SHA.js Hashing Library

2.4.12 · maintenance · verified Sun Apr 19

sha.js is a JavaScript library providing various Secure Hash Algorithm (SHA) implementations in pure JavaScript, primarily intended for Node.js environments but also usable in browsers via tools like Browserify. It offers implementations for SHA-0 (legacy), SHA-1 (legacy), SHA-224, SHA-256, SHA-384, and SHA-512. The package is currently at version 2.4.12, with its last publish being 9 months ago as of July 2025. While it presents a stream-like interface with `update()` and `digest()`, it's important to note it does not implement a true Node.js `stream.Writable` interface, though it allows incremental processing for large inputs without consuming excessive RAM. Its main differentiator is being a pure JavaScript implementation, making it suitable for environments where native crypto modules are unavailable or undesirable. Given its version history and the nature of cryptographic libraries, it likely follows a stable maintenance release cadence, with updates primarily for security patches or critical bug fixes rather than frequent feature additions.

Common errors

```
TypeError: shajs is not a function
```
cause Attempting to use `sha.js` as a constructor directly (e.g., `new shajs('sha256')`) when it's a factory function, or incorrectly using a named export as a default in ESM context.

fix Use `const shajs = require('sha.js')` for CommonJS. If you want a specific hash, use the factory `shajs('sha256')` or the specific constructor `new shajs.sha256()`.
```
Error: Unknown hash function: 'sha-256'
```
cause An unsupported or incorrectly cased hash algorithm name was passed to the `shajs()` factory function.

fix Ensure the hash function name matches one of the supported strings exactly: 'sha', 'sha1', 'sha224', 'sha256', 'sha384', or 'sha512'. Note that `sha-256` (with hyphen) is not supported by this library, use `sha256` (without hyphen).

Warnings

breaking SHA (SHA-0) and SHA-1 algorithms are cryptographically broken and should not be used in new systems due to severe security vulnerabilities, including collision attacks. The package explicitly marks them as 'legacy, do not use in new systems'.
Fix: Migrate to stronger algorithms like SHA-256 or SHA-512 for all cryptographic operations. For existing data, consider re-hashing with secure algorithms and updating references.
breaking A critical vulnerability (CVE-2025-9288) was discovered in `sha.js` affecting versions up to 2.4.11. This flaw allowed hash manipulation attacks due to missing input type validation, potentially leading to hash state rewinds, value miscalculation attacks (collisions), and denial-of-service. This could compromise cryptographic operations and enable unauthorized access to sensitive systems.
Fix: Immediately update to `sha.js` version 2.4.12 or newer. Conduct thorough security assessments of systems that may have been exposed to malicious hash manipulation attempts.
gotcha Despite its name and API resembling Node.js streams (e.g., `update`, `end`, `read`), `sha.js` does not implement a true `stream.Writable` or `stream.Readable` interface. While it processes data incrementally, direct piping with Node.js streams won't work without a wrapper.
Fix: If integrating with Node.js streams, wrap `sha.js` instances in a custom `stream.Writable` or `stream.Transform` implementation to bridge the interfaces.
gotcha Being a pure JavaScript implementation, `sha.js` may exhibit lower performance compared to Node.js's native `crypto` module for large data volumes or high-throughput hashing scenarios. The `crypto` module leverages highly optimized C/C++ implementations.
Fix: For performance-critical applications in Node.js, prefer the built-in `crypto` module (e.g., `crypto.createHash('sha256')`). Use `sha.js` primarily for browser environments or specific contexts where pure JavaScript is a strict requirement.

Install

npm install sha.js npm
yarn add sha.js yarn
pnpm add sha.js pnpm

Imports

shajs
wrong:
```
import shajs from 'sha.js'
```
correct:
```
const shajs = require('sha.js')
```
This package is CommonJS-only; direct ES module imports are not supported.
shajs('sha256')
wrong:
```
const hash = new shajs('sha256');
```
correct:
```
const hash = shajs('sha256');
```
The main export is a factory function for creating hash instances. Specific algorithms can also be accessed as constructors (e.g., `new shajs.sha256()`).
sha256 constructor
wrong:
```
const hash = shajs.sha256();
```
correct:
```
const hash = new shajs.sha256();
```
When accessing a specific algorithm constructor directly from the `shajs` object, the `new` keyword is required.

Quickstart

Demonstrates both the factory function and direct constructor methods for SHA hashing, including incremental updates for large data.

const shajs = require('sha.js');

// Using the factory function style
console.log('SHA-256 (factory function):');
const hashFactory = shajs('sha256');
hashFactory.update('Hello, World!');
console.log(hashFactory.digest('hex'));

// Using the constructor style
console.log('\nSHA-512 (constructor):');
const hashConstructor = new shajs.sha512();
hashConstructor.update('Hello, World!');
console.log(hashConstructor.digest('hex'));

// Example with a stream-like interface (though not a true Node.js stream)
console.log('\nSHA-256 (stream-like update/read):');
const sha256stream = shajs('sha256');
sha256stream.write('Part 1'); // Use write for incremental updates
sha256stream.end(' of Part 2'); // Final chunk via end
console.log(sha256stream.read().toString('hex')); // Get the final hash as a Buffer and convert

view raw JSON →