Use of sha1 and md5 in integrity of package in yarn.lock

The md2, md5 and sha1 hashing mechanisms are deprecated for iOS 13 and are not considered safe.

Why are we having it in the integrity field of dependencies in the yarn.lock file?

"@types/redux-thunk@^2.1.0":
  version "2.1.0"
  resolved "https://registry.yarnpkg.com/@types/redux-thunk/-/redux-thunk-2.1.0........"
  integrity sha1-vCtulylhgxr7gq.......
  dependencies:
    redux-thunk "*"

Is it safe to use for development?

Solution 1:[1]

Why are we having [SHA1] in integrity in dependencies in yarn.lock file?

Because not all packages have sha512 integrity hashes available. New(er) packages do, older packages might not.

Is it safe to use for development?

Yes, I'd say so. I think it's very, very unlikely that anyone could concoct a malicious package file that would both be a valid package and have a SHA1 hash collision with the original.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 AKX