Comments (5)
These are the available FIPS compliant hashing algorithms `crypto.getHashes()` reports:
[
'RSA-SHA1',
'RSA-SHA1-2',
'RSA-SHA224',
'RSA-SHA256',
'RSA-SHA3-224',
'RSA-SHA3-256',
'RSA-SHA3-384',
'RSA-SHA3-512',
'RSA-SHA384',
'RSA-SHA512',
'RSA-SHA512/224',
'RSA-SHA512/256',
'id-rsassa-pkcs1-v1_5-with-sha3-224',
'id-rsassa-pkcs1-v1_5-with-sha3-256',
'id-rsassa-pkcs1-v1_5-with-sha3-384',
'id-rsassa-pkcs1-v1_5-with-sha3-512',
'sha1',
'sha1WithRSAEncryption',
'sha224',
'sha224WithRSAEncryption',
'sha256',
'sha256WithRSAEncryption',
'sha3-224',
'sha3-256',
'sha3-384',
'sha3-512',
'sha384',
'sha384WithRSAEncryption',
'sha512',
'sha512-224',
'sha512-224WithRSAEncryption',
'sha512-256',
'sha512-256WithRSAEncryption',
'sha512WithRSAEncryption',
'shake128',
'shake256',
'ssl3-sha1'
]
from pnpm.
We are FIPS compliant for our production images and this issue remains a blocker for us to use `pnpm`. There are references to `createHash("md5")` in various places which fail, given md5 is not a crypto compliant algorithm.
from pnpm.
I'm running into this too right now, but on pnpm-8, so I don’t believe this is a new thing.
from pnpm.
A workaround is to invoke pnpm through a wrapper script. This is what I'm doing:

```js
#!/usr/bin/env node
const crypto = require('node:crypto');
const path = require('node:path');

// Replace crypto.createHash with a wrapper that serves 'md5' requests with 'sha1'.
function monkeyPatch() {
  const originalCreateHash = crypto.createHash;

  function createHashInterceptMD5(...argv) {
    if (argv[0] === 'md5') {
      argv[0] = 'sha1';
    }
    return originalCreateHash(...argv);
  }

  crypto.createHash = createHashInterceptMD5;
}

// Patch before pnpm is loaded so that its createHash calls go through the wrapper.
monkeyPatch();

// Update this path to match your circumstances
require(path.join(__dirname, 'node_modules/.bin/pnpm'));
```
Using another algorithm doesn't seem to hurt. I think it might effectively invalidate the pnpm store from before invoking with this wrapper. That's not a problem for my situation since I am unable to invoke pnpm without this on FIPS machines.
If a fix eventually makes its way into pnpm, it is worth considering making the hashing algorithm configurable and leaving md5 as the default. Users who are lucky enough to not work on FIPS machines can keep using md5 and have their stores/caches keep working. FIPS users would have an escape hatch now, and more in the future if the algorithm they pick becomes unavailable.
from pnpm.
I think having lock files with configurable hash algorithms would be bad, compared to the one time pain of incrementing the lock file version and forcing everyone onto a better algorithm.
Thanks for the monkeypatch code though. I sure hope this gets fixed.
from pnpm.