolCBgbXafcQ== integrity checksum failed when using sha512: wanted sha512-I/VwFcslOAPh0BrC5zaf/K1VNKS6s0Nq0oux28RvjgnHdV2j6XVj3sAf3mPlmbciYODnPCYW/tKolCBgbXafcQ== but got sha512-UIwA+GXHqv6dxUHgFEiKV//m+/KkQqechUCISpHzNMrSAC6+XAsN0oZttCfmcnbwl9jiN1qCUb6+1/8Ujc6VrQ==. (6784 bytes)
npm verb stack     at Transform.<anonymous> (/usr/local/lib/node_modules/npm/node_modules/ssri/index.js:328:19)
npm verb stack     at Transform.emit (events.js:328:22)
npm verb stack     at endReadableNT (_stream_readable.js:1201:12)
npm verb stack     at processTicksAndRejections (internal/process/task_queues.js:84:21)
npm verb cwd /Users/eshkurkin/code/wam/apps/amc/root
npm verb Darwin 18.2.0
npm verb argv "/usr/local/bin/node" "/usr/local/bin/npm" "i" "--verbose"
npm verb node v13.10.1
npm verb npm  v6.14.8
npm ERR! code EINTEGRITY
npm ERR! sha512-I/VwFcslOAPh0BrC5zaf/K1VNKS6s0Nq0oux28RvjgnHdV2j6XVj3sAf3mPlmbciYODnPCYW/tKolCBgbXafcQ== integrity checksum failed when using sha512: wanted sha512-I/VwFcslOAPh0BrC5zaf/K1VNKS6s0Nq0oux28RvjgnHdV2j6XVj3sAf3mPlmbciYODnPCYW/tKolCBgbXafcQ== but got sha512-UIwA+GXHqv6dxUHgFEiKV//m+/KkQqechUCISpHzNMrSAC6+XAsN0oZttCfmcnbwl9jiN1qCUb6+1/8Ujc6VrQ==. (6784 bytes)
npm verb exit [ 1, true ]
npm timing npm Completed in 95339ms

We thought maybe the caching repository had been corrupted so we created an entire fresh, caching repository and swapped it into the group but we continued to get the EINTEGRITY errors. Local caches were completely wiped from disk between runs where these problems occurred as well and did not resolve the problem.

We were able to resolve the problem by switching our package.json to use explicit scoping for internal packages and having npm fetch public packages directly from registry.npmjs.org by setting that as the repository in the .npmrc – when we make this change, we see no EINTEGRITY errors from npm install.

We’re running the latest npm, the latest node and Nexus OSS 3.27.0-03.

We’re at a loss for what might be causing this. The only change to the system in the past 24 hours has been a reboot of the Redhat machine we’re hosting the Nexus server on. And the errors are only a problem for Node packages. PyPi caching , Maven repo caching and Rubygem caching all seem to be working just fine.

Anyone else seeing this problem? Maybe it’s an issue upstream with registry.npmjs.org?

Any tips on how to troubleshoot this?

My thanks in advance for any clues on how to resolve this one.