Ccodemod

codemod/upgrade-crypto-deprecated-functions

Replaces deprecated Node.js crypto functions like crypto.createHash('md5') with secure alternatives

transformationmigrationsecuritycryptomd5sha1sha256
Public
4 executions
Apply to Repository

Run locally

npx codemod @codemod/upgrade-crypto-deprecated-functions

Upgrade Crypto Deprecated Functions

A security-focused codemod that automatically replaces deprecated Node.js crypto functions (MD5, SHA-1) with secure alternatives (SHA-256).

Why This Matters

Deprecated cryptographic hash functions like MD5 and SHA-1 have known vulnerabilities:

  • MD5: Vulnerable to collision attacks since 2004
  • SHA-1: Broken by the SHAttered attack in 2017
  • SHA: Original SHA algorithm, deprecated since 1995

These weak algorithms should be replaced with stronger alternatives like SHA-256 or SHA-512.

Security Impact

This codemod addresses the following security vulnerabilities:

  • CWE-327: Use of a Broken or Risky Cryptographic Algorithm
  • CWE-328: Reversible One-Way Hash

Transformations

crypto.createHash()

Before:

javascript

After:

javascript

crypto.createHmac()

Before:

javascript

After:

javascript

CommonJS Support

Before:

javascript

After:

javascript

Named Imports

Before:

javascript

After:

javascript

What Gets Transformed

  • crypto.createHash('md5')crypto.createHash('sha256')
  • crypto.createHash('sha1')crypto.createHash('sha256')
  • crypto.createHash('sha')crypto.createHash('sha256')
  • crypto.createHmac('md5', key)crypto.createHmac('sha256', key)
  • crypto.createHmac('sha1', key)crypto.createHmac('sha256', key)
  • require('crypto').createHash('md5')require('crypto').createHash('sha256')
  • ✅ Named imports: createHash('md5')createHash('sha256')

What Doesn't Get Transformed

  • ❌ Files with @legacy-crypto comments (intentional legacy usage)
  • ❌ Already secure algorithms (sha256, sha512, etc.)
  • ❌ Variable-based algorithms (createHash(algorithm))
  • ❌ Non-crypto module function calls

Installation & Usage

bash

Skipping Legacy Code

To skip transformation for intentional legacy usage, add a @legacy-crypto comment anywhere in the file:

javascript

Important Notes

⚠️ Breaking Change: This transformation will change hash outputs. Ensure you update:

  • Stored hashes in databases
  • Hash-dependent functionality (checksums, cache keys)
  • Tests that verify specific hash values

💡 Recommendation: For applications requiring higher security, consider manually upgrading to SHA-512 instead of SHA-256.

Development

bash

Security References

License

MIT

Ready to contribute?

Build your own codemod and share it with the community.

Publish a codemodJoin the community