Skip to content

fix(core): add custom key encoder and deprecate insecureHash #8379

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 13 commits into from
Jun 19, 2025
Merged

fix(core): add custom key encoder and deprecate insecureHash #8379

merged 13 commits into from
Jun 19, 2025

Conversation

manekinekko
Copy link
Contributor

This PR deprecates the insecureHash and introduces a support for Custom Key Encoders for Caching and Indexing.

Note: The insecureHash function is currently based on SHA-1 algorithm, which may lead to security issues as discussed with @sinedied and @jacoblee93

@vercel Vercel
Copy link

vercel bot commented Jun 17, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
langchainjs-docs ✅ Ready (Inspect) Visit Preview Jun 18, 2025 9:44pm
1 Skipped Deployment
Name Status Preview Comments Updated (UTC)
langchainjs-api-refs ⬜️ Ignored (Inspect) Jun 18, 2025 9:44pm

@dosubot dosubot bot added size:L This PR changes 100-499 lines, ignoring generated files. auto:improvement Medium size change to existing code to handle new use-cases labels Jun 17, 2025
jacoblee93
jacoblee93 reviewed Jun 17, 2025
View reviewed changes
langchain-core/src/utils/js-sha1/hash.ts Outdated
* This function will be removed in a future version.
*/
export const insecureHash = (message) => {
console.warn(
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's just log this once on initial call to avoid flooding the console and add some example code

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

add some example code

Can you elaborate on which example code you'd like to be added?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jacoblee93 can we maybe link to some docs?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah right... this is used in multiple places

@hntrl maybe let's make a small docs page with agnostic info here?

@manekinekko manekinekko requested a review from jacoblee93 June 17, 2025 18:10
jacoblee93
jacoblee93 reviewed Jun 17, 2025
View reviewed changes
@dosubot dosubot bot added size:M This PR changes 30-99 lines, ignoring generated files. and removed size:L This PR changes 100-499 lines, ignoring generated files. labels Jun 17, 2025
@manekinekko manekinekko requested a review from jacoblee93 June 17, 2025 21:09
@dosubot dosubot bot added the lgtm PRs that are ready to be merged as-is label Jun 18, 2025
@dosubot dosubot bot added size:XL This PR changes 500-999 lines, ignoring generated files. and removed size:M This PR changes 30-99 lines, ignoring generated files. labels Jun 18, 2025
hntrl
hntrl reviewed Jun 18, 2025
View reviewed changes
Copy link
Member

@hntrl hntrl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hope you don't mind, I picked up on some of the details for this PR to see if we cant get it out a bit quicker. Couple of things to note:

  • I think it's important that we provide what we're declaring as the 'future default' and provide an export for it. Just seems like extra thrash if we're telling people to bring their own hash algo then swapping out the default again entirely.

    • On that thread I did some perf testing of a bunch of the different hashing algos implemented in JS to see which one was the most performant (https://github.com/hntrl/js-hash-perf/blob/main/results/analysis.ipynb). I landed on sha256 over sha3, so I'm happy to bundle that into core, but I'm curious to know if that's suitable for your needs/ if there are any other considerations there/ what the security world's opinion is on sha256 (i.e. will another org get on our case for having sha256?)

  • Like Jacob mentioned I added a link to a more detailed warning page with examples in the warning instead of just inlining those details. Would love your opinion on if i'm on message, or if you guys would rework the example code at all.

@manekinekko
Copy link
Contributor Author

Thank you @hntrl and @jacoblee93 for providing improvements to this PR. I think sha256 is agreat start. It's defintely way stronger hash fn than sha1.

The PR LGTM.

@hntrl hntrl merged commit a6810a5 into langchain-ai:main Jun 19, 2025
36 of 37 checks passed
@manekinekko
Copy link
Contributor Author

Thank you @jacoblee93 and @hntrl for taking the time to help reviewing this work. We (Microsoft) appreciate it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hntrl hntrl hntrl approved these changes

@jacoblee93 jacoblee93 Awaiting requested review from jacoblee93

Assignees

No one assigned

Labels

auto:improvement Medium size change to existing code to handle new use-cases lgtm PRs that are ready to be merged as-is size:XL This PR changes 500-999 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@manekinekko @jacoblee93 @hntrl