Irys-xyz / arweave-js-sdk

JS SDK for Irys on Arweave
110 stars 95 forks

js-sha256 causes warnings, and can be safely removed (code attached) #90

Closed mikemaccana closed 1 year ago

mikemaccana commented 1 year ago

The js-sha256 module isn't necessary in current (last 10 years) browsers and causes warnings:

Use of eval in "node_modules/js-sha256/src/sha256.js" is strongly discouraged as it poses security risks and may cause issues with minification.

All current browsers provide SHA256 natively. See https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest

```javascript
// Hash a string with the browser's built-in Web Crypto API instead of js-sha256.
const getSHA256Hash = async (input) => {
  // Encode the string as UTF-8 bytes (the same encoding js-sha256 uses for strings).
  const textAsBuffer = new TextEncoder().encode(input);
  // SubtleCrypto.digest returns an ArrayBuffer holding the 32-byte digest.
  const hashBuffer = await window.crypto.subtle.digest("SHA-256", textAsBuffer);
  const hashArray = Array.from(new Uint8Array(hashBuffer));
  // Render as lowercase hex, zero-padding each byte to two characters.
  const hash = hashArray
    .map((item) => item.toString(16).padStart(2, "0"))
    .join("");
  return hash;
};
```
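An added example (not from the issue author or the SDK) of what a drop-in replacement for js-sha256 would have to cover: it uses Web Crypto in both browsers and Node, accepts raw bytes as well as strings since an Arweave-style SDK mostly hashes binary data, and verifies itself against the FIPS 180-2 "abc" test vector so a dependency swap can be checked for bit-for-bit compatibility. The helper names (`getSubtle`, `sha256`, `sha256Hex`, `selfCheck`) are hypothetical.

```javascript
// Hypothetical SubtleCrypto-based SHA-256 helper; assumes a browser or Node >= 16.
async function getSubtle() {
  // Browsers and Node >= 19 expose Web Crypto globally; Node 16-18 needs the module.
  if (globalThis.crypto?.subtle) return globalThis.crypto.subtle;
  const { webcrypto } = await import("node:crypto");
  return webcrypto.subtle;
}

// Normalise input to a Uint8Array. Strings are UTF-8 encoded, matching js-sha256.
function toBytes(input) {
  if (typeof input === "string") return new TextEncoder().encode(input);
  if (input instanceof Uint8Array) return input;
  if (input instanceof ArrayBuffer) return new Uint8Array(input);
  throw new TypeError("sha256: expected string, Uint8Array or ArrayBuffer");
}

// Returns the 32-byte digest as a Uint8Array.
async function sha256(input) {
  const subtle = await getSubtle();
  const digest = await subtle.digest("SHA-256", toBytes(input));
  return new Uint8Array(digest);
}

// Lowercase hex string, the same format js-sha256's sha256(...) returns.
async function sha256Hex(input) {
  const bytes = await sha256(input);
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Known-answer test: SHA-256("abc") from FIPS 180-2, hashed both as a string
// and as the constructed byte array [0x61, 0x62, 0x63] to show both paths agree.
const ABC_SHA256 =
  "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad";

async function selfCheck() {
  const fromString = await sha256Hex("abc");
  const fromBytes = await sha256Hex(new Uint8Array([0x61, 0x62, 0x63]));
  return fromString === ABC_SHA256 && fromBytes === ABC_SHA256;
}
```

Running `selfCheck()` at build or test time is a cheap way to catch an environment where `crypto.subtle` is missing (for example a non-secure HTTP origin, where browsers do not expose it) before the SDK relies on it.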
JesseTheRobot commented 1 year ago

Hey @mikemaccana thanks for the issue. Unfortunately, this is not directly solvable by us - as js-sha256 is an indirect dependency, see:

```
@bundlr-network/client@0.11.1
├─┬ @near-js/providers@0.0.4
│ └─┬ @near-js/transactions@0.1.0
│   └── js-sha256@0.9.0
├─┬ @near-js/transactions@0.1.1
│ ├─┬ @near-js/signers@0.0.4
│ │ └── js-sha256@0.9.0
│ └── js-sha256@0.9.0
├─┬ @near-js/wallet-account@0.0.4
│ ├─┬ @near-js/accounts@0.1.1
│ │ └─┬ @near-js/transactions@0.1.0
│ │   └── js-sha256@0.9.0
│ ├─┬ @near-js/signers@0.0.3
│ │ └── js-sha256@0.9.0
│ └─┬ @near-js/transactions@0.1.0
│   └── js-sha256@0.9.0
└─┬ algosdk@1.24.1
  └── js-sha256@0.9.0
```
mikemaccana commented 1 year ago

@JesseTheRobot understood re: plugins actually having the dependencies. Could you move to using optionalDependencies for near and algo and whatever else? Like many other users, I'm doing nothing with near or algorand. See https://betterprogramming.pub/what-are-npms-optional-dependencies-and-when-should-we-use-them-796a6a964e73 for more info.

JesseTheRobot commented 1 year ago

I can definitely look into that, but if I recall correctly we had some issues with optional dependencies and tooling like webpack (or simply users trying to use the CLI via NPX) - I'll keep you in the loop regardless.

We do have a "split" client planned, where you only import the packages you're using, but that's still under development unfortunately.