npm on node:20.11-alpine3.18 fails with "Someone might have tampered with these packages since they were published on the registry!"

[mitar]

Environment

• Node.js Version: 20.11
• Image Tag: node:20.11-alpine3.18

Expected Behavior

npm correctly installs packages.

Current Behavior

Since few days ago, installing npm packages inside node:20.11-alpine3.18 image is failing with:

Someone might have tampered with these packages since they were published on the registry!

Possible Solution

It looks like npm should be upgraded to 10.5.0 or newer:

npm/cli#7279

[mitar]

Why was this closed? Why not update npm in the Docker image for everyone?

[SimenB]

docker-node/CONTRIBUTING.md

Line 9 in e5ffb12

New **NPM** releases are not tracked. We simply use the NPM version bundled in the corresponding Node.js release.

[mitar]

Thanks. But this now means that everyone using this package has effectively broken npm and has to increase their CI running time by upgrading npm first (after figuring out that one has to upgrade npm and that it is not that somebody is tampering with packages). I think this warrants an exception to the rule cited above.