Error installing on FIPS compliant nodejs after pnpm 9.x upgrade

[LucasHillDex]

Verify latest release

• I verified that the issue exists in the latest pnpm release

pnpm version

9.1.0

Which area(s) of pnpm are affected? (leave empty if unsure)

CLI

Link to the code that reproduces this issue or a replay of the bug

No response

Reproduction steps

Run pnpm i running on a version of nodejs with a FIPS compliant openssl

Describe the Bug

For some reason after upgrading to 9.1.0 a piece of code is being executed in the pnpm stack that creates an md5 hash using the node crypto library. For users running with FIPS compliant nodejs builds, MD5 is not an allowed hashing algorithm. FIPS allows SHA-2 or SHA-3 algorithms as they are significantly more secure than MD5. If this part of the code is simply wanting to create a hash for comparison sake, it could be done in CRC64 (faster, doesn't need openssl) or SHA-256/512 if performance is not as important.

Stack trace:

  ERR_OSSL_EVP_UNSUPPORTED  error:0308010C:digital envelope routines::unsupported

             pnpm: error:0308010C:digital envelope routines::unsupported
                 at new Hash (node:internal/crypto/hash:68:19)
                 at Object.createHash (node:crypto:138:10)
                 at createBase32Hash (/home/node/.cache/node/corepack/v1/pnpm/9.1.0/dist/pnpm.cjs:10261:58)
                 at depPathToFilename (/home/node/.cache/node/corepack/v1/pnpm/9.1.0/dist/pnpm.cjs:113025:113)
                 at prune (/home/node/.cache/node/corepack/v1/pnpm/9.1.0/dist/pnpm.cjs:140689:68)
                 at async headlessInstall (/home/node/.cache/node/corepack/v1/pnpm/9.1.0/dist/pnpm.cjs:173344:35)
                 at async _install (/home/node/.cache/node/corepack/v1/pnpm/9.1.0/dist/pnpm.cjs:181173:33)
                 at async mutateModules (/home/node/.cache/node/corepack/v1/pnpm/9.1.0/dist/pnpm.cjs:181038:23)
                 at async recursive (/home/node/.cache/node/corepack/v1/pnpm/9.1.0/dist/pnpm.cjs:182587:50)
                 at async installDeps (/home/node/.cache/node/corepack/v1/pnpm/9.1.0/dist/pnpm.cjs:182890:11)

Line of code causing issue:

pnpm/packages/crypto.base32-hash/src/index.ts

Line 6 in fd6cd27

return base32.stringify(crypto.createHash('md5').update(str).digest()).replace(/(=+)$/, '').toLowerCase()

Expected Behavior

PNPM can be used on FIPS compliant nodejs/openssl builds.

Which Node.js version are you using?

21.7.3

Which operating systems have you used?

• macOS
• Windows
• Linux

If your OS is a Linux based, which one it is? (Include the version if relevant)

custom

[LucasHillDex]

These are the available FIPS compliant hashing algorithms crypto.getHashes() reports.

[
  'RSA-SHA1',
  'RSA-SHA1-2',
  'RSA-SHA224',
  'RSA-SHA256',
  'RSA-SHA3-224',
  'RSA-SHA3-256',
  'RSA-SHA3-384',
  'RSA-SHA3-512',
  'RSA-SHA384',
  'RSA-SHA512',
  'RSA-SHA512/224',
  'RSA-SHA512/256',
  'id-rsassa-pkcs1-v1_5-with-sha3-224',
  'id-rsassa-pkcs1-v1_5-with-sha3-256',
  'id-rsassa-pkcs1-v1_5-with-sha3-384',
  'id-rsassa-pkcs1-v1_5-with-sha3-512',
  'sha1',
  'sha1WithRSAEncryption',
  'sha224',
  'sha224WithRSAEncryption',
  'sha256',
  'sha256WithRSAEncryption',
  'sha3-224',
  'sha3-256',
  'sha3-384',
  'sha3-512',
  'sha384',
  'sha384WithRSAEncryption',
  'sha512',
  'sha512-224',
  'sha512-224WithRSAEncryption',
  'sha512-256',
  'sha512-256WithRSAEncryption',
  'sha512WithRSAEncryption',
  'shake128',
  'shake256',
  'ssl3-sha1'
]