{"id":12015,"library":"sha.js","title":"SHA.js Hashing Library","description":"sha.js is a JavaScript library providing various Secure Hash Algorithm (SHA) implementations in pure JavaScript, primarily intended for Node.js environments but also usable in browsers via tools like Browserify. It offers implementations for SHA-0 (legacy), SHA-1 (legacy), SHA-224, SHA-256, SHA-384, and SHA-512. The package is currently at version 2.4.12, with its last publish being 9 months ago as of July 2025. While it presents a stream-like interface with `update()` and `digest()`, it's important to note it does not implement a true Node.js `stream.Writable` interface, though it allows incremental processing for large inputs without consuming excessive RAM. Its main differentiator is being a pure JavaScript implementation, making it suitable for environments where native crypto modules are unavailable or undesirable. Given its version history and the nature of cryptographic libraries, it likely follows a stable maintenance release cadence, with updates primarily for security patches or critical bug fixes rather than frequent feature additions.","status":"maintenance","version":"2.4.12","language":"javascript","source_language":"en","source_url":"git://github.com/crypto-browserify/sha.js","tags":["javascript"],"install":[{"cmd":"npm install sha.js","lang":"bash","label":"npm"},{"cmd":"yarn add sha.js","lang":"bash","label":"yarn"},{"cmd":"pnpm add sha.js","lang":"bash","label":"pnpm"}],"dependencies":[],"imports":[{"note":"This package is CommonJS-only; direct ES module imports are not supported.","wrong":"import shajs from 'sha.js'","symbol":"shajs","correct":"const shajs = require('sha.js')"},{"note":"The main export is a factory function for creating hash instances. 
Specific algorithms can also be accessed as constructors (e.g., `new shajs.sha256()`).","wrong":"const hash = new shajs('sha256');","symbol":"shajs('sha256')","correct":"const hash = shajs('sha256');"},{"note":"When accessing a specific algorithm constructor directly from the `shajs` object, the `new` keyword is required.","wrong":"const hash = shajs.sha256();","symbol":"sha256 constructor","correct":"const hash = new shajs.sha256();"}],"quickstart":{"code":"const shajs = require('sha.js');\n\n// Using the factory function style\nconsole.log('SHA-256 (factory function):');\nconst hashFactory = shajs('sha256');\nhashFactory.update('Hello, World!');\nconsole.log(hashFactory.digest('hex'));\n\n// Using the constructor style\nconsole.log('\\nSHA-512 (constructor):');\nconst hashConstructor = new shajs.sha512();\nhashConstructor.update('Hello, World!');\nconsole.log(hashConstructor.digest('hex'));\n\n// Incremental hashing with repeated update() calls (sha.js is not a true Node.js stream)\nconsole.log('\\nSHA-256 (incremental update/digest):');\nconst sha256stream = shajs('sha256');\nsha256stream.update('Part 1'); // Call update() once per chunk\nsha256stream.update(' of Part 2'); // Final chunk\nconsole.log(sha256stream.digest().toString('hex')); // digest() with no encoding returns a Buffer; convert to hex","lang":"javascript","description":"Demonstrates both the factory function and direct constructor methods for SHA hashing, including incremental updates for large data."},"warnings":[{"fix":"Migrate to stronger algorithms like SHA-256 or SHA-512 for all cryptographic operations. For existing data, consider re-hashing with secure algorithms and updating references.","message":"SHA (SHA-0) and SHA-1 algorithms are cryptographically broken and should not be used in new systems due to severe security vulnerabilities, including collision attacks. 
The package explicitly marks them as 'legacy, do not use in new systems'.","severity":"breaking","affected_versions":"all"},{"fix":"Immediately update to `sha.js` version 2.4.12 or newer. Conduct thorough security assessments of systems that may have been exposed to malicious hash manipulation attempts.","message":"A critical vulnerability (CVE-2025-9288) was discovered in `sha.js` affecting versions up to 2.4.11. This flaw allowed hash manipulation attacks due to missing input type validation, potentially leading to hash state rewinds, value miscalculation attacks (collisions), and denial-of-service. This could compromise cryptographic operations and enable unauthorized access to sensitive systems.","severity":"breaking","affected_versions":"<=2.4.11"},{"fix":"If integrating with Node.js streams, wrap `sha.js` instances in a custom `stream.Writable` or `stream.Transform` implementation to bridge the interfaces.","message":"Despite its name and API resembling Node.js streams (e.g., `update`, `end`, `read`), `sha.js` does not implement a true `stream.Writable` or `stream.Readable` interface. While it processes data incrementally, direct piping with Node.js streams won't work without a wrapper.","severity":"gotcha","affected_versions":"all"},{"fix":"For performance-critical applications in Node.js, prefer the built-in `crypto` module (e.g., `crypto.createHash('sha256')`). Use `sha.js` primarily for browser environments or specific contexts where pure JavaScript is a strict requirement.","message":"Being a pure JavaScript implementation, `sha.js` may exhibit lower performance compared to Node.js's native `crypto` module for large data volumes or high-throughput hashing scenarios. The `crypto` module leverages highly optimized C/C++ implementations.","severity":"gotcha","affected_versions":"all"}],"env_vars":null,"last_verified":"2026-04-19T00:00:00.000Z","next_check":"2026-07-18T00:00:00.000Z","problems":[{"fix":"Use `const shajs = require('sha.js')` for CommonJS. 
If you want a specific hash, use the factory `shajs('sha256')` or the specific constructor `new shajs.sha256()`.","cause":"Attempting to use `sha.js` as a constructor directly (e.g., `new shajs('sha256')`) when it's a factory function, or incorrectly using a named export as a default in ESM context.","error":"TypeError: shajs is not a function"},{"fix":"Ensure the hash function name matches one of the supported strings exactly: 'sha', 'sha1', 'sha224', 'sha256', 'sha384', or 'sha512'. Note that `sha-256` (with hyphen) is not supported by this library, use `sha256` (without hyphen).","cause":"An unsupported or incorrectly cased hash algorithm name was passed to the `shajs()` factory function.","error":"Error: Unknown hash function: 'sha-256'"}],"ecosystem":"npm"}