Fix MD5 hash algorithm to SHA256 for caching

[wisestmumbler]

What is the problem you're trying to solve?

#9177 introduced MD5 hashing which breaks on some systems/machines that check for use of more secure algorithms. Switching this out for SHA256 will be in compliance with those systems.

Understand that the MD5 in this case is not used for actual security, but these machines/rules are dumb to what crypto is actually being used for.

Note: there is definitely a performance cost with using a more secure algorithm.

What solution would you like to see?

Here's an example of pnpm's solution to the same issue: unjs/jiti#375

[ybiquitous]

@wisestmumbler Thank you for raising the issue! I didn't realize the potential problem when I introduced the MD5 hash, but this idea sounds much more reasonable. 👍🏼

Current code:

stylelint/lib/utils/hash.mjs

Lines 9 to 13 in 84f2c6b

	// Why md5?
	// - Fastest performance
	// - Sufficient collision resistance for file paths and configurations
	// - Not need cryptographic security
	return createHash('md5').update(str).digest('base64url').slice(0, 10);

Affected area:

• stylelint/lib/utils/FileCache.mjs

  Line 33 in 84f2c6b

  const cacheFile = resolve(resolveFilePath(cacheLocation, cwd, `.stylelintcache_${hash(cwd)}`));

• stylelint/lib/utils/FileCache.mjs

  Line 60 in 84f2c6b

  this._hashOfConfig = hash(`${stylelintVersion}_${configString}`);

I believe the fix impact is very low because the two hash() calls occur only once per linting run.

The fix seems straightforward: change 'md5' to 'sha256' in utils/hash.mjs.

I've labeled the issue as ready to implement. Please consider contributing if you have time.

There are steps on how to fix a bug in a rule in the Contributor guide.

[rkdfx]

Hi, I have created a PR for this bug fix (#9241). Please let me know if any change is required. Thanks!