Typescript claims that there is no default export when using import sha256 form 'js-sha256';.
The index.d.ts claims that only two named exports exists (sha256 and sha224) but this does not seem to be the case anymore as import * as sha from 'js-sha256'; shows named as well as a default export.
Trying to import { sha256, sha224 } from 'js-sha256'; fails as well, as the real export of this module is not an object containing these functions, but an objects that contains the default in on property and named exports inside another.
A workaround is to import * as sha from 'js-sha256'; and then use (sha as any).default(message), but this is considered bad practice as it's loosing the type information and requires low level interaction with the es-module system.

Is there any example or demo for File Hash SHA256 from Browser, just show in demo.

Hello,

I have been testing sha256.hmac compared to other sources and noticed a discrepancy.
This library outputs a simple test like:
sha256.hmac('a','b'); // = 08de329931e295683776aa9a43529bd0b275286df3160300c49ba4e841833013
while online sources like here and here and the library CryptoJS output the same input as:
cb448b440c42ac8ad084fc8a8795c98f5b7802359c305eabd57ecdb20e248896

检测到 emn178/js-sha256 一共引入了22个开源组件，存在3个漏洞

漏洞标题：Growl命令执行漏洞
缺陷组件：[email protected]
漏洞编号：CVE-2017-16042
漏洞描述：Growl是一套支持Node.js的通知系统。
Growl 1.10.2之前版本中存在安全漏洞，该漏洞源于在将输入传递到shell命令之前，程序未能正确的对其进行过滤。攻击者可利用该漏洞执行任意命令。
国家漏洞库信息：https://www.cnvd.org.cn/flaw/show/CNVD-2018-24664
影响范围：(∞, 1.10.0)
最小修复版本：1.10.0
缺陷组件引入路径：[email protected]>[email protected]>[email protected]

另外还有3个漏洞，详细报告：https://mofeisec.com/jr?p=i17ed6

I think It's more of a question than an issue because I am probably not using the library correctly. After I run update on the hmac second time, shouldn't the hash change? Why doesn't it and how would I properly use the update function? See example below.

var hash = sha256.hmac.create('mykey');
hash.update(mykey,'Message one to hash');
hash.hex() is ABC
hash.update(mykey,'Message two to hash');
hash.hex() is still ABC

Please consider vending ESM

Because of the following code:

var crypto = eval("require('crypto')");
var Buffer = eval("require('buffer').Buffer");

library does not work, when the Content-Security-Policy does not include unsafe-eval.

Hello @emn178,
I am the member of cdnjs project.
We want to host this library.
I have downloaded the version 0.3.0 in npm, but I found that the files are not the same as the files which downloaded from github,
Could you help me update the files in npm? thank you very much!

cdnjs/cdnjs#5766

Since the Web Crypto API is now widely supported both on the Web and Node.js this library serves little to no purpose in modern JavaScript development. This library is also very clearly no longer actively maintained.

Given these arguments I would like to propose this library be deprecated as follows:

• Add a section to the README instructing users to use the Web Crypto API instead.
• Deprecate all versions of the NPM package using npm deprecate.
• Archive the repository on Github.

Here is a lib that use native implementation from browser and node.js for sha512 :
https://github.com/paulmillr/noble-ed25519/blob/master/index.ts#L849

Browser : https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest
Node : https://nodejs.org/api/crypto.html#crypto_crypto_createhash_algorithm_options

But with es module native compatibility issue. (you also have but i've handled them here : https://github.com/1000i100/js-sha256 but dropping, for now some coverage. That's why i haven't send pull-request )

(!) Use of eval is strongly discouraged
https://github.com/rollup/rollup/wiki/Troubleshooting#avoiding-eval
node_modules/js-sha256/src/sha256.js
84:
85: var nodeWrap = function (method, is224) {
86: var crypto = eval("require('crypto')");
^
87: var Buffer = eval("require('buffer').Buffer");
88: var algorithm = is224 ? 'sha224' : 'sha256';
...and 1 other occurrence
created dist/transactionmgmt.dev.js in 4.7s

[2018-06-21 10:33:00] waiting for changes...

It seems that js-sha256 produces incorrect hash for some inputs in the browser environment (issue does not reproduce in NodeJS environment).

I am currently using Chrome 120.0.6099.71.

Here is one input that produces incorrect hash:

Tehtäväsi on muotoilla teksti, jossa käyttäjälle suositellaan hänen henkilökohtaisiin tietoihinsa perustuen avioehdon tekemistä. Suosittelemme nimenomaan tätä tuotetta käyttäjän henkilökohtaisista tiedoista johtuen. Tuottamasi tekstin tulee olla lyhyt, persoonallinen, ymmärrettävä ja todenmukainen. Suositus perustuu seuraaviin seikkoihin:

Seikka 0: Avioehdon tekeminen on verohyötyjen vuoksi suositeltavaa, koska olet ilmaissut että haluat kuoleman tapauksessa turvata ensisijaisesti aviopuolisosi asemaa (ennemmin kuin lasten asemaa). Avioehdolla voit määrätä, että puolet kuolleen puolison omaisuudesta siirtyy verovapaasti leskelle.

