
Improve shrinkwrap security by default by using always SHA512 hashes #536

Closed
evilaliv3 opened this issue Nov 28, 2019 · 1 comment

Comments

@evilaliv3

The current behaviour of NPM is to perform a shrinkwrap by using the archived SHA hash stored on the registry at the time of publishing.

This causes a well-known behaviour where only packages published using NPM benefit from SHA512 hashes, while older packages published before continue to have only a SHA1 hash, which is known not to be resilient against collisions.

This poses severe possible server security issues for critical projects using dependencies published on NPM.

This ticket proposes the adoption of one of the following changes:

  • Extend the registry to automatically re-hash the existing published packages, adding a hash of type SHA512
  • Extend the shrinkwrap utility with the possibility to hash the dependencies online directly while performing the shrinkwrap process, thus following a Trust On First Use (TOFU) approach

References:
https://npm.community/t/sha1-vs-sha512-integrity/3416
https://medium.com/@ldong/stupid-sha-checksum-changes-in-npm-5-4bcb93f40791

This ticket's proposal was defined while working on the GlobaLeaks project.

@evilaliv3 (Author)

@zkat: from what I read, you have analyzed this problem well in many situations; would you please advise on the best thing to do?

I'm also considering creating a package (maybe a grunt plugin) just for fixing the shrinkwrap by implementing a trust on first use approach, but I wonder if other projects have followed different approaches.

thank you!
