Merged
Conversation
owlstronaut
approved these changes
Dec 15, 2025
Member
Author
|
@H4ad just wanted to give you a heads up that these benchmark files are being added. I linked to the PRs where you first introduced these at the top of each of them but if you want to add them yourself for the full |
Merged
Contributor
|
Thanks for reaching out, I cherry pick and joined both changes in one commit, #161 |
Mostly in-lining comments. There were a few cases where impossible cases were being guarded against. Those were removed.
wraithgar
force-pushed
the
gar/cleanup
branch
from
7209e44 to
d1c2d88
Compare
owlstronaut
approved these changes
Dec 16, 2025
Merged
wraithgar
pushed a commit
that referenced
this pull request
Feb 9, 2026
🤖 I have created a release *beep* *boop* --- ## [13.0.1](v13.0.0...v13.0.1) (2025-12-16) ### Bug Fixes * [`eb83316`](eb83316) [#160](#160) hash: filter on known hashes (@wraithgar) * [`5b98568`](5b98568) [#160](#160) code cleanup (@wraithgar) ### Chores * [`940288e`](940288e) [#163](#163) remove tap (@owlstronaut) * [`26e09b8`](26e09b8) [#163](#163) move to node:test (@owlstronaut) * [`5ca3f4a`](5ca3f4a) [#161](#161) add benchmarks (#161) (@H4ad) * [`cf69694`](cf69694) [#156](#156) bump @npmcli/eslint-config from 5.1.0 to 6.0.0 (#156) (@dependabot[bot]) * [`05ce2c5`](05ce2c5) [#158](#158) bump @npmcli/template-oss from 4.28.0 to 4.28.1 (#158) (@dependabot[bot], @npm-cli-bot) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
wraithgar
added a commit
to npm/pacote
that referenced
this pull request
Feb 10, 2026
npm/ssri#160 filtered out invalid hashes
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This is two changes in one PR.
It cleans up comments and removes some unreachable code. These were safeguards with no way to test. If somehow there comes a way to test them we can add them again but for now they're impossible.
Also, it adds a filter to hashes for real algorithms. Strict mode still limits based on the spec, but this limits on reality. These hashes are impossible to validate and thus shouldn't be made. We can discuss if this is actually a breaking change but in my view "prevent impossible hashes from being created" is not a breaking change.