Expand packageManager description with allowed & recommended hash values

[MikeMcC399]

What would you like?

In the README section When Authoring Packages, expand the description to cover acceptable and recommended hash values. It should also describe how to determine correct hash values and which format is needed for Corepack.

Why is this needed?

It should be clear how to construct a valid packageManager definition with a hash, whether using a hash as part of a command or if manually editing packageManager into package.json.

The npm cli directly displays sha1 (shasum) and sha512 (integrity in BASE64) hashes for a requested package. For example:

$ npm view [email protected] dist
{
  shasum: 'ab7948c89104fdd3fc88b5b391fa4b73fd800631',
  tarball: 'https://registry.npmjs.org/pnpm/-/pnpm-10.1.0.tgz',
  fileCount: 1206,
  integrity: 'sha512-yJhHsGZ92rUDlru9AIoqQ887WB79Wc9dmqiSPqH7S4EGwEHVQNCKywlQN1lNc+vFHh7InuQMiLMLimbA+uCsGw==',
  signatures: [
    {
      sig: 'MEUCIQDlkgmNyZjT7KUY8AO6jH7Gs3fyiXG8nbTnuLbd8fOS2AIgXyJ6SaYhumMFzUYQAZPJGhsnlaD5N0X2MZsbG+eS/Xo=',
      keyid: 'SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U'
    }
  ],
  unpackedSize: 18870570
}

Other

• Since Corepack does not use the live copy of https://registry.npmjs.org/-/npm/v1/keys, if keys are rotated and used to sign packages, then Corepack users may have difficulty installing newer package managers. See issues
  • Newly published versions of package managers distributed from npm cannot be installed due to key id mismatch #612
  • Saveguards for keyid mismatch #616
  • [BUG] Unable to install 11.1.0 with corepack npm/cli#8075
• corepack install or corepack use with a package manager hash can help to work around this issue.