devtool / live
cpan-integ
install-time hash verification for CPAN dependencies
cpan-integ records the SHA-256 of each resolved CPAN distribution’s actual bytes in a committed, diff-friendly lockfile, and fails the build if a fetched artifact differs from what was pinned.
It closes the gap Carton, cpm, and cpanm leave open — they pin versions, not bytes — giving CPAN the same trust-on-first-pin guarantee that pip’s hash mode and npm’s lockfile integrity field already provide. It’s for Perl developers and CI pipelines that need supply-chain protection against mirror tampering, re-uploaded distributions, and in-transit corruption.
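What pinning bytes rather than versions catches, shown as an added Perl example that is not cpan-integ's own code. The one-line-per-distribution lock layout, the function names parse_lock and verify_artifact, and the Foo-Bar sample data are assumptions made for illustration; the page does not describe the real lockfile format.

```perl
#!/usr/bin/env perl
# Added example: version pin vs. byte pin. Lock layout and names are hypothetical.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);    # core module

# Constructed sample: two "tarballs" claiming the same distribution and version.
my $original   = "Foo-Bar-1.02 tarball bytes (constructed sample)";
my $reuploaded = "Foo-Bar-1.02 tarball bytes (constructed sample, altered)";

# Hypothetical lock entry written at first pin: "name algo hexdigest".
my $name      = 'Foo-Bar-1.02.tar.gz';
my $lock_text = join ' ', $name, 'sha256', sha256_hex($original);

# Parse lock lines into { name => digest }, rejecting anything malformed.
sub parse_lock {
    my ($text) = @_;
    my %pins;
    for my $line (split /\n/, $text) {
        next if $line =~ /^\s*(?:#|$)/;    # skip comments and blank lines
        my ($dist, $algo, $hex) = split ' ', $line;
        die "malformed lock line: $line\n"
            unless defined $hex && $algo eq 'sha256' && $hex =~ /\A[0-9a-f]{64}\z/;
        $pins{$dist} = $hex;
    }
    return \%pins;
}

# Returns 'ok', 'mismatch', or 'unpinned' for the fetched bytes.
sub verify_artifact {
    my ($pins, $dist, $bytes) = @_;
    return 'unpinned' unless exists $pins->{$dist};
    return sha256_hex($bytes) eq $pins->{$dist} ? 'ok' : 'mismatch';
}

my $pins = parse_lock($lock_text);
for my $case ([original => $original], [reuploaded => $reuploaded]) {
    my ($label, $bytes) = @$case;
    # A version-only check sees the same name and version both times.
    printf "%-10s version pin: ok   byte pin: %s\n",
        $label, verify_artifact($pins, $name, $bytes);
}

# An artifact with no lock entry is refused rather than trusted.
print "unlisted   byte pin: ", verify_artifact($pins, 'Baz-0.01.tar.gz', 'x'), "\n";

# Fail the build (non-zero exit) when the fetched bytes differ from the pin.
exit 1 if verify_artifact($pins, $name, $reuploaded) ne 'ok';
```

Both artifacts carry the same name and version, so a version-only lock accepts either; only the digest comparison separates them.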