Node FIPS support/npm #10629
@zkat is this something you can help out with?
I've landed npm/fs-write-stream-atomic@dfaac1b, which takes care of that. @iarna, can you either merge npm/write-file-atomic#7 and npm/unique-slug#1 and put out new versions of those, or move them into the npm organization so I can fix them? If we can get those out tomorrow, we can have a FIPS-compliant
Were you also planning to put them into the 2.X line?
Yes. For now, npm LTS is taking dependency upgrades as a matter of course.
The close came from the relevant commits landing on |
Stefan mentioned that npm/fs-write-stream-atomic@dfaac1b landed but not the other 2
Hmm, looking at a few I think it looks like there were commits so I'll follow up with Stefan |
@mhdawson Looks like the relevant changes have actually made it in, for reference: npm/fs-write-stream-atomic@dfaac1b I believe this issue is fixed. Thanks @mhdawson and @othiym23 for your help! |
Yes, as far as I know the only thing in the npm dependency tree that uses MD5 at this point is |
Support for building Node in a FIPS capable mode was added a while back.
More recently effort has gone into making sure the test suite can run/pass when Node is built in FIPS capable mode. See nodejs/node#3760 opened by @stefanmb for more details.
Tests are now running in the CI in FIPS capable mode as part of the regression tests (see here: https://ci.nodejs.org/job/node-test-commit-linux-fips/)
As part of this work (as raised by @lordjabez) along with other issues it has been discovered that npm does not work when FIPS is built in FIPS capable mode (some discussion is in nodejs/node#3760)
The issue seems to be that MD5 is used by some sub-modules to generate unique values. MD5 is dis-allowed in FIPS mode. Looking at the cases where MD5 is being used it does not look like it needs to be MD5, only that it was an easy way to generate a semi-unique value. PRs have been opened to change to different algorithms. The dependent modules look to be owned by people who are part of the npm organization which is why I'm opening the issue here. The modules are:
I'm opening this issue to explain the importance of pulling these changes in and to provide a place where any necessary discussion can take place.