Since this issue has no description, I'm not sure if you're referring to the node-sha1 package specifically, or the fact that we're using SHA1 at all. To be clear, we do not use SHA1 for authentication at all— just to generate a well-distributed set of large integers for computing percentage rollouts of users.
We have been using a pretty old version of node-sha1 to do this, but since that package is really just a simple wrapper for Node's crypto, we can probably just drop that dependency rather than upgrading it. But we do need to continue using the SHA1 algorithm so customers will not suddenly start seeing different results for percentage rollouts.