Support for Red Hat Enterprise Linux 8 and FIPS

[dirtyharrycallahan]

On a RHEL 8 machines with node v18.18.2 and verdaccio 5.31.0 npm installs fail with 500. Looking at the log reveals calls to stringToMD5.
There seem to be two places where stringToMD5 is called. The first being in the email gravatar. Disabling web gravatars reveals the second place where stringToMD5 is called and that is in the generation of the etag. Modifying crypto utils to change md5 to sha1 results in successful npm i. Are there any plans to replace weak MD5 hash with a FIPS compliant hash?

node -p 'crypto.getFips()'
1

[juanpicado]

Are there any plans to replace weak MD5 hash with a FIPS compliant hash?

Whatever improve this software and does not break others installations is always very welcome 👍🏼 since seems you have already a solution, feel free give it a try.

The first being in the email gravatar.

Indeed could be disable if you don't use it, but seems like should use md5

https://stackoverflow.com/questions/28212836/how-to-decrypt-a-gravatar-hash-into-real-email-address