
Core: Fix FIPS compliance #31806


@JReinhold JReinhold commented Jun 17, 2025

What I did

Changed the default hashing algorithm for the file system cache from MD5 to SHA256, as FIPS environments don't allow the usage of insecure hashing algorithms like MD5.

Using Storybook in a FIPS environment would result in an error like:

  throw error;
  ^

Error: error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS
    at new Hash (node:internal/crypto/hash:79:19)
    at createHash (node:crypto:142:10)
    at new FileSystemCache (/node_modules/@storybook/core/dist/common/index.cjs:16584:111)
    at createFileSystemCache (/node_modules/@storybook/core/dist/common/index.cjs:16668:10)
    at Object.<anonymous> (/node_modules/@storybook/core/dist/common/index.cjs:16924:10)
    at Module._compile (node:internal/modules/cjs/loader:1529:14)
    at Module._extensions..js (node:internal/modules/cjs/loader:1613:10)
    at Module.load (node:internal/modules/cjs/loader:1275:32)
    at Module._load (node:internal/modules/cjs/loader:1096:12)
    at Module.require (node:internal/modules/cjs/loader:1298:19) {
  library: 'digital envelope routines',
  function: 'EVP_DigestInit_ex',
  reason: 'disabled for FIPS',
  code: 'ERR_OSSL_EVP_DISABLED_FOR_FIPS'
}

Node.js v20.19.1
error Command failed with exit code 7.

Checklist for Contributors

Testing

The changes in this PR are covered in the following automated tests:

  • stories
  • unit tests
  • integration tests
  • end-to-end tests

Manual testing

This section is mandatory for all contributions. If you believe no manual test is necessary, please state so explicitly. Thanks!

Documentation

  • Add or update documentation reflecting your changes
  • If you are deprecating/removing a feature, make sure to update
    MIGRATION.MD

Checklist for Maintainers

  • When this PR is ready for testing, make sure to add ci:normal, ci:merged or ci:daily GH label to it to run a specific set of sandboxes. The particular set of sandboxes can be found in code/lib/cli-storybook/src/sandbox-templates.ts

  • Make sure this PR contains one of the labels below:

    Available labels
    • bug: Internal changes that fixes incorrect behavior.
    • maintenance: User-facing maintenance tasks.
    • dependencies: Upgrading (sometimes downgrading) dependencies.
    • build: Internal-facing build tooling & test updates. Will not show up in release changelog.
    • cleanup: Minor cleanup style change. Will not show up in release changelog.
    • documentation: Documentation only changes. Will not show up in release changelog.
    • feature request: Introducing a new feature.
    • BREAKING CHANGE: Changes that break compatibility in some way with current major version.
    • other: Changes that don't fit in the above categories.

🦋 Canary release

0.0.0-pr-31806-sha-dd7d87dd

Greptile Summary

Updates FileSystemCache to use SHA256 instead of MD5 for FIPS-compliant environments, addressing compatibility issues with secure computing standards.

  • Modified code/core/src/common/utils/file-cache.ts to replace MD5 with SHA256 hashing algorithm
  • Resolves runtime errors in FIPS environments where MD5 is disabled as an insecure algorithm
  • Existing caches using MD5 will need to be regenerated with the new SHA256 algorithm
  • Change improves security while maintaining cache functionality
  • No breaking changes to the cache API, only internal hashing implementation changed
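
An added Node.js example, not code from this PR or from Storybook, of the failure and fix described above: it probes whether a digest can be instantiated in the current process (MD5 cannot under FIPS), picks a usable one, and tags cache keys with the digest name so entries written under a different digest are plain cache misses. The helper names and the key layout are assumptions made for the illustration.

```javascript
const crypto = require('node:crypto');

// True if this process can instantiate the digest. Under FIPS, createHash('md5')
// throws ERR_OSSL_EVP_DISABLED_FOR_FIPS, as in the stack trace above.
function digestUsable(alg) {
  try {
    crypto.createHash(alg).update('probe').digest();
    return true;
  } catch {
    return false;
  }
}

// Hypothetical helper: first usable digest from a preference list.
function pickDigest(preferred = ['sha256', 'sha512']) {
  const alg = preferred.find(digestUsable);
  if (!alg) throw new Error(`no usable digest among: ${preferred.join(', ')}`);
  return alg;
}

// Assumed key layout (not Storybook's): "<alg>-<hex(namespace NUL key)>".
// Tagging the key with the digest name means entries written under another
// digest are simply cache misses, never false hits.
function cacheKey(namespace, key, alg = pickDigest()) {
  const hex = crypto.createHash(alg).update(`${namespace}\0${key}`).digest('hex');
  return `${alg}-${hex}`;
}

// Startup report a CLI could log before touching the cache.
function describeEnvironment() {
  return {
    fips: crypto.getFips() === 1,
    md5: digestUsable('md5'),
    sha256: digestUsable('sha256'),
  };
}

// Constructed sample inputs.
console.log(describeEnvironment());
console.log(cacheKey('constructed-namespace', 'constructed/key.json'));
```

Probing at startup turns a crash deep inside module loading into an explicit, loggable decision about which digest the cache uses.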

@JReinhold JReinhold self-assigned this Jun 17, 2025
@JReinhold JReinhold added maintenance User-facing maintenance tasks patch:yes Bugfix & documentation PR that need to be picked to main branch core ci:normal labels Jun 17, 2025
@storybook-bot

Failed to publish canary version of this pull request, triggered by @JReinhold. See the failed workflow run at: https://github.com/storybookjs/storybook/actions/runs/15716517128


nx-cloud bot commented Jun 17, 2025

View your CI Pipeline Execution ↗ for commit 1039ca5.

Command Status Duration Result
nx run-many -t build --parallel=3 ✅ Succeeded 1m 13s View ↗

☁️ Nx Cloud last updated this comment at 2025-06-18 12:14:02 UTC

@JReinhold JReinhold marked this pull request as ready for review June 18, 2025 12:07

@greptile-apps greptile-apps bot left a comment


LGTM

1 file reviewed, no comments
