Preventing Short Hash Collision Attacks in Package Dependencies
This GitHub Action implements automatic security checks to prevent git short hash collision attacks in dependencies across multiple platforms and protocols.
```json
{
  "dependencies": {
    "vue-lib": "github:user/vue-lib#a1b2c3d",
    "react-utils": "git+https://github.com/user/react.git#ef4567a"
  }
}
```
🚨 SECURITY RISK: Short hashes enable collision attacks!
🔍 The difference: 7 chars = vulnerable vs 40 chars = secure
Problem: Short git commit hashes (7-39 characters) in dependencies are vulnerable to collision attacks where:
- 🎯 Attackers can create commits with the same short hash prefix
- 💥 This causes "ambiguous short SHA" errors on git platforms
- 🔗 Breaking builds and potentially enabling supply chain attacks
- 📦 Compromising package integrity and reproducible builds
Solution: We enforce the use of full 40-character commit hashes for all git dependencies.
This action validates dependencies across all major git platforms and protocols:
Platform | Supported Formats | Status |
---|---|---|
🐙 GitHub | `github:`, `git+https://github.com` | ✅ Supported |
🦊 GitLab | `gitlab:`, `git+https://gitlab.com` | ✅ Supported |
🪣 Bitbucket | `bitbucket:`, `git+https://bitbucket.org` | ✅ Supported |
🔒 SSH Protocol | `git+ssh://` | ✅ Supported |
📦 Shrinkwrap | `npm-shrinkwrap.json` validation | ✅ Supported |
```json
{
  "name": "my-app",
  "dependencies": {
    "vue-lib": "github:user/vue-lib#a1b2c3d",
    "react-utils": "git+https://github.com/user/react-utils.git#ef4567a",
    "node-helpers": "gitlab:team/helpers#9abc123"
  }
}
```
🚨 SECURITY VULNERABILITY: Short hashes are collision-vulnerable!
```json
{
  "name": "my-app",
  "dependencies": {
    "vue-lib": "github:user/vue-lib#a1b2c3d4e5f6789012345678901234567890abcd",
    "react-utils": "git+https://github.com/user/react-utils.git#ef4567a8901234567890123456789012345678ef",
    "node-helpers": "gitlab:team/helpers#9abc123456789012345678901234567890123456"
  }
}
```
🎉 ALL DEPENDENCIES SECURE: Full 40-character hashes provide maximum security!
- ✅ `package.json` - All git dependency declarations
- ✅ `npm-shrinkwrap.json` - Resolved dependency hashes (if present)
```text
github:org/repo#hash
gitlab:org/repo#hash
bitbucket:org/repo#hash
git+https://github.com/org/repo.git#hash
git+https://gitlab.com/org/repo.git#hash
git+ssh://git@github.com/org/repo.git#hash
```
- ❌ Flags: 7-39 character hashes (collision vulnerable)
- ✅ Passes: 40-character hashes (cryptographically secure)
- ℹ️ Ignores: Non-hex references (tags, branches)
- ℹ️ Ignores: Very short hex strings (<7 chars, likely tags)
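As an added example (not the action's own source), the detection rules above applied to a `package.json` document in JavaScript; the dependency field list and the sample specifiers are constructed for illustration:

```javascript
// Constructed checker that applies the rules listed above; not the action's code.
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// Git specifier prefixes the action documents as supported.
const GIT_SPEC = /^(github:|gitlab:|bitbucket:|git\+https:\/\/|git\+ssh:\/\/)/;

// Classify the fragment after '#' in a git dependency specifier.
function classifyRef(ref) {
  if (!/^[0-9a-f]+$/i.test(ref)) return 'ignored-non-hex'; // tag or branch name
  if (ref.length === 40) return 'full';                      // full SHA-1 commit id: passes
  if (ref.length >= 7) return 'short';                       // 7-39 hex chars: flagged
  return 'ignored-too-short';                                // <7 hex chars: treated as a tag
}

// Scan a package.json string and return one finding per short-hash git dependency.
function findShortHashes(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (typeof spec !== 'string' || !GIT_SPEC.test(spec)) continue; // not a git dependency
      const hashIdx = spec.indexOf('#');
      if (hashIdx === -1) continue; // no ref pinned at all
      const ref = spec.slice(hashIdx + 1);
      if (classifyRef(ref) === 'short') {
        findings.push({ field, name, spec, refLength: ref.length });
      }
    }
  }
  return findings;
}

// Constructed sample package.json: one short hash, one full hash, one tag,
// one registry range, and one short hash under devDependencies.
const SAMPLE = JSON.stringify({
  name: 'my-app',
  dependencies: {
    'vue-lib': 'github:user/vue-lib#a1b2c3d',
    'react-utils': 'git+https://github.com/user/react-utils.git#0123456789abcdef0123456789abcdef01234567',
    'node-helpers': 'gitlab:team/helpers#v1.2.0',
    lodash: '^4.17.21',
  },
  devDependencies: { 'build-tool': 'git+ssh://git@github.com/org/repo.git#abc1234' },
});

for (const f of findShortHashes(SAMPLE)) {
  console.log(`${f.field}.${f.name}: ${f.refLength}-char hash in "${f.spec}" (use the full 40-char commit hash)`);
}
```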
Add this action to your GitHub workflow:
```yaml
name: Security Check
on: [push, pull_request]
jobs:
  git-hash-security:
    runs-on: ubuntu-latest
    steps:
      - name: Git Hash Security Check
        uses: Automattic/vip-actions/git-hash-security-check@v0.7.1
```
Benefit | Description |
---|---|
🛡️ Collision Resistance | Full 40-character hashes prevent collision attacks |
🔒 Supply Chain Integrity | Ensures dependencies point to exact commits |
📦 Reproducible Builds | Guarantees consistent dependency resolution |
🎯 Zero False Positives | Smart detection distinguishes tags from hashes |
🌐 Multi-Platform | Works across GitHub, GitLab, Bitbucket |
⚡ Fast Validation | Efficient regex-based scanning |
When the action detects short hashes:
- Update `package.json` to use full 40-character commit hashes
- Delete `npm-shrinkwrap.json` (if present)
- Run `npm install` to regenerate with full hashes
- Commit the changes and re-run the security check
```bash
# Get the full hash for a short reference
git ls-remote https://github.com/user/repo.git short-ref
# Note: ls-remote resolves branch and tag names only; to expand a short commit
# hash to its full 40 characters, run `git rev-parse short-ref` inside a clone.
# Or visit the GitHub commit page
https://github.com/user/repo/commit/short-ref
```