Replies: 1 comment 1 reply
-
|
What's the likelihood that a SHA-1 collision is possible such that both inputs are valid javascript code at all, let alone both being malicious code? |
Beta Was this translation helpful? Give feedback.
1 reply
-
|
I am not a security expert but it seems possible, costly in time and computation. Some researcher have done it with a PDF in 2017, shouldn't be that different to do it on JS or tarball. Source: https://github.blog/2017-03-20-sha-1-collision-detection-on-github-com/ |
Beta Was this translation helpful? Give feedback.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
Knowing that SHA-1 is weak, what would prevent someone to hack into npm registry then craft a colliding file with bad code? Is it on the roadmap to replace in the near future packages published with npm < v5 and sha1 integrity with sha512?
Beta Was this translation helpful? Give feedback.
All reactions