fix(compiler-cli): change default ngcc hash algorithm to be FIPS compliant (#42582)
The previous default algorithm was `md5`, which is not compliant with FIPS. The default is now set to `sha256`, which is compliant. Fixes #42577 PR Close #42582
This commit is contained in:
parent
b8ef83b10f
commit
874de59d35
|
@ -28,7 +28,7 @@ export interface NgccProjectConfig<T = RawNgccPackageConfig> {
|
|||
/**
|
||||
* Name of hash algorithm used to generate hashes of the configuration.
|
||||
*
|
||||
* Defaults to `md5`.
|
||||
* Defaults to `sha256`.
|
||||
*/
|
||||
hashAlgorithm?: string;
|
||||
}
|
||||
|
@ -308,7 +308,7 @@ export class NgccConfiguration {
|
|||
|
||||
private processProjectConfig(projectConfig: NgccProjectConfig): PartiallyProcessedConfig {
|
||||
const processedConfig:
|
||||
PartiallyProcessedConfig = {packages: {}, locking: {}, hashAlgorithm: 'md5'};
|
||||
PartiallyProcessedConfig = {packages: {}, locking: {}, hashAlgorithm: 'sha256'};
|
||||
|
||||
// locking configuration
|
||||
if (projectConfig.locking !== undefined) {
|
||||
|
|
|
@ -48,9 +48,9 @@ runInEachFileSystem(() => {
|
|||
}]);
|
||||
const project1Conf = new NgccConfiguration(fs, project1);
|
||||
const expectedProject1Config =
|
||||
`{"packages":{"package-1":[{"entryPoints":{"./entry-point-1":{}},"versionRange":"*"}]},"locking":{},"hashAlgorithm":"md5"}`;
|
||||
`{"packages":{"package-1":[{"entryPoints":{"./entry-point-1":{}},"versionRange":"*"}]},"locking":{},"hashAlgorithm":"sha256"}`;
|
||||
expect(project1Conf.hash)
|
||||
.toEqual(createHash('md5').update(expectedProject1Config).digest('hex'));
|
||||
.toEqual(createHash('sha256').update(expectedProject1Config).digest('hex'));
|
||||
|
||||
const project2 = _Abs('/project-2');
|
||||
const project2Config = fs.resolve(project2, 'ngcc.config.js');
|
||||
|
@ -66,18 +66,19 @@ runInEachFileSystem(() => {
|
|||
}]);
|
||||
const project2Conf = new NgccConfiguration(fs, project2);
|
||||
const expectedProject2Config =
|
||||
`{"packages":{"package-1":[{"entryPoints":{"./entry-point-1":{"ignore":true}},"versionRange":"*"}]},"locking":{},"hashAlgorithm":"md5"}`;
|
||||
`{"packages":{"package-1":[{"entryPoints":{"./entry-point-1":{"ignore":true}},"versionRange":"*"}]},"locking":{},"hashAlgorithm":"sha256"}`;
|
||||
expect(project2Conf.hash)
|
||||
.toEqual(createHash('md5').update(expectedProject2Config).digest('hex'));
|
||||
.toEqual(createHash('sha256').update(expectedProject2Config).digest('hex'));
|
||||
});
|
||||
|
||||
it('should compute a hash even if there is no project configuration', () => {
|
||||
loadTestFiles([{name: _Abs('/project-1/empty.js'), contents: ``}]);
|
||||
const configuration = new NgccConfiguration(fs, _Abs('/project-1'));
|
||||
expect(configuration.hash)
|
||||
.toEqual(createHash('md5')
|
||||
.update(JSON.stringify({packages: {}, locking: {}, hashAlgorithm: 'md5'}))
|
||||
.digest('hex'));
|
||||
.toEqual(
|
||||
createHash('sha256')
|
||||
.update(JSON.stringify({packages: {}, locking: {}, hashAlgorithm: 'sha256'}))
|
||||
.digest('hex'));
|
||||
});
|
||||
|
||||
it('should use a custom hash algorithm if specified in the config', () => {
|
||||
|
@ -91,15 +92,15 @@ runInEachFileSystem(() => {
|
|||
packages: {
|
||||
'package-1': {entryPoints: {'./entry-point-1': {}}},
|
||||
},
|
||||
hashAlgorithm: 'sha256',
|
||||
hashAlgorithm: 'md5',
|
||||
};`
|
||||
}]);
|
||||
const project1Conf = new NgccConfiguration(fs, project1);
|
||||
const expectedProject1Config =
|
||||
`{"packages":{"package-1":[{"entryPoints":{"./entry-point-1":{}},"versionRange":"*"}]},"locking":{},"hashAlgorithm":"sha256"}`;
|
||||
`{"packages":{"package-1":[{"entryPoints":{"./entry-point-1":{}},"versionRange":"*"}]},"locking":{},"hashAlgorithm":"md5"}`;
|
||||
expect(JSON.stringify((project1Conf as any).projectConfig)).toEqual(expectedProject1Config);
|
||||
expect(project1Conf.hash)
|
||||
.toEqual(createHash('sha256').update(expectedProject1Config).digest('hex'));
|
||||
.toEqual(createHash('md5').update(expectedProject1Config).digest('hex'));
|
||||
});
|
||||
});
|
||||
|
||||
|
|
|
@ -40,7 +40,7 @@ runInEachFileSystem(() => {
|
|||
beforeEach(() => {
|
||||
manifestFile = {
|
||||
ngccVersion: NGCC_VERSION,
|
||||
lockFileHash: createHash('md5').update('LOCK FILE CONTENTS').digest('hex'),
|
||||
lockFileHash: createHash('sha256').update('LOCK FILE CONTENTS').digest('hex'),
|
||||
configFileHash: config.hash,
|
||||
entryPointPaths: []
|
||||
};
|
||||
|
@ -278,7 +278,7 @@ runInEachFileSystem(() => {
|
|||
JSON.parse(fs.readFile(_Abs('/project/node_modules/__ngcc_entry_points__.json'))) as
|
||||
EntryPointManifestFile;
|
||||
expect(file.lockFileHash)
|
||||
.toEqual(createHash('md5').update('LOCK FILE CONTENTS').digest('hex'));
|
||||
.toEqual(createHash('sha256').update('LOCK FILE CONTENTS').digest('hex'));
|
||||
});
|
||||
|
||||
it('should write a hash of the package-lock.json file', () => {
|
||||
|
@ -288,7 +288,7 @@ runInEachFileSystem(() => {
|
|||
JSON.parse(fs.readFile(_Abs('/project/node_modules/__ngcc_entry_points__.json'))) as
|
||||
EntryPointManifestFile;
|
||||
expect(file.lockFileHash)
|
||||
.toEqual(createHash('md5').update('LOCK FILE CONTENTS').digest('hex'));
|
||||
.toEqual(createHash('sha256').update('LOCK FILE CONTENTS').digest('hex'));
|
||||
});
|
||||
|
||||
it('should write a hash of the project config', () => {
|
||||
|
|
Loading…
Reference in New Issue