Add support for md4 in Node >=18. #17628
Conversation
|
For maintainers only:
|
|
@snitin315 - There are a number of breaking changes between Webpack 4 and 5, making upgrading large and complex projects time-consuming. Webpack 4 currently has many more weekly downloads on npmjs.org than Webpack 5 does, but Webpack 4 only works with Node 16 and earlier because of the issue being addressed in this PR. Node 16 is EOL on 2023-09-11 (next Monday). |
|
@iclanton Shouldn't webpack upgrade be considered as the migration effort for your app to Node v18? You can anyway use |
|
@alexander-akait @snitin315 and myself discussed this further. Because Node 16 EOL is next week, we do not want our ~12 million webpack 4 consumers to be stuck with what will be flagged as a security vulnerability not updating Node. It would be ideal not to block them here. |
This was only needed for webpack 4 due to use of md4 hashes, support for which has been backported in webpack 4.47.0 removing need for use of the old/insecure Node crypto provider. See webpack/webpack#17628
|
Thanks so much for this @iclanton . I see you've been doing some work around the ecosystem to help with this. Is Line 28 in dfffd6a |
|
@chadlwilson I guess this PR by iclanton : #17659 is for the terser-webpack-plugin bump |
|
I totally missed that, thanks @Shubhanshu88 - I feel stupid now! |
This is a mostly straightforward upgrade. Just a few notes: - The lockfile format has changed so gets rewritten entirely. - webpack is bumped to the next dot release. This adds a workaround caused by Node switching to OpenSSL 3, which drops md4 as a hash function (webpack/webpack#17628). - node-sass did not build on the new node so had to be updated. - I've updated playwright to take advantage of its added support for installing dependencies on Debian, removing the hardcoded list of packages we had to install. There's a whole bunch of updates we could do to our NodeJS dependencies, but I've left that for a later point since they aren't urgent or necessarily trivial.
This is a mostly straightforward upgrade. Just a few notes: - The lockfile format has changed so gets rewritten entirely. - webpack is bumped to the next dot release. This adds a workaround caused by Node switching to OpenSSL 3, which drops md4 as a hash function (webpack/webpack#17628). - node-sass did not build on the new node so had to be updated. - I've updated playwright to take advantage of its added support for installing dependencies on Debian, removing the hardcoded list of packages we had to install. There's a whole bunch of updates we could do to our NodeJS dependencies, but I've left that for a later point since they aren't urgent or necessarily trivial.
yarn run build failed to run, due to following error:
ERROR in sharetribe-flex-sdk-web.js from Terser
Error: error:0308010C:digital envelope routines::unsupported
Read more here: webpack/webpack#14532
To fix the issue:
- Upgrade webpack to 4.47.0 (see: webpack/webpack#17628)
- Add `resolutions` block for terser-webpack-plugin until this PR is
merged (webpack/webpack#17659)
Summary
🤖 Generated by Copilot at 6f6ae98
This pull request adds WebAssembly-based md4 hashing for Node.js 18 or higher, and implements a BatchedHash class that improves the performance of hashing large data. It also refactors the createHash function and removes unused code from the createHash.js module. The changes involve adding new modules
lib/util/hash/BatchedHash.js,lib/util/hash/md4.js, andlib/util/hash/wasm-hash.js, and modifyinglib/util/createHash.js.Details
🤖 Generated by Copilot at 6f6ae98
createHash.jsmodule (link)createHash.jsmodule (link)createHash.jsmodule (link)BatchedHash.jsmodule (link)md4.jsmodule (link)wasm-hash.jsmodule (link)wasm-hash.jsmodule (link)wasm-hash.jsmodule and use it in BatchedHash class (link, link)