
Since the md2, md5 and sha1 hashing mechanisms are deprecated for iOS 13 and are not considered safe, why are we having it in integrity in dependencies in the yarn.lock file?

```
"@types/redux-thunk@^2.1.0":
  version "2.1.0"
  resolved "https://registry.yarnpkg.com/@types/redux-thunk/-/redux-thunk-2.1.0........"
  integrity sha1-vCtulylhgxr7gq.......
  dependencies:
    redux-thunk "*"
```

Is it safe to use for development?

  • As an aside, depending on the version of `redux-thunk` you're running, you shouldn't need that package – it's [deprecated](https://www.npmjs.com/package/@types/redux-thunk) – AKX Mar 09 '22 at 12:54

1 Answer


> Why are we having [SHA1] in integrity in dependencies in yarn.lock file.

Because not all packages have sha512 integrity hashes available. New(er) packages do, older packages might not.

> Is it safe to use for development?

Yes, I'd say so. I think it's very, very unlikely that anyone could concoct a malicious package file that would both be a valid package and have a SHA1 hash collision with the original.

AKX
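The answer above notes that older packages may only carry a SHA-1 integrity value. As an added example (not part of the original post and not Yarn's own code), this Node.js script lists which entries of a v1-format yarn.lock rely on a weak or missing integrity hash; the `sha256` threshold, the status names and the sample lockfile are assumptions made for the illustration.

```javascript
// Digest size in bytes per algorithm, ordered weakest to strongest.
const DIGEST_BYTES = { md5: 16, sha1: 20, sha256: 32, sha384: 48, sha512: 64 };
const ORDER = Object.keys(DIGEST_BYTES);
const MIN_ALGO = 'sha256'; // assumption: policy threshold chosen for this example

// Collect each top-level entry key and its integrity field, if present.
function parseLock(text) {
  const entries = [];
  for (const line of text.split(/\r?\n/)) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!/^\s/.test(line) && line.endsWith(':')) {
      entries.push({ key: line.slice(0, -1).replace(/"/g, ''), integrity: null });
    } else if (entries.length) {
      const m = /^  integrity\s+(.+)$/.exec(line);
      if (m) entries[entries.length - 1].integrity = m[1].trim();
    }
  }
  return entries;
}

// An integrity value may hold several "algo-base64" tokens; keep the strongest.
function strongest(integrity) {
  let best = null;
  for (const token of (integrity || '').split(/\s+/)) {
    const m = /^([a-z0-9]+)-([A-Za-z0-9+/]+=*)$/.exec(token);
    if (!m || !ORDER.includes(m[1])) continue;
    const okLen = Buffer.from(m[2], 'base64').length === DIGEST_BYTES[m[1]];
    if (!best || ORDER.indexOf(m[1]) > ORDER.indexOf(best.algo)) best = { algo: m[1], okLen };
  }
  return best;
}

function auditLock(text) {
  return parseLock(text).map(({ key, integrity }) => {
    const s = strongest(integrity);
    let status = 'ok';
    if (!s) status = 'missing';
    else if (!s.okLen) status = 'malformed';
    else if (ORDER.indexOf(s.algo) < ORDER.indexOf(MIN_ALGO)) status = 'weak';
    return { key, algo: s ? s.algo : null, status };
  });
}

// Constructed sample: package names and digests are filler, not real hashes.
const b64 = (n) => Buffer.alloc(n, 7).toString('base64');
const SAMPLE = ['"@types/example-old@^2.1.0":', '  version "2.1.0"',
  `  integrity sha1-${b64(20)}`, '  dependencies:', '    example-dep "*"', '',
  'example-new@^1.0.0:', `  integrity sha512-${b64(64)} sha1-${b64(20)}`].join('\n');
console.log(auditLock(SAMPLE));
```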