yarnpkg/yarn

Files are extracted before their hashes are checked.

Open

#4,638 opened on Oct 5, 2017

View on GitHub
 (13 comments) (0 reactions) (0 assignees)JavaScript (2,731 forks)batch import
cat-featuregood first issuehelp wantedtriaged

Repository metrics

Stars
 (41,514 stars)
PR merge metrics
 (No merged PRs in 30d)

Description

Do you want to request a feature or report a bug? A bug.

What is the current behavior? Currently, downloaded files are extracted before their hashes are checked. https://github.com/yarnpkg/yarn/blob/master/src/fetchers/tarball-fetcher.js#L75

What is the expected behavior? Files should be verified before they are extracted.

Contributor guide