You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I verified that the issue exists in the latest pnpm release
pnpm version
9.1.0
Which area(s) of pnpm are affected? (leave empty if unsure)
CLI
Link to the code that reproduces this issue or a replay of the bug
No response
Reproduction steps
Run pnpm i running on a version of nodejs with a FIPS compliant openssl
Describe the Bug
For some reason after upgrading to 9.1.0 a piece of code is being executed in the pnpm stack that creates an md5 hash using the node crypto library. For users running with FIPS compliant nodejs builds, MD5 is not an allowed hashing algorithm. FIPS allows SHA-2 or SHA-3 algorithms as they are significantly more secure than MD5. If this part of the code is simply wanting to create a hash for comparison sake, it could be done in CRC64 (faster, doesn't need openssl) or SHA-256/512 if performance is not as important.
Stack trace:
ERR_OSSL_EVP_UNSUPPORTED error:0308010C:digital envelope routines::unsupported
pnpm: error:0308010C:digital envelope routines::unsupported
at new Hash (node:internal/crypto/hash:68:19)
at Object.createHash (node:crypto:138:10)
at createBase32Hash (/home/node/.cache/node/corepack/v1/pnpm/9.1.0/dist/pnpm.cjs:10261:58)
at depPathToFilename (/home/node/.cache/node/corepack/v1/pnpm/9.1.0/dist/pnpm.cjs:113025:113)
at prune (/home/node/.cache/node/corepack/v1/pnpm/9.1.0/dist/pnpm.cjs:140689:68)
at async headlessInstall (/home/node/.cache/node/corepack/v1/pnpm/9.1.0/dist/pnpm.cjs:173344:35)
at async _install (/home/node/.cache/node/corepack/v1/pnpm/9.1.0/dist/pnpm.cjs:181173:33)
at async mutateModules (/home/node/.cache/node/corepack/v1/pnpm/9.1.0/dist/pnpm.cjs:181038:23)
at async recursive (/home/node/.cache/node/corepack/v1/pnpm/9.1.0/dist/pnpm.cjs:182587:50)
at async installDeps (/home/node/.cache/node/corepack/v1/pnpm/9.1.0/dist/pnpm.cjs:182890:11)
Verify latest release
pnpm version
9.1.0
Which area(s) of pnpm are affected? (leave empty if unsure)
CLI
Link to the code that reproduces this issue or a replay of the bug
No response
Reproduction steps
Run
pnpm i
running on a version of nodejs with a FIPS compliant opensslDescribe the Bug
For some reason after upgrading to 9.1.0 a piece of code is being executed in the pnpm stack that creates an md5 hash using the node crypto library. For users running with FIPS compliant nodejs builds, MD5 is not an allowed hashing algorithm. FIPS allows SHA-2 or SHA-3 algorithms as they are significantly more secure than MD5. If this part of the code is simply wanting to create a hash for comparison sake, it could be done in CRC64 (faster, doesn't need openssl) or SHA-256/512 if performance is not as important.
Stack trace:
Line of code causing issue:
pnpm/packages/crypto.base32-hash/src/index.ts
Line 6 in fd6cd27
Expected Behavior
PNPM can be used on FIPS compliant nodejs/openssl builds.
Which Node.js version are you using?
21.7.3
Which operating systems have you used?
If your OS is a Linux based, which one it is? (Include the version if relevant)
custom
The text was updated successfully, but these errors were encountered: