
compatibility with node-fips #340

Open
denver-HJS opened this issue Nov 22, 2024 · 10 comments · May be fixed by #375

Comments

@denver-HJS

Environment

NodeJs version: v22.11.0

jiti@latest

Reproduction

(please see bug details referring to the FIPS compliant image described)

Describe the bug

I have a requirement to build my application in a FIPS compliant container, and currently that is not possible due to the use of the deprecated md5 crypto algorithm. Since, from what I can tell, this is used only for creating version hashes, I believe it'd be benign to switch to a more modern algorithm.

Container base image: Chainguard's node-fips image built with Node v22 (see here) which ships with the OpenSSL FIPS provider.

Step 1:
Create a Dockerfile that pulls the Chainguard node-fips image, copies this project's source files into the image, and runs the test command
Step 2: Run the docker build . command

That results in an error that looks like this:

Error output
74.45 Error: error:0308010C:digital envelope routines::unsupported
74.45     at new Hash (node:internal/crypto/hash:79:19)
74.45     at createHash (node:crypto:139:10)
74.45     at md5 (/app/node_modules/jiti/dist/jiti.js:1:247005)
74.45     at opts.transform.Object.assign.Object.assign.Object.assign.legacy (/app/node_modules/jiti/dist/jiti.js:1:251648)
74.45     at transform (/app/node_modules/jiti/dist/jiti.js:1:252178)
74.45     at evalModule (/app/node_modules/jiti/dist/jiti.js:1:255358)
74.45     at jiti (/app/node_modules/jiti/dist/jiti.js:1:254371)
74.45     at /app/node_modules/tailwindcss/lib/lib/load-config.js:52:30
74.45     at loadConfig (/app/node_modules/tailwindcss/lib/lib/load-config.js:54:6)
74.45     at getTailwindConfig (/app/node_modules/tailwindcss/lib/lib/setupTrackingContext.js:71:116)
74.45     at tryRunOrWebpackError (/app/node_modules/next/dist/compiled/webpack/bundle5.js:28:312989)
74.45     at __webpack_require_module__ (/app/node_modules/next/dist/compiled/webpack/bundle5.js:28:131165)
74.45     at __nested_webpack_require_153728__ (/app/node_modules/next/dist/compiled/webpack/bundle5.js:28:130607)
74.45     at /app/node_modules/next/dist/compiled/webpack/bundle5.js:28:131454
74.45     at symbolIterator (/app/node_modules/next/dist/compiled/neo-async/async.js:1:14444)
74.45     at done (/app/node_modules/next/dist/compiled/neo-async/async.js:1:14824)
74.45     at Hook.eval [as callAsync] (eval at create (/app/node_modules/next/dist/compiled/webpack/bundle5.js:13:28858), <anonymous>:15:1)
74.45     at /app/node_modules/next/dist/compiled/webpack/bundle5.js:28:130328
74.45     at symbolIterator (/app/node_modules/next/dist/compiled/neo-async/async.js:1:14402)
74.45     at timesSync (/app/node_modules/next/dist/compiled/neo-async/async.js:1:5027)

Additional context

I attempted to open a PR to change the utility to use the sha256 algorithm, but I do not appear to have permissions to create a branch. I think it would be pretty simple to change the md5 function to sha256 and use that argument in the Node createHash function.

Logs

No response

@denver-HJS denver-HJS added the bug Something isn't working label Nov 22, 2024
@denver-HJS denver-HJS changed the title Library is not FIPS compliant Library is not FIPS 140 compliant Nov 22, 2024
@pi0 pi0 removed the bug Something isn't working label Nov 26, 2024
@pi0 pi0 changed the title Library is not FIPS 140 compliant using md5 is not FIPS 140 compliant (for cache paths) Nov 26, 2024
@pi0
Member

pi0 commented Nov 26, 2024

It is not a security matter for jiti's usage of md5 in cache entry paths and a false positive in that tooling.

We cannot easily change the default hash, but we can introduce an option for jiti to switch (possibly auto-detecting the env).

Can you please prepare a reproducible Dockerfile I can test locally?

@denver-HJS
Author

denver-HJS commented Nov 27, 2024

Thanks for your response @pi0. It's not exactly a false positive, it's just that MD5 is not installed at all (or at least isn't made available) in order to be FIPS compliant due to it being deprecated.

If the hash is only used for cache purposes, I'm still confused why the SHA256 digest can't be used in the same way 🤔

I'll try to get a reproducible Dockerfile made available ASAP.

@pi0
Member

pi0 commented Nov 27, 2024

Mainly legacy decisions in jiti, and if we change it, it will cause stale caches for lots of files for lots of users, which makes the change tricky.

If we can auto detect that env, we can smartly switch though.

@pi0
Member

pi0 commented Nov 29, 2024

@denver-HJS I still can't reproduce since I can't get access to a node-fips image with version 18 or 20.

@pi0 pi0 changed the title using md5 is not FIPS 140 compliant (for cache paths) compatibility with node-fips Nov 29, 2024
@tuckergordon

Just commenting to say that I too am running into this issue while trying to use Docusaurus (which uses jiti) in Chainguard's node-fips image. But I understand that it's hard to reproduce and begin to address (or even determine if it should be addressed) given the lack of publicly available FIPS images.

@tuckergordon

Worth noting that even pnpm install will fail inside the chainguard FIPS container because pnpm 9.x (which this project uses) isn't FIPS compliant: pnpm/pnpm#8070

However it seems like that is fixed in the newly-released pnpm v10: https://en.kelen.cc/share/pnpm-v10-update-highlights

Not actually a solution to the issue, but I figured it was worth mentioning since I ran into it while trying to run this down / come up with a workaround.

@pi0
Member

pi0 commented Jan 24, 2025

Can't progress on this without access to a runnable image.

If you can provide a one-liner snippet that can stably detect FIPS builds (maybe process.versions can have some hints), I can move it forward.

@tuckergordon

Found a public FIPS image that I was able to reproduce the issue with. Here's a simple Dockerfile:

FROM filigran/python-nodejs-fips:latest
RUN mkdir /app
WORKDIR /app
RUN npm install jiti
RUN touch foo.ts
RUN echo "import { createJiti } from 'jiti'; createJiti(import.meta.url).import('./foo.ts');" > script.mjs
RUN node --enable-fips script.mjs

Which produces this error on build:

#10 [7/7] RUN node --enable-fips script.mjs
#10 0.849 node:internal/crypto/hash:68
#10 0.849   this[kHandle] = new _Hash(algorithm, xofLen);
#10 0.849                   ^
#10 0.849 
#10 0.849 Error: error:0308010C:digital envelope routines::unsupported
#10 0.849     at new Hash (node:internal/crypto/hash:68:19)
#10 0.849     at createHash (node:crypto:138:10)
#10 0.849     at md5 (/app/node_modules/jiti/dist/jiti.cjs:1:184484)
#10 0.849     at getCache (/app/node_modules/jiti/dist/jiti.cjs:1:190693)
#10 0.849     at transform (/app/node_modules/jiti/dist/jiti.cjs:1:192685)
#10 0.849     at eval_evalModule (/app/node_modules/jiti/dist/jiti.cjs:1:194014)
#10 0.849     at jitiRequire (/app/node_modules/jiti/dist/jiti.cjs:1:190233)
#10 0.849     at Function.import (/app/node_modules/jiti/dist/jiti.cjs:1:199778)
#10 0.849     at file:///app/script.mjs:1:70
#10 0.849     at ModuleJob.run (node:internal/modules/esm/module_job:218:25) {
#10 0.849   opensslErrorStack: [ 'error:03000086:digital envelope routines::initialization error' ],
#10 0.849   library: 'digital envelope routines',
#10 0.849   reason: 'unsupported',
#10 0.849   code: 'ERR_OSSL_EVP_UNSUPPORTED'
#10 0.849 }
#10 0.849 
#10 0.849 Node.js v20.11.1
#10 ERROR: process "/bin/sh -c node --enable-fips script.mjs" did not complete successfully: exit code: 1

Then I changed createHash("md5") to createHash("sha256") and built/packed jiti and it ran successfully:

FROM filigran/python-nodejs-fips:latest
RUN mkdir /app
WORKDIR /app
COPY ./jiti-2.4.2.tgz /app
RUN npm install ./jiti-2.4.2.tgz
RUN touch foo.ts
RUN echo "import { createJiti } from 'jiti'; createJiti(import.meta.url).import('./foo.ts');" > script.mjs
RUN node --enable-fips script.mjs

@bendudz

bendudz commented Mar 20, 2025

It is not a security matter for jiti's usage of md5 in cache entry paths and a false positive in that tooling.

It’s a shame Node’s crypto lib doesn’t have the same "used for security" mechanism as Python.

Would it be possible to leave the default as md5 but open up an interface to allow any valid hash algo to be passed in?

@pi0
Member

pi0 commented Mar 20, 2025

We can make jiti auto-switch to a different hash. I still have to try the image @tuckergordon shared, but if anyone is interested in moving it forward, it should be a straightforward change here.

@kricsleo kricsleo linked a pull request Apr 17, 2025 that will close this issue