Why am I getting "client did not publish a checksum value..." for npm packages

Author: Batel Tova
Article number: 000004847
First published: 2020-07-07T14:34:57Z
Last modified: 2024-03-10T07:47:39Z
Version: 6

The warning shown in the Artifactory UI for uploaded npm packages means that no checksums were supplied for the files when the artifacts were deployed, so Artifactory cannot verify the authenticity of the artifact.

By default, Artifactory verifies local checksum values against client checksums, so if there is a mismatch, or if the client provides no checksum, Artifactory shows this warning. The next step is therefore to establish how the binaries are being deployed to Artifactory.

If binaries are being deployed using a CI server, the CI server needs to be configured to pass the checksums using the following headers in the PUT request:

X-Checksum-Sha1: sha1Value
X-Checksum-Sha256: sha256Value
X-Checksum: checksum value

Another way to deploy artifacts together with their checksums is to use JFrog CLI to upload the artifacts, or even to perform the complete build for NuGet, Go, npm, Docker, Maven and Gradle.

In addition, the 'Fix Checksum' option in Artifactory only accepts the checksums that Artifactory generated; it does not affect any operation (download/upload/overwrite/delete) on the artifact itself. Fixing this programmatically is therefore not required for Artifactory to function smoothly.

To verify checksums, one way is to compare an artifact's SHA1 against http://registry.npmjs.org. For example, take the SHA1 of ansi-regex and then check it against http://registry.npmjs.org/ansi-regex.
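Added example (not JFrog's code): computing the checksum headers listed above for a deployment PUT, and comparing an artifact's SHA1 with the `dist.shasum` field of the npm registry metadata. The repository URL, the package name `example-pkg` and the sample bytes are constructed placeholders, and the request is built but never sent.

```python
import hashlib
import hmac
import urllib.request

# Constructed sample data: stand-in bytes for a .tgz and a trimmed registry document.
SAMPLE_TARBALL = b"abc"
SAMPLE_PACKUMENT = {
    "name": "example-pkg",
    "versions": {"1.0.0": {"dist": {"shasum": "a9993e364706816aba3e25717850c26c9cd0d89d"}}},
}

def checksum_headers(payload: bytes) -> dict:
    """Checksum headers computed from the exact bytes that will be uploaded."""
    return {
        "X-Checksum-Sha1": hashlib.sha1(payload).hexdigest(),
        "X-Checksum-Sha256": hashlib.sha256(payload).hexdigest(),
    }

def build_deploy_request(url: str, payload: bytes) -> urllib.request.Request:
    """Build (without sending) the PUT a CI job would issue; auth is omitted."""
    return urllib.request.Request(url, data=payload, method="PUT",
                                  headers=checksum_headers(payload))

def matches_registry(payload: bytes, packument: dict, version: str) -> bool:
    """Compare the artifact's SHA1 with dist.shasum from the registry metadata."""
    dist = packument.get("versions", {}).get(version, {}).get("dist", {})
    published = dist.get("shasum")
    if not published:
        return False  # unknown version or no published SHA1: treat as unverified
    local = hashlib.sha1(payload).hexdigest()
    return hmac.compare_digest(local, published.lower())

if __name__ == "__main__":
    # Hypothetical repository URL, for illustration only.
    url = "https://artifactory.example.com/artifactory/npm-local/example-pkg/-/example-pkg-1.0.0.tgz"
    req = build_deploy_request(url, SAMPLE_TARBALL)
    print(req.get_method(), req.full_url)
    for name, value in req.header_items():
        print(f"{name}: {value}")
    print("matches registry:", matches_registry(SAMPLE_TARBALL, SAMPLE_PACKUMENT, "1.0.0"))
```

Compute the digests from the same bytes that are sent in the request body, so that the values Artifactory recomputes on receipt match the headers.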