Verify latest release

• I verified that the issue exists in the latest pnpm release

pnpm version

11.4.0

Which area(s) of pnpm are affected? (leave empty if unsure)

Lockfile

Link to the code that reproduces this issue or a replay of the bug

No response

Reproduction steps

1. install a dependency via tarball
2. try to install any other dependency

Describe the Bug

when installing a dependency via url/tarball and then installing another dependency,
the integrity hash seems to get deleted from the resolution field, of dependencies installed via tarball.
We have an internal library which we install via pnpm add https://company.url/library/version/dist.tgz. this works and produces the expected entry in the pnpm-lock.yaml

@package/core@https://company.url/library/version/dist.tgz:
        resolution: {integrity: sha512-hashvalue, tarball: https://company.url/library/version/dist.tgz}

when i install another package after that, the integrity field is missing and pnpm throws the following error:

[ERR_PNPM_MISSING_TARBALL_INTEGRITY] Cannot install package "@package/core@https://company.url/library/version/dist.tgz": its lockfile entry has no "integrity" field, so pnpm cannot verify the downloaded tarball.

The lockfile may be corrupted or have been tampered with. Restore it from a trusted source, or delete it and re-run installation without --frozen-lockfile to regenerate.

Expected Behavior

The integrity field should stay populated.
I also tried to use --update-checksums which was introduced in pnpm 11.4 (https://pnpm.io/cli/install#--update-checksums) but that just throws

pnpm install --update-checksums              
 ERROR  Unknown option: 'update-checksums'

If I have overlooked something, I'm really sorry

Which Node.js version are you using?

v24.13.0

Which operating systems have you used?

• macOS
• Windows
• Linux

If your OS is a Linux based, which one it is? (Include the version if relevant)

No response