compatibility with node-fips

[denver-HJS]

Environment

NodeJs version: v22.11.0

jiti@latest

Reproduction

(please see bug details referring to the FIPS compliant image described)

Describe the bug

I have a requirement to build my application in a FIPS compliant container, and currently that is not possible due to the use of the deprecated md5 crypto algorithm. Since, from what I can tell, this is used only for creating version hashes, I believe it'd be benign to switch to a more modern algorithm.

Container base image: Chainguard's node-fips image built with Node v22 (see here) which ships with the OpenSSL FIPS provider.

Step: 1:
Create a Dockerfile that pulls the Chainguard node-fips image, copies this project's source files into the image, and runs the test command
Step 2: Run the docker build . command

That results in an error that looks like this:

Error output

74.45 Error: error:0308010C:digital envelope routines::unsupported
74.45     at new Hash (node:internal/crypto/hash:79:19)
74.45     at createHash (node:crypto:139:10)
74.45     at md5 (/app/node_modules/jiti/dist/jiti.js:1:247005)
74.45     at opts.transform.Object.assign.Object.assign.Object.assign.legacy (/app/node_modules/jiti/dist/jiti.js:1:251648)
74.45     at transform (/app/node_modules/jiti/dist/jiti.js:1:252178)
74.45     at evalModule (/app/node_modules/jiti/dist/jiti.js:1:255358)
74.45     at jiti (/app/node_modules/jiti/dist/jiti.js:1:254371)
74.45     at /app/node_modules/tailwindcss/lib/lib/load-config.js:52:30
74.45     at loadConfig (/app/node_modules/tailwindcss/lib/lib/load-config.js:54:6)
74.45     at getTailwindConfig (/app/node_modules/tailwindcss/lib/lib/setupTrackingContext.js:71:116)
74.45     at tryRunOrWebpackError (/app/node_modules/next/dist/compiled/webpack/bundle5.js:28:312989)
74.45     at __webpack_require_module__ (/app/node_modules/next/dist/compiled/webpack/bundle5.js:28:131165)
74.45     at __nested_webpack_require_153728__ (/app/node_modules/next/dist/compiled/webpack/bundle5.js:28:130607)
74.45     at /app/node_modules/next/dist/compiled/webpack/bundle5.js:28:131454
74.45     at symbolIterator (/app/node_modules/next/dist/compiled/neo-async/async.js:1:14444)
74.45     at done (/app/node_modules/next/dist/compiled/neo-async/async.js:1:14824)
74.45     at Hook.eval [as callAsync] (eval at create (/app/node_modules/next/dist/compiled/webpack/bundle5.js:13:28858), <anonymous>:15:1)
74.45     at /app/node_modules/next/dist/compiled/webpack/bundle5.js:28:130328
74.45     at symbolIterator (/app/node_modules/next/dist/compiled/neo-async/async.js:1:14402)
74.45     at timesSync (/app/node_modules/next/dist/compiled/neo-async/async.js:1:5027)

Additional context

I attempted to open a PR to change the utility to use the sha256 algorithm, but I do not appear to have permissions to create a branch. I think this would be pretty simple to change the md5 function to sha256 and use that argument in the Node createHash function.

Logs

No response

[pi0]

It is not a security matter for jiti's usage of md5 in cache entry paths and a false-positive in that tooling..

We cannot easily change the default hash but we can introduce an option for jiti to switch (possibly auto detecting env),

Can you please prepare a reproducable docker file I can test locally?

[denver-HJS]

Thanks for your response @pi0. It's not exactly a false positive, it's just that MD5 is not installed at all (or at least isn't made available) in order to be FIPS compliant due to it being deprecated.

If the hash is only used for cache purposes, I'm still confused why the SHA256 digest can't be used in the same way 🤔

I'll try to get a reproducable Dockerfile made available ASAP.

[pi0]

Mainly legacy decisions in jiti and if we change it will cause stall caches for lots of files for lots of users which makes chage tricky.

If we can auto detect that env, we can smartly switch though.

[pi0]

@denver-HJS I still can't reproduce since can't have access to a node-fips image with 18,20 version.