diff --git a/tools/gyp/CHANGELOG.md b/tools/gyp/CHANGELOG.md
index 31f4d258746885..9a1468544752c1 100644
--- a/tools/gyp/CHANGELOG.md
+++ b/tools/gyp/CHANGELOG.md
@@ -1,5 +1,12 @@
 # Changelog
+## [0.21.1](https://github.com/nodejs/gyp-next/compare/v0.21.0...v0.21.1) (2026-01-24)
+
+
+### Bug Fixes
+
+* replace weak hash functions with SHA-256 ([#329](https://github.com/nodejs/gyp-next/issues/329)) ([958029e](https://github.com/nodejs/gyp-next/commit/958029e6e4969a871d15e78cd083bb102bebb381))
+
 ## [0.21.0](https://github.com/nodejs/gyp-next/compare/v0.20.5...v0.21.0) (2025-11-04)
diff --git a/tools/gyp/pylib/gyp/MSVSNew.py b/tools/gyp/pylib/gyp/MSVSNew.py
index f8e4993d94cdfb..9149f404a5ade1 100644
--- a/tools/gyp/pylib/gyp/MSVSNew.py
+++ b/tools/gyp/pylib/gyp/MSVSNew.py
@@ -34,7 +34,7 @@ def MakeGuid(name, seed="msvs_new"):
 Args:
 name: Target name.
- seed: Seed for MD5 hash.
+ seed: Seed for SHA-256 hash.
 Returns:
 A GUID-line string calculated from the name and seed.
@@ -44,8 +44,8 @@ def MakeGuid(name, seed="msvs_new"):
 determine the GUID to refer to explicitly. It also means that the GUID will
 not change when the project for a target is rebuilt.
 """
- # Calculate a MD5 signature for the seed and name.
- d = hashlib.md5((str(seed) + str(name)).encode("utf-8")).hexdigest().upper()
+ # Calculate a SHA-256 signature for the seed and name.
+ d = hashlib.sha256((str(seed) + str(name)).encode("utf-8")).hexdigest().upper()
 # Convert most of the signature to GUID form (discard the rest)
 guid = (
 "{"
diff --git a/tools/gyp/pylib/gyp/generator/make.py b/tools/gyp/pylib/gyp/generator/make.py
index 5f30f39fc503e5..16b6f4e80b119a 100644
--- a/tools/gyp/pylib/gyp/generator/make.py
+++ b/tools/gyp/pylib/gyp/generator/make.py
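Review bot: Switching the digest in `MakeGuid` (MSVSNew.py, second hunk) changes every GUID the function produces, so the docstring's statement that the GUID "will not change when the project for a target is rebuilt" now holds only within one gyp version; anything that stored or hard-codes a previously generated GUID will stop matching after the upgrade. The same identifier churn applies to `cmddigest` in make.py, `unique_name` and `hash_for_rules` in ninja.py, and the default `seed_hash` in xcodeproj_file.py. As far as these hunks show, none of the digests protects integrity or authenticity, so I would record that next to the call, e.g. `# Not a security boundary: the digest is only a stable identifier; changing the algorithm changes every generated GUID.` The GUID assembly that consumes `d` continues past the end of the hunk.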
@@ -2169,7 +2169,7 @@ def WriteMakeRule(
 # - The multi-output rule will have an do-nothing recipe.
 # Hash the target name to avoid generating overlong filenames.
- cmddigest = hashlib.sha1(
+ cmddigest = hashlib.sha256(
 (command or self.target).encode("utf-8")
 ).hexdigest()
 intermediate = "%s.intermediate" % cmddigest
diff --git a/tools/gyp/pylib/gyp/generator/ninja.py b/tools/gyp/pylib/gyp/generator/ninja.py
index bc9ddd26545e9d..4eac6cdb2707d7 100644
--- a/tools/gyp/pylib/gyp/generator/ninja.py
+++ b/tools/gyp/pylib/gyp/generator/ninja.py
@@ -809,9 +809,8 @@ def cygwin_munge(path):
 outputs = [self.GypPathToNinja(o, env) for o in outputs]
 if self.flavor == "win":
 # WriteNewNinjaRule uses unique_name to create a rsp file on win.
- extra_bindings.append(
- ("unique_name", hashlib.md5(outputs[0]).hexdigest())
- )
+ unique_name = hashlib.sha256(outputs[0].encode("utf-8")).hexdigest()
+ extra_bindings.append(("unique_name", unique_name))
 self.ninja.build(
 outputs,
@@ -2803,7 +2802,7 @@ def GenerateOutputForConfig(target_list, target_dicts, data, params, config_name
 build_file, name, toolset
 )
 qualified_target_for_hash = qualified_target_for_hash.encode("utf-8")
- hash_for_rules = hashlib.md5(qualified_target_for_hash).hexdigest()
+ hash_for_rules = hashlib.sha256(qualified_target_for_hash).hexdigest()
 base_path = os.path.dirname(build_file)
 obj = "obj"
diff --git a/tools/gyp/pylib/gyp/xcodeproj_file.py b/tools/gyp/pylib/gyp/xcodeproj_file.py
index cb467470d3044b..2004518dcbce91 100644
--- a/tools/gyp/pylib/gyp/xcodeproj_file.py
+++ b/tools/gyp/pylib/gyp/xcodeproj_file.py
@@ -429,7 +429,7 @@ def _HashUpdate(hash, data):
 hash.update(data)
 if seed_hash is None:
- seed_hash = hashlib.sha1()
+ seed_hash = hashlib.sha256()
 hash = seed_hash.copy()
diff --git a/tools/gyp/pyproject.toml b/tools/gyp/pyproject.toml
index cd4f0383fd37c7..fa30c8cf96da6f 100644
--- a/tools/gyp/pyproject.toml
+++ b/tools/gyp/pyproject.toml
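Review bot: The comment above `cmddigest` in WriteMakeRule (make.py) says the hash exists to avoid overlong filenames, yet a SHA-256 hex digest is 64 characters where SHA-1 gave 40, so every `.intermediate` name grows by 24 characters. The same growth affects `unique_name` in the first ninja.py hunk, which the comment there says is used to create an rsp file on Windows, where path-length limits tend to be tighter. These names presumably need uniqueness rather than resistance to a deliberate collision, so a truncated digest would do, e.g. `).hexdigest()[:40]`, with a comment stating that the length is deliberate. WriteMakeRule's body extends beyond the hunk on both sides.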
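Review bot: Only the default is changed in the xcodeproj_file.py hunk: the `if seed_hash is None:` guard means a caller that passes its own `seed_hash` keeps whatever algorithm it constructed, so a SHA-1 object created elsewhere would still flow through `seed_hash.copy()` unchanged. The digest also grows from 20 to 32 bytes, and the code that turns `hash` into an ID lies outside this hunk, so it is worth confirming that it does not assume the old length. A comment such as `# Default seed only; callers may pass any hashlib object, so IDs depend on the caller's choice.` would make that contract explicit.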
@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 [project]
 name = "gyp-next"
-version = "0.21.0"
+version = "0.21.1"
 authors = [
 { name="Node.js contributors", email="ryzokuken@disroot.org" },
 ]