Skip to content

fix: replace weak hash functions with SHA-256 #3168

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
guan404ming wants to merge 1 commit into from
Closed

fix: replace weak hash functions with SHA-256 #3168

guan404ming wants to merge 1 commit into from
+9 −9

Conversation

@guan404ming
Copy link

@guan404ming guan404ming commented Jun 18, 2025

Checklist
  • npm install && npm run lint && npm test passes
  • tests are included
  • documentation is changed or added
  • commit message follows commit guidelines
Description of change

This PR replaces weak cryptographic hash functions (MD5 and SHA1) with SHA-256 across the node-gyp codebase to improve security. The changes affect hash generation for:

  • Object ID calculation in Xcode project files
  • Intermediate file naming in Makefile generation
  • GUID generation for Visual Studio projects
  • Build rule hashing in Ninja generator

Security Impact: Addresses potential security vulnerabilities by replacing deprecated hash functions that are susceptible to collision attacks.

Performance & Functionality: No impact on build speed or functionality. All existing features work exactly the same with stronger security guarantees.

Compatibility: Maintains full backward compatibility while using modern cryptographic standards.

legendecas
legendecas reviewed Jun 20, 2025
View reviewed changes
Copy link
Member

@legendecas legendecas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would you mind submitting changes in gyp/ to https://github.com/nodejs/gyp-next first? Thank you!

@guan404ming
Copy link
Author

guan404ming commented Jan 23, 2026

Here is the pr nodejs/gyp-next#329!

@guan404ming guan404ming mentioned this pull request Jan 24, 2026
Merged
@guan404ming
Copy link
Author

guan404ming commented Jan 24, 2026
edited
Loading

I've resolved the pr conflict, thanks!

@cclauss
Copy link
Contributor

cclauss commented Jan 25, 2026
edited
Loading

I believe this can be closed because it will come into this codebase on the next sync with gyp-next.

@cclauss cclauss requested a review from legendecas January 25, 2026 13:02
@legendecas
Copy link
Member

legendecas commented Jan 26, 2026

Synchronization done in #3273. Thank you for your work on this!

@legendecas legendecas closed this Jan 26, 2026
@guan404ming
Copy link
Author

guan404ming commented Jan 27, 2026

Thanks for the review and help!

@guan404ming guan404ming deleted the sha-256 branch January 27, 2026 01:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@legendecas legendecas Awaiting requested review from legendecas

Assignees

No one assigned

Labels

gyp-next

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@guan404ming @cclauss @legendecas @lukekarrys