Replies: 1 comment 1 reply
-
|
What's the likelihood that a SHA-1 collision is possible such that both inputs are valid javascript code at all, let alone both being malicious code? |
Beta Was this translation helpful? Give feedback.
1 reply
-
|
I am not a security expert but it seems possible, costly in time and computation. Some researcher have done it with a PDF in 2017, shouldn't be that different to do it on JS or tarball. Source: https://github.blog/2017-03-20-sha-1-collision-detection-on-github-com/ |
Beta Was this translation helpful? Give feedback.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
Knowing that SHA-1 is weak, what would prevent someone to hack into npm registry then craft a colliding file with bad code? Is it on the roadmap to replace in the near future packages published with npm < v5 and sha1 integrity with sha512?
Beta Was this translation helpful? Give feedback.
All reactions