{"id":14615,"library":"hash.js","title":"Various Hash Functions (SHA1, SHA256, HMAC)","description":"hash.js is a lightweight JavaScript library providing implementations for various cryptographic hash functions, including SHA1, SHA224, SHA256, SHA512, and HMAC, designed to run consistently in both browser and Node.js environments. The current stable version is 1.1.7. This package distinguishes itself by offering pure JavaScript implementations, making it suitable for environments where native cryptographic modules are unavailable or undesirable. However, its last significant update was approximately seven years ago, meaning it is largely unmaintained. Due to its age, it does not officially support ES Modules directly and may not benefit from modern cryptographic optimizations or security reviews that more actively developed libraries or Node.js's native `crypto` module receive. Developers should exercise caution and critically evaluate its suitability for new security-sensitive applications.","status":"abandoned","version":"1.1.7","language":"javascript","source_language":"en","source_url":"ssh://git@github.com/indutny/hash.js","tags":["javascript","hash","sha256","sha224","hmac","typescript"],"install":[{"cmd":"npm install hash.js","lang":"bash","label":"npm"},{"cmd":"yarn add hash.js","lang":"bash","label":"yarn"},{"cmd":"pnpm add hash.js","lang":"bash","label":"pnpm"}],"dependencies":[{"reason":"Utility for JavaScript's prototypal inheritance model.","package":"inherits","optional":false},{"reason":"Provides the RIPEMD160 hash algorithm implementation.","package":"ripemd160","optional":false}],"imports":[{"note":"The top-level package exports an object containing constructors for various hash algorithms. In ESM, import as a namespace or use named exports if available. CommonJS uses `require()` for the module object.","wrong":"import hash from 'hash.js'; // Default import is not the primary export","symbol":"hash","correct":"import * as hash from 'hash.js'; // For ESM\nconst hash = require('hash.js'); // For CommonJS"},{"note":"Individual hash algorithms are often imported directly from their specific paths for selective use and potential tree-shaking benefits. While TypeScript types might infer a root export, direct pathing is safer for older CJS structures.","wrong":"import { sha256 } from 'hash.js'; // Not directly exported from root in older versions","symbol":"sha256","correct":"import { sha256 } from 'hash.js/lib/hash/sha/256'; // For ESM\nconst sha256 = require('hash.js/lib/hash/sha/256'); // For CommonJS"},{"note":"HMAC functionality is available either via direct named import if types support it, or by requiring its specific CommonJS module path.","wrong":"import Hmac from 'hash.js/lib/hmac'; // Not a default export","symbol":"Hmac","correct":"import { Hmac } from 'hash.js'; // For ESM with type definitions\nconst Hmac = require('hash.js/lib/hmac'); // For CommonJS"}],"quickstart":{"code":"import * as hash from 'hash.js';\nimport { sha512 } from 'hash.js/lib/hash/sha/512';\n\n// Example 1: Using the main hash.js export for SHA256\nconst dataToHash1 = 'Hello, Checklist Day!';\nconst sha256Hash = hash.sha256().update(dataToHash1).digest('hex');\nconsole.log(`SHA256 Hash of '${dataToHash1}': ${sha256Hash}`);\n\n// Example 2: Using selective import for SHA512\nconst dataToHash2 = 'Another piece of text to hash securely.';\nconst sha512Hash = sha512().update(dataToHash2).digest('hex');\nconsole.log(`SHA512 Hash of '${dataToHash2}': ${sha512Hash}`);\n\n// Example 3: Using HMAC with SHA256\nconst secretKey = 'my-super-secret-key';\nconst message = 'The quick brown fox jumps over the lazy dog';\nconst hmacSha256 = hash.hmac(hash.sha256, secretKey).update(message).digest('hex');\nconsole.log(`HMAC-SHA256 of '${message}' with key '${secretKey}': ${hmacSha256}`);\n\n// For demonstration purposes with environment variable (e.g., for API keys)\nconst apiKey = process.env.API_KEY ?? 'default-fallback-api-key';\nconst sensitiveData = `User info: ${apiKey}`;\nconst hashOfSensitiveData = hash.sha1().update(sensitiveData).digest('hex');\nconsole.log(`SHA1 Hash of sensitive data (using API_KEY): ${hashOfSensitiveData.substring(0, 20)}...`);","lang":"typescript","description":"Demonstrates how to import and use various hash functions (SHA256, SHA512, HMAC) from `hash.js`, including both main and selective module imports, in a TypeScript environment."},"warnings":[{"fix":"Migrate to Node.js built-in `crypto` module (e.g., `require('crypto').createHash('sha256')`) or a well-maintained third-party cryptographic library.","message":"This package is effectively abandoned with no new releases or active maintenance since 2017. Its cryptographic implementations may not receive updates for newly discovered vulnerabilities or performance improvements. For security-critical applications, consider actively maintained alternatives or Node.js's native `crypto` module.","severity":"breaking","affected_versions":">=1.1.0"},{"fix":"When using in an ESM project, prefer `import * as hash from 'hash.js'` for the main entry point, and `import { specificHash } from 'hash.js/lib/hash/specific/path'` for individual algorithms. Ensure your build setup correctly handles CJS interoperability.","message":"The package primarily uses CommonJS (CJS) module syntax. While modern Node.js environments can import CJS packages into ES Modules (ESM) projects, direct named imports from the root package might behave unexpectedly. Selective imports via full paths (e.g., `hash.js/lib/hash/sha/256`) are more reliable for specific algorithms.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Always prefer stronger algorithms like SHA-256 or SHA-512 for new implementations. Consult current cryptographic best practices for algorithm selection.","message":"Older hash algorithms like SHA-1, while available, are considered cryptographically weak for many modern security applications due to demonstrated vulnerabilities and collision attacks. Using them for new authentication, digital signatures, or integrity checks is strongly discouraged.","severity":"gotcha","affected_versions":">=1.0.0"}],"env_vars":null,"last_verified":"2026-04-19T00:00:00.000Z","next_check":"2026-07-18T00:00:00.000Z","problems":[{"fix":"Ensure the import is correct: `const hash = require('hash.js'); hash.sha256()...` for CJS, or `import * as hash from 'hash.js'; hash.sha256()...` for ESM. For individual algorithms, use direct path imports: `const sha256 = require('hash.js/lib/hash/sha/256'); sha256()...` or `import { sha256 } from 'hash.js/lib/hash/sha/256'; sha256()...`","cause":"Attempting to call a hash function directly on a module imported as a namespace in CommonJS when the module's structure expects it to be accessed as a property, or if the main import doesn't expose all algorithms directly in ESM.","error":"TypeError: hash.sha256 is not a function"},{"fix":"Double-check the exact path to the algorithm module. Ensure your bundler or Node.js environment is configured to correctly resolve modules from `node_modules` and sub-paths, especially in mixed CJS/ESM projects.","cause":"Incorrect file path for selective algorithm import, or module resolution issues in an unusual environment/bundler setup.","error":"Error: Cannot find module 'hash.js/lib/hash/sha/512'"}],"ecosystem":"npm"}