fix: replace weak hash functions with SHA-256

Open guan404ming opened this issue 6 months ago • 0 comments

Checklist
  • [x] npm install && npm run lint && npm test passes
  • [ ] tests are included
  • [ ] documentation is changed or added
  • [x] commit message follows commit guidelines
Description of change

This PR replaces weak cryptographic hash functions (MD5 and SHA1) with SHA-256 across the node-gyp codebase to improve security. The changes affect hash generation for:

  • Object ID calculation in Xcode project files
  • Intermediate file naming in Makefile generation
  • GUID generation for Visual Studio projects
  • Build rule hashing in Ninja generator

Security Impact: Addresses potential security vulnerabilities by replacing deprecated hash functions that are susceptible to collision attacks.

Performance & Functionality: No impact on build speed or functionality. All existing features work exactly the same with stronger security guarantees.

Compatibility: Maintains full backward compatibility while using modern cryptographic standards.

guan404ming, Jun 18 '25 09:06
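An added example of the kind of identifier derivation the description lists (GUIDs for Visual Studio projects); it is not code from this PR or from node-gyp. The helper names, the seed string and the project names are constructed for illustration. It shows a SHA-256 digest truncated to the 128 bits a GUID can hold, and that the result is deterministic but differs from the MD5-derived value for the same name.

```python
import hashlib
import uuid

SEED = "example-seed"  # constructed value, not taken from the project


def make_guid(name: str, algo: str = "sha256", seed: str = SEED) -> str:
    """Derive a deterministic, brace-wrapped GUID string from a name.

    Hypothetical helper. A GUID holds 128 bits, so any digest longer
    than MD5's is truncated to its first 16 bytes before formatting.
    """
    data = (seed + name).encode("utf-8")
    # usedforsecurity=False (Python 3.9+) lets the MD5 comparison run on
    # FIPS-restricted builds; it does not change the digest value.
    digest = hashlib.new(algo, data, usedforsecurity=False).digest()
    return "{" + str(uuid.UUID(bytes=digest[:16])).upper() + "}"


def changed_ids(names, old_algo: str = "md5", new_algo: str = "sha256"):
    """Return the names whose derived GUID differs between two hash choices."""
    return [n for n in names if make_guid(n, old_algo) != make_guid(n, new_algo)]


def has_collision(names, algo: str = "sha256") -> bool:
    """True if two distinct names map to the same GUID under `algo`."""
    guids = [make_guid(n, algo) for n in set(names)]
    return len(guids) != len(set(guids))


if __name__ == "__main__":
    projects = ["app", "lib", "tests"]  # constructed sample names
    for p in projects:
        print(p, make_guid(p, "md5"), "->", make_guid(p, "sha256"))
    print("changed:", changed_ids(projects))
    print("collision:", has_collision(projects))
```

Anything that stores or compares previously generated identifiers can use a check like `changed_ids` to see which ones a hash switch would regenerate.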