Packages: Store the SHA 512 integrity hash sent by NPM v5+
Release notes
The NPM packages API now stores and serves the SHA-512 integrity hashes for packages published with NPM version 5 and above.
Problem to solve
NPM v5+ switched its integrity hashes from SHA-1 to SHA-512. Our file storage currently captures only the SHA-1 value sent during the publish. We should also store and serve the SHA-512 value, as that appears to be the standard for all new packages on the public NPM registry now.
Proposal
Support capturing and storing file_sha512 attributes for uploaded NPM packages in https://gitlab.com/gitlab-org/gitlab/blob/39e034d03086045ab00e4c1d67fd8fad51fcdbfd/app/services/packages/npm/create_package_service.rb (in method def file_params, which only sources submitted info version_data[:dist][:shasum] as an SHA-1 value)
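A sketch of what capturing the value could look like, added here as an example and not taken from GitLab's code. It assumes the NPM v5+ client sends the SHA-512 digest as `dist.integrity` in SRI form (`sha512-<base64>`) next to `dist.shasum`; the helper name, the `file_sha1` key and the recompute-before-store check are assumptions of this example.

```ruby
require 'base64'
require 'digest'

# Hypothetical helper, not GitLab's implementation. `dist` is the
# version_data[:dist] hash from the publish payload, `tarball` the uploaded bytes.
def npm_file_digests(dist, tarball)
  sha1 = dist[:shasum]&.downcase

  # dist.integrity is an SRI string: one or more "<algo>-<base64>" entries.
  _, b64 = dist[:integrity].to_s.split
                           .map { |entry| entry.split('-', 2) }
                           .find { |algo, _| algo == 'sha512' }

  sha512 = nil
  if b64
    raw = Base64.strict_decode64(b64) # raises ArgumentError on malformed base64
    raise ArgumentError, 'sha512 digest must be 64 bytes' unless raw.bytesize == 64

    sha512 = raw.unpack1('H*') # store as hex, like the SHA-1 value
  end

  # Client-supplied digests are only claims: recompute before storing.
  raise ArgumentError, 'shasum mismatch' if sha1 && sha1 != Digest::SHA1.hexdigest(tarball)
  raise ArgumentError, 'integrity mismatch' if sha512 && sha512 != Digest::SHA512.hexdigest(tarball)

  { file_sha1: sha1, file_sha512: sha512 }
end

# Constructed sample input (not a real package).
SAMPLE_TARBALL = 'constructed tarball bytes'.b
SAMPLE_DIST = {
  shasum: Digest::SHA1.hexdigest(SAMPLE_TARBALL),
  integrity: "sha512-#{Base64.strict_encode64(Digest::SHA512.digest(SAMPLE_TARBALL))}"
}.freeze

puts npm_file_digests(SAMPLE_DIST, SAMPLE_TARBALL)
```

A payload from an older client that carries only `shasum` yields `file_sha512: nil`, so the SHA-1 path keeps working unchanged.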