Skip to content
This repository was archived by the owner on Feb 19, 2026. It is now read-only.

Use sha1, instead of md5#191

Merged
lovell merged 2 commits intoprebuild:masterfrom
szubster:master
Feb 29, 2024
Merged

Use sha1, instead of md5#191
lovell merged 2 commits intoprebuild:masterfrom
szubster:master

Conversation

@szubster
Copy link
Copy Markdown
Contributor

@szubster szubster commented Jan 24, 2024

This allows prebuild-install to be used on fips systems

@szubster
Use sha1, instead of md5
81ae938 
This allows prebuild-install to be used on fips systems
@pasieronen
Copy link
Copy Markdown

pasieronen commented Feb 2, 2024

Just ran into the same issue this week - your fix looks good to me!

@karolkalinski
Copy link
Copy Markdown

karolkalinski commented Feb 19, 2024

I have had the same issue when working with sharp-js library. Is there a chnace that this PR would be approved? cc: @vweevers

@krethh
Copy link
Copy Markdown

krethh commented Feb 19, 2024
edited
Loading

@lovell Any chance we could get this merged? I'm also running into the same issue. FIPS-compliant systems ban the use of MD5 altogether so any libraries which have prebuild-install as a dependency will not build.

@lovell lovell added the semver-major Changes that break backward compatibility label Feb 19, 2024
@lovell
Copy link
Copy Markdown
Member

lovell commented Feb 19, 2024

For those using sharp please upgrade as the latest version no longer depends on prebuild-install.

lovell
lovell reviewed Feb 19, 2024
View reviewed changes
Comment thread util.js Outdated
lovell
lovell approved these changes Feb 20, 2024
View reviewed changes
Comment thread util.js

function cachedPrebuild (url) {
const digest = crypto.createHash('md5').update(url).digest('hex').slice(0, 6)
const digest = crypto.createHash('sha512').update(url).digest('hex').slice(0, 6)
Copy link
Copy Markdown
Member

@lovell lovell Feb 20, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the reason for not using an MD5 hash under the rules of FIPS is its predictability and therefore increased chance of collision then the subsequent use of slice(0, 6) negates hash choice anyway. 😅

Copy link
Copy Markdown
Contributor Author

@szubster szubster Feb 20, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well, it doesn't much matter in the end. This code will not be running as part of the system, only during build.
At the same time, node unfortunately, does not have an equivalent of usedforsecurity parameter from python's hashlib

@lovell lovell added semver-patch Bug fixes that are backward compatible and removed semver-major Changes that break backward compatibility labels Feb 20, 2024
@lovell
Copy link
Copy Markdown
Member

lovell commented Feb 20, 2024

I originally tagged this as semver-major but given cache filesystem layout isn't really part of the external API we can probably release this under semver-patch and reduce ecosystem upgrade churn. I'm going to leave this PR for a few days in case other maintainers have thoughts around this.

@szubster
Copy link
Copy Markdown
Contributor Author

szubster commented Feb 27, 2024

Ready to merge? :)

@lovell lovell merged commit 9140468 into prebuild:master Feb 29, 2024
@lovell
Copy link
Copy Markdown
Member

lovell commented Feb 29, 2024

7.1.2 now available

@admin-token-bot admin-token-bot mentioned this pull request Sep 15, 2024
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

1 more reviewer

@lovell lovell lovell approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

semver-patch Bug fixes that are backward compatible

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@szubster @pasieronen @karolkalinski @krethh @lovell