
fix: upgrade generateBoundary from MD5 to SHA-256 #524

Merged
mwbrooks merged 1 commit into main from mwbrooks-snyk-sha256-hook-boundary
May 6, 2026

fix: upgrade generateBoundary from MD5 to SHA-256#524
mwbrooks merged 1 commit intomainfrom
mwbrooks-snyk-sha256-hook-boundary

Conversation

@mwbrooks
Member

@mwbrooks mwbrooks commented May 6, 2026

Changelog

  • N/A

Summary

This pull request replaces MD5 with SHA-256 in the hook executor's boundary string generator to resolve a Snyk weak-hash finding.

Also fixes a subtle bug where the original code called MD5Hash.Sum(randomBytes) which appends the hash of empty input to randomBytes, rather than actually hashing the random bytes. The fix properly uses hash.Write(randomBytes) followed by hash.Sum(nil).

Testing

Bolt JS:

$ lack create my-app
# → Starter App → Bolt for JavaScript

$ lack run
# → Test the app and confirm the logs appear
# CTRL+C

$ lack manifest info
# → Confirm manifest appears

$ lack delete -f
$ cd ../
$ rm -rf my-app/

# Repeat for:
# → Bolt for Python
# → Deno SDK

Notes

  • Boundary output changes from 32 hex chars (MD5) to 64 hex chars (SHA-256); the SDK uses substring matching so any length works

Requirements
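The Sum pitfall the description points at is easy to reproduce, so here is an added Go example (written for this page, not code from the slack-cli repository). hash.Hash.Sum(b) appends the digest of everything written so far to b and returns the result; on a fresh hash that is the digest of zero bytes, so Sum(randomBytes) yields randomBytes followed by a constant and never hashes the random bytes at all. The buggyBoundary and fixedBoundary functions are hypothetical reconstructions of the before/after shapes, the 16-byte entropy size in generateBoundary is an assumption, and the two sample byte slices are constructed inputs.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// emptySHA256Hex is the SHA-256 digest of zero bytes, hex-encoded.
// In the buggy variant below it appears, unchanged, at the end of
// every boundary regardless of the random input.
func emptySHA256Hex() string {
	sum := sha256.Sum256(nil)
	return hex.EncodeToString(sum[:])
}

// buggyBoundary mirrors the mistake named in the PR description:
// hash.Hash.Sum(b) APPENDS the digest of whatever has been written so
// far (here: nothing) to b. The random bytes are never hashed; they pass
// through verbatim, followed by the constant empty-input digest.
// (Hypothetical reconstruction for illustration, not the project's code.)
func buggyBoundary(randomBytes []byte) string {
	h := sha256.New()
	return hex.EncodeToString(h.Sum(randomBytes))
}

// fixedBoundary is the pattern the PR adopts: Write the random bytes into
// the hash, then Sum(nil) to obtain only the 32-byte digest (64 hex chars).
func fixedBoundary(randomBytes []byte) string {
	h := sha256.New()
	h.Write(randomBytes) // hash.Hash.Write is documented never to return an error
	return hex.EncodeToString(h.Sum(nil))
}

// generateBoundary draws fresh entropy from crypto/rand and hashes it the
// fixed way. The name follows the PR title; the 16-byte size is an
// assumption made for this example, not a value taken from the page.
func generateBoundary() (string, error) {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return fixedBoundary(buf), nil
}

func main() {
	// Constructed sample input: two different 16-byte "random" values.
	a := []byte{0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
		0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10}
	b := []byte{0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99, 0x88,
		0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11, 0x00}

	fmt.Println("buggy(a):", buggyBoundary(a)) // hex(a) + SHA-256(""), 96 hex chars
	fmt.Println("buggy(b):", buggyBoundary(b)) // different prefix, identical 64-char tail
	fmt.Println("fixed(a):", fixedBoundary(a)) // 64 hex chars that depend on a
	fmt.Println("fixed(b):", fixedBoundary(b))

	bnd, err := generateBoundary()
	if err != nil {
		panic(err)
	}
	fmt.Println("fresh boundary:", bnd, "len:", len(bnd))
}
```

The check worth keeping next to a change like this is a unit test that asserts the boundary length (64 hex characters for SHA-256) and that two generated boundaries never share the empty-input digest as a suffix; both assertions fail against the Sum(randomBytes) form and pass against Write followed by Sum(nil).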

@codecov

codecov Bot commented May 6, 2026

Codecov Report

❌ Patch coverage is 83.33333% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 71.26%. Comparing base (68134ad) to head (84adf0b).
⚠️ Report is 1 commit behind head on main.

Files with missing lines Patch % Lines
internal/hooks/hook_executor_v2.go 83.33% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #524      +/-   ##
==========================================
- Coverage   71.27%   71.26%   -0.02%     
==========================================
  Files         222      222              
  Lines       18682    18682              
==========================================
- Hits        13315    13313       -2     
- Misses       4185     4188       +3     
+ Partials     1182     1181       -1     


@mwbrooks mwbrooks self-assigned this May 6, 2026
@mwbrooks mwbrooks added labels May 6, 2026: security (Use on pull requests related to security), semver:patch (Use on pull requests to describe the release version increment)
@mwbrooks mwbrooks added this to the Next Release milestone May 6, 2026
@mwbrooks mwbrooks marked this pull request as ready for review May 6, 2026 22:58
@mwbrooks mwbrooks requested a review from a team as a code owner May 6, 2026 22:58
Member

@zimeg zimeg left a comment


@mwbrooks Super fun improvement to land! Thanks for keeping our hook boundaries separated 🔏

@mwbrooks
Member Author

mwbrooks commented May 6, 2026

Thanks for the quick reviews @zimeg! 🚀

@mwbrooks mwbrooks merged commit 1570564 into main May 6, 2026
8 checks passed
@mwbrooks mwbrooks deleted the mwbrooks-snyk-sha256-hook-boundary branch May 6, 2026 23:05

Labels

security (Use on pull requests related to security), semver:patch (Use on pull requests to describe the release version increment)


2 participants