feat: add support for SHA-256 #10553

Merged: 8 commits, Jun 19, 2025

Conversation

pgoldberg
Contributor

Summary

Rspack doesn't support SHA-256 hashes, which makes migrating from Webpack difficult for projects that rely on SHA-256 content hashes, since it only supports MD4 and xxHash64. This PR adds support for SHA-256.

Checklist

  • Tests updated (or not required).
  • Documentation updated (or not required).

@CLAassistant

CLAassistant commented Jun 3, 2025

CLA assistant check
All committers have signed the CLA.

@github-actions github-actions bot added the release: feature release: feature related release(mr only) label Jun 3, 2025

netlify bot commented Jun 3, 2025

Deploy Preview for rspack canceled.

Built without sensitive environment variables

Name Link
🔨 Latest commit 8d1b855
🔍 Latest deploy log https://app.netlify.com/projects/rspack/deploys/68537419d9f4aa00081f4c89

@hardfist
Contributor

hardfist commented Jun 3, 2025

@pgoldberg can you help explain more how the project relies on SHA-256 content hashes?

@pgoldberg
Contributor Author

> @pgoldberg can you help explain more how the project relies on SHA-256 content hashes?

Sure! I use a content-addressable storage model for serving static files from many bundles, where files from these bundles are all accessible via the same route (e.g. /assets/<SHA256>.js). This comes with the benefit of sharing a browser cache between bundles, while removing a layer of separation that would exist if we also included a bundle name in the route (e.g. /assets/<bundle-name>/<file-hash>.js).

Using a cryptographic hash, like SHA256, has made the security model of this solution easier to reason about in the event these bundles may come from several sources, because it removes the possibility of a dev constructing an intentional hash collision that allowed a file from one bundle to be injected into a different bundle. The two options provided by Rspack today, md4 and xxhash64, are both non-cryptographic hashes where it's easy to find/manufacture collisions.
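
An added example, not part of the comment above or of Rspack's code: a minimal content-addressed store showing the check that makes the shared `/assets/<SHA256>.js` route safe across bundles from several sources. It assumes the store keys each file by the SHA-256 of its emitted bytes, recomputed at ingest; `AssetStore`, `ingest`, `serve` and the sample bundles are hypothetical names constructed here.

```javascript
// Added example: content-addressed asset store keyed by SHA-256 of file bytes.
const { createHash } = require('node:crypto');

const sha256Hex = (bytes) => createHash('sha256').update(bytes).digest('hex');

class AssetStore {
  constructor() {
    this.blobs = new Map();   // key (hex digest) -> Buffer
    this.sources = new Map(); // key -> Set of bundle names that shipped it
  }

  // Ingest one file from a bundle. `claimedName` is the file name the bundle
  // shipped; it is accepted only if it matches the digest recomputed here,
  // so a bundle can never choose the key its content is stored under.
  ingest(bundle, claimedName, bytes) {
    const key = sha256Hex(bytes);
    const m = /^([0-9a-f]{64})\.js$/.exec(claimedName);
    if (!m) return { ok: false, reason: 'name-not-sha256' };
    if (m[1] !== key) return { ok: false, reason: 'digest-mismatch' };
    if (!this.blobs.has(key)) {
      this.blobs.set(key, Buffer.from(bytes));
      this.sources.set(key, new Set());
    }
    this.sources.get(key).add(bundle);
    return { ok: true, route: `/assets/${key}.js` };
  }

  // Serve by route; re-verify so a blob altered after ingest is not returned.
  serve(route) {
    const m = /^\/assets\/([0-9a-f]{64})\.js$/.exec(route);
    const blob = m && this.blobs.get(m[1]);
    return blob && sha256Hex(blob) === m[1] ? blob : null;
  }
}

// Constructed sample input: files shipped by bundles from different sources.
function demo() {
  const store = new AssetStore();
  const shared = Buffer.from('export const v = 1;\n');
  const other = Buffer.from('export const v = "different";\n');
  const name = `${sha256Hex(shared)}.js`;
  return {
    a: store.ingest('bundle-a', name, shared),         // first upload
    b: store.ingest('bundle-b', name, shared),         // same bytes: one shared entry
    c: store.ingest('bundle-c', name, other),          // other bytes under that name
    d: store.ingest('bundle-c', 'deadbeef.js', other), // name is not a SHA-256 digest
    served: store.serve(`/assets/${sha256Hex(shared)}.js`).toString(),
    sources: [...store.sources.get(sha256Hex(shared))],
  };
}
```

With a collision-resistant hash, the only way two bundles can land on the same route is by shipping identical bytes, which is the cache-sharing case; the `digest-mismatch` branch is where a substituted file is refused.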


codspeed-hq bot commented Jun 11, 2025

CodSpeed Performance Report

Merging #10553 will not alter performance

Comparing pgoldberg:sha256-support (8d1b855) with main (97ce9e7)

Summary

✅ 16 untouched benchmarks

@pgoldberg
Contributor Author

@hardfist Just wanted to nudge this one – I'm hoping to get this in for a project I'm working on. I'm happy to clarify any questions you might have about it!

@hardfist hardfist requested a review from quininer June 17, 2025 05:46
@hardfist
Contributor

@pgoldberg thanks for your contribution, LGTM

hardfist
hardfist previously approved these changes Jun 17, 2025
@hardfist
Contributor

@pgoldberg you also need to update the api snapshot by running ./x ae update

quininer
quininer previously approved these changes Jun 17, 2025
Contributor

@quininer quininer left a comment

LGTM.

Since we don't provide consistent output with webpack, we could use a more modern algorithm here (like blake3). But for now sha2 is good enough.

@pgoldberg pgoldberg dismissed stale reviews from quininer and hardfist via 8205528 June 18, 2025 12:37
@pgoldberg
Contributor Author

@hardfist Thank you – just pushed that up!

@stormslowly
Contributor

@pgoldberg I tried to fix the CI and merged the main branch.
If this makes you confused, sorry for that.

@hardfist hardfist enabled auto-merge (squash) June 19, 2025 03:06
@hardfist hardfist merged commit 355c1fe into web-infra-dev:main Jun 19, 2025
38 checks passed