Voit halutessasi hyödyntää seuraavia tietoja tekstin muotoilussa persoonallisemmaksi: Käyttäjällä on kumppani nimeltä PARTNER_NAME. Käyttäjällä on suurperhe. Käyttäjällä on lapsiperhe.

Puhuttele käyttäjää siihen sävyyn että tiedät jo mitä käyttäjä haluaa, koska hän on kertonut toiveistaan, ja niiden perusteella tehty suositus on ilmiselvä. Joten älä käytä epävarmoja ilmaisuja kuten "halutessasi", vaan kirjoita itsevarmoilla ilmaisuilla kuten "koska haluat". Älä tee oletuksia käyttäjän sukupuolesta, emme tiedä onko hän mies vai nainen. Älä käytä sanaa jälkikasvu, puhu ennemmin lapsesta tai lapsista riippuen onko lapsia yksi vai useampia. Älä puhuttele käyttäjää ensimmäisessä persoonassa, käytä ennemmin passiivimuotoa. Tekstin sävyn tulisi olla neutraalin asiallinen, ei melodramaattinen eikä leikkisä. Pysy totuudessa, älä keksi uusia seikkoja yllä listattujen lisäksi. Viittaa ihmisiin nimillä silloin kun se on mahdollista. Tekstin tulisi olla vain muutaman lauseen mittainen. Älä siis kirjoita pitkiä selityksiä äläkä kirjoita listoja. Tiivistä oleellinen tieto lyhyeksi ja persoonalliseksi tekstiksi.

The fastest way to reproduce is by copypasting the input to these SHA256 calculators and seeing that the calculated hashes are different:

• Incorrect hash bddecd6f63985c77ff7266d78e3bc0d5df0fc859346e69c7de535b90e3fe4e82 from https://emn178.github.io/online-tools/sha256.html
• Correct hash 2C731AD02E3D0E3C863BDBCE4CCE221E0BE1D31EFFFDD8E1455A835E8287DC33 from https://passwordsgenerator.net/sha256-hash-generator/

The hash is calculated correctly until the character in position 1751 (the last "s" character in the last word of the string). For some reason the hash is calculated incorrectly at position 1751 (and, naturally, every position after that).

I tried to construct a shorter input example, but it seems that any change to the input before position 1751 causes the issue to disappear: add character, remove character, change character... any change and issue disappears.

sha256.hex('b03cadd31554cdbe6e67fc0ad2f0ffeb8aae91de4f0657c3ba6fc11b94b85e46') === '182ee7d99a515fdd59d25d5d8a2a263b52097fd212e169f2df208a6c4b7e1c73'

why it gives 182ee7d99a515fdd59d25d5d8a2a263b52097fd212e169f2df208a6c4b7e1c73 instead of 2656b1039a88fbd83409795d31480d3090ec797488df19cbef2b70c69df87c29? am I using the library in the wrong way?

thank you

Hi,

since version 0.3.1 my builds no longer work.

var sha256 = require("js-sha256");
var sha = sha256("my string");
TypeError: '[object Object]' is not a function (evaluating 'sha256("my string")')

Breaking changes should be done in a major version, not a patch.

Hi,

Thanks for the help on SHA 3. Could you also allow the use of ArrayBuffer?

Thanks

Ken

Hello @emn178 ,

I found conflict when sha256 is included together with requirejs.
Reproducible here: https://irwansetiawan.github.io/gs_plus/sha256_requirejs_conflict.html

Hi you try to determine if you are in a node environment by checking the process variable.
React native also has a standard process variable which looks like this (at least in my setup):

{ env: { NODE_ENV: 'development' } }	

You check in line 14

var NODE_JS = !root.JS_SHA256_NO_NODE_JS && typeof process == 'object' && process.versions && process.versions.node;

the problem is that both process.versions && process.versions.node are undefined so that evaluates somehow to true.
Maybe you can do a check

if (prossess.versions === undefined)
      NODE_JS = false;

or something.

Best regards Max

React Native gives the following error: "Unable to resolve module 'crypto' from '/js-sha26/src/sha256.js': Module does not exist i the module map".

What should I do if I want to use salt?

I don't think this is a bug in this code but opening this issue to maybe help out someone else trying to debug this in the future:

When this library is used with Google Chrome 115.0.5790.102 (released on July 20 2023), it will produce correct hashes for a while and then after a certain number of hashes are computed, all future hash outputs will be incorrect.

This was seen on x86 and ARM machines running Linux and macOS.

Presumably this is a JIT bug in this particular version of Chrome. It is apparently fixed in 115.0.5790.110 which was released to stable channel 5 days later.

The following test case indicates that it is supposed to be using a Uint8Array for the secret, but is in fact using a ArrayBuffer:

The sha256_hmac test properly uses a Uint8Array.

Currently the code modifies the Array prototype by adding the __ARRAY__ property to it. Could this be avoided?

In one of my project it actually caused a hard to track down bug. 😄

Object.isArray() or a polyfill given here or something like lodash's _.isArray() can be used instead to detect whether an object is an array