fix: replace weak hash functions with SHA-256

Wesley Chiu · guan404ming · commit eb6680a881f6 · 2026-01-25T01:00:18.000+08:00
diff --git a/gyp/pylib/gyp/MSVSNew.py b/gyp/pylib/gyp/MSVSNew.py
@@ -34,7 +34,7 @@ def MakeGuid(name, seed="msvs_new"):
 
     Args:
       name: Target name.
-      seed: Seed for MD5 hash.
+      seed: Seed for SHA-256 hash.
     Returns:
       A GUID-line string calculated from the name and seed.
 
@@ -44,8 +44,8 @@ def MakeGuid(name, seed="msvs_new"):
     determine the GUID to refer to explicitly.  It also means that the GUID will
     not change when the project for a target is rebuilt.
     """
-    # Calculate a MD5 signature for the seed and name.
-    d = hashlib.md5((str(seed) + str(name)).encode("utf-8")).hexdigest().upper()
+    # Calculate a SHA-256 signature for the seed and name.
+    d = hashlib.sha256((str(seed) + str(name)).encode("utf-8")).hexdigest().upper()
     # Convert most of the signature to GUID form (discard the rest)
     guid = (
         "{"
diff --git a/gyp/pylib/gyp/generator/make.py b/gyp/pylib/gyp/generator/make.py
@@ -2169,7 +2169,7 @@ def WriteMakeRule(
             # - The multi-output rule will have an do-nothing recipe.
 
             # Hash the target name to avoid generating overlong filenames.
-            cmddigest = hashlib.sha1(
+            cmddigest = hashlib.sha256(
                 (command or self.target).encode("utf-8")
             ).hexdigest()
             intermediate = "%s.intermediate" % cmddigest
diff --git a/gyp/pylib/gyp/generator/ninja.py b/gyp/pylib/gyp/generator/ninja.py
@@ -810,7 +810,7 @@ def cygwin_munge(path):
                 if self.flavor == "win":
                     # WriteNewNinjaRule uses unique_name to create a rsp file on win.
                     extra_bindings.append(
-                        ("unique_name", hashlib.md5(outputs[0]).hexdigest())
+                        ("unique_name", hashlib.sha256(outputs[0].encode("utf-8")).hexdigest())
                     )
 
                 self.ninja.build(
@@ -2803,7 +2803,7 @@ def GenerateOutputForConfig(target_list, target_dicts, data, params, config_name
             build_file, name, toolset
         )
         qualified_target_for_hash = qualified_target_for_hash.encode("utf-8")
-        hash_for_rules = hashlib.md5(qualified_target_for_hash).hexdigest()
+        hash_for_rules = hashlib.sha256(qualified_target_for_hash).hexdigest()
 
         base_path = os.path.dirname(build_file)
         obj = "obj"
diff --git a/gyp/pylib/gyp/xcodeproj_file.py b/gyp/pylib/gyp/xcodeproj_file.py
@@ -429,7 +429,7 @@ def _HashUpdate(hash, data):
             hash.update(data)
 
         if seed_hash is None:
-            seed_hash = hashlib.sha1()
+            seed_hash = hashlib.sha256()
 
         hash = seed_hash.copy()
 
@@ -452,8 +452,8 @@ def _HashUpdate(hash, data):
                 child.ComputeIDs(recursive, overwrite, child_hash)
 
         if overwrite or self.id is None:
-            # Xcode IDs are only 96 bits (24 hex characters), but a SHA-1 digest is
-            # is 160 bits.  Instead of throwing out 64 bits of the digest, xor them
+            # Xcode IDs are only 96 bits (24 hex characters), but a SHA-256 digest is
+            # is 256 bits.  Instead of throwing out bits of the digest, xor them
             # into the portion that gets used.
             assert hash.digest_size % 4 == 0
             digest_int_count = hash.digest_size // 4
