-
Notifications
You must be signed in to change notification settings - Fork 63
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
compatibility with node-fips #340
Comments
It is not a security matter for jiti's usage of md5 in cache entry paths and a false-positive in that tooling.. We cannot easily change the default hash but we can introduce an option for jiti to switch (possibly auto detecting env), Can you please prepare a reproducable docker file I can test locally? |
Thanks for your response @pi0. It's not exactly a false positive, it's just that MD5 is not installed at all (or at least isn't made available) in order to be FIPS compliant due to it being deprecated. If the hash is only used for cache purposes, I'm still confused why the SHA256 digest can't be used in the same way 🤔 I'll try to get a reproducable Dockerfile made available ASAP. |
Mainly legacy decisions in jiti and if we change it will cause stall caches for lots of files for lots of users which makes chage tricky. If we can auto detect that env, we can smartly switch though. |
@denver-HJS I still can't reproduce since can't have access to a node-fips image with 18,20 version. |
Just commenting to say that I too am running into this issue while trying to use Docusaurus (which uses jiti) in Chainguard's node-fips image. But I understand that it's hard to reproduce and begin to address (or even determine if it should be addressed) given the lack of publicly available FIPS image |
Environment
NodeJs version: v22.11.0
jiti@latest
Reproduction
(please see bug details referring to the FIPS compliant image described)
Describe the bug
I have a requirement to build my application in a FIPS compliant container, and currently that is not possible due to the use of the deprecated md5 crypto algorithm. Since, from what I can tell, this is used only for creating version hashes, I believe it'd be benign to switch to a more modern algorithm.
Container base image: Chainguard's node-fips image built with Node v22 (see here) which ships with the OpenSSL FIPS provider.
Step: 1:
Create a Dockerfile that pulls the Chainguard node-fips image, copies this project's source files into the image, and runs the test command
Step 2: Run the docker build . command
That results in an error that looks like this:
Error output
Additional context
I attempted to open a PR to change the utility to use the
sha256
algorithm, but I do not appear to have permissions to create a branch. I think this would be pretty simple to change themd5
function tosha256
and use that argument in the NodecreateHash
function.Logs
No response
The text was updated successfully, but these errors were encountered: