Drop dependencies in favour of native crypto functionality

[michaelbromley]

We use a number of dependencies which can be dropped and replaced with built-in cryptographic functionality that is now part of Node/web platform:

• remove sha.js (use crypto Web API instead) refactor: replace uuid with native Crypto API #11769
• remove uuid in favour of builtin crypto module
• replace built-in hashing function with builtin crypto module

[pleerock]

It's not related to crypto, but since we are talking about dropping external deps here, I strongly recommend to drop require for "buffer". The reason is obvious - its a shim and shouldn't be required by TypeORM.

The real problem comes when your platform doesn't support buffer, and you are tying to use a different buffer shim (e.g. react-native-buffer in my case - which has more features. For example, buffer shim that is currently used by TypeORM doesn't support base64url encoding. And another shim is being overridden by TypeORM's buffer shim which is not good.

[pleerock]

also when dropping crypto - keep in mind, crypto support is limited in react native. We might need to recommend react-native crypto shim implementation which actually supports all the features TypeORM requires.

[alumni]

We might need to create some additional tasks (for hashing + buffer), since it seems more complex than I initially thought.

UUID

I managed to replace uuid.v4() with globalThis.crypto.randomUUID() - this is part of the Web Crypto API and should be supported by any JS engine (hopefully also by Hermes). So no polyfills should be needed here. Do we have a way to check what ES features does Hermes supports? Later edit: it seems not: facebook/hermes#1003

Hashing

Unfortunately we might not be able to easily replace the sha.js and RandomGenerator.sha1 - WebCrypto's digest function is async, so a lot of methods would become async. We could replace sha.js with RandomGenerator.sha1 (which is not 100% equivalent, the problem is in line 44) just to get rid of the extra dependency, or we could use node:crypto, but then a polyfill would be needed (not what I wanted when I proposed that).

Buffer

For buffer, I'm thinking there are two options:

1. replace Buffer with Uint8Array everywhere. Most DB clients still return Buffer, so we need to make sure a lot of things still work.
2. keep Buffer in types, provide buffer functions in PlatformTools. The types should not really be a problem in non-node environments, TS would not know what Buffer is, but it will not highlight it as an error. We don't have many functions to provide in PlatformTools, we currently only use Buffer.isBuffer(value) and type === Buffer.

[pleerock]

Regarding to subtle - it's not supported in react native, and exist crypto shims are very limited in subtle functions support. Keep that in mind, otherwise we'll have to provide (and maintain) our own shim for a specific subtle functions in react native. Sometimes its much easier to put a function like CryptoUtils.sha() in the codebase and call it in case of missing global support. There is no heavy crypto/hashing in TypeORM from what I know - we won't have lot of code for those functions. But still use them as a fallback, since native implementations are always faster.

Regarding to Buffer - replacing to Uint8Array is the best way to go, if it's possible.

[alumni]

Sometimes its much easier to put a function like CryptoUtils.sha() in the codebase and call it in case of missing global support

Actually this is what I was also suggesting on Discord. We could use crypto.randomUUID if available, otherwise the uuidv4 implementation is quite short and we could add it to our repo. And for sha1 could get it from node:crypto on NodeJS or use the RandomGenerator.sha1 function that's already in the repo (we just need to fix it).

Regarding to Buffer - replacing to Uint8Array is the best way to go, if it's possible.

I might take a look sometime if nobody will, but I'd like to check out a few things from the roadmap that I promised I will do :)

[MatthiasKunnen]

Dropping sha.js would be amazing, it alone is responsible for nearly half of TypeORM's dependencies (33/81). See https://npmgraph.js.org/?q=typeorm#select=exact%3Asha.js%402.4.12. And as @pleerock already mentioned, native will always be faster.

I currently replace sha.js with Yarn resolutions to avoid this dependency mess. Patch file:

const crypto = require('node:crypto')
module.exports = crypto.createHash.bind(crypto) // bind is not actually necessary

[alumni]

it alone is responsible for nearly half of TypeORM's dependencies (33/81)

@MatthiasKunnen this is why we planned it :) FYI we already replaced glob with tinyglobby like most other packages have been doing for a while (and likely when node 20 support is dropped, we'll switch to the built-in node:fs).

With so many supply chain attacks, it's also best to have as few dependencies as possible.

I'm thinking we could offer this task for Hacktoberfest (if it's possible, not sure how it works) now that the implementation details are clear :) maybe the same for buffer.

[mag123c]

I'd like to work on it.

Before I start, I have a few questions

• Should I include buffer removal in the same PR or separate it?
• Any concerns about React Native compatibility with crypto.randomUUID()?
• Need polyfill documentation for older environments?