update or replace base64-js and js-sha256 #15769

Closed
Codem0nky opened this issue Nov 30, 2022 · 14 comments · Fixed by #30667

@Codem0nky

Description

update or replace base64-js and js-sha256:

Warning: /.../oss/keycloak-angular/example/node_modules/keycloak-js/dist/keycloak.mjs depends on 'base64-js'. CommonJS or AMD dependencies can cause optimization bailouts.
For more info see: https://angular.io/guide/build#configuring-commonjs-dependencies

Warning: /.../oss/keycloak-angular/example/node_modules/keycloak-js/dist/keycloak.mjs depends on 'js-sha256'. CommonJS or AMD dependencies can cause optimization bailouts.
For more info see: https://angular.io/guide/build#configuring-commonjs-dependencies

Discussion

No response

Motivation

cause optimization bailouts

Details

N/A

Codem0nky added the kind/enhancement and status/triage labels Nov 30, 2022

@janostik

janostik commented Jan 2, 2023

We're now facing the same issue. Is there any update on this?

@Freakaz0id

Freakaz0id commented Feb 21, 2023

Using vite, I also get this warning, because js-sha256 seems to be deprecated:

Use of eval in "node_modules/js-sha256/src/sha256.js" is strongly discouraged as it poses security risks and may cause issues with minification.

@vasnakos

vasnakos commented Mar 15, 2023

Same issue with Angular 15. I suppressed the warnings by adding

  "allowedCommonJsDependencies": [
    "base64-js",
    "js-sha256"
  ],

in the angular.json.

@WANZARGEN

The same issue here...🥲 (vite)

@frolovsky

Hi! If you get an error in the console like "caught SyntaxError: The requested module '/node_modules/base64-js/index.js?v=46b70b48' does not provide an export named 'default' (at keycloak.mjs?v=46b70b48:1:8)", you can try 2 options:
a) add "keycloak-js" to optimizeDeps.include
b) install the commonjs plugin https://www.npmjs.com/package/@originjs/vite-plugin-commonjs

@bbodine1

Same issue with Angular 15. I suppressed the warnings by adding

  "allowedCommonJsDependencies": [
    "base64-js",
    "js-sha256"
  ],

in the angular.json.

More specifically, in the targets -> build -> options object

angular.json
example:

{
  "name": "app-name",
  ....
  "targets": {
    "build": {
      "executor": "@angular-devkit/build-angular:browser",
      "outputs": ["{options.outputPath}"],
      "options": {
        ....
        "allowedCommonJsDependencies": ["flat", "base64-js", "js-sha256"],
        ....
      }
    }
  }
}

@combacsa

combacsa commented Sep 25, 2023

Could this be related to emn178/js-sha256#18? (The one mentioned in #15769 (comment))

@jonkoops
Contributor

Thanks for reminding me @combacsa. It does indeed look like this issue is now resolved as the new version of js-sha256 now ships without using eval(). I'll go ahead and close this issue.

@prewk

prewk commented Nov 13, 2023

This issue is not solved, the (basically unmaintained) package js-sha256 has only removed eval() which removes a RollupJS warning which this issue isn't about.

@jonkoops
Contributor

@prewk You are right, I had this confused for a different issue. Reopening.

@jonkoops jonkoops reopened this Nov 13, 2023
@jonkoops
Contributor

If anyone knows a good alternative to js-sha256 and base64-js that is fully ESM compatible, popular and actively maintained let me know.

I am willing to entertain the idea of making a breaking change to Keycloak JS by using the Web Crypto API if it allows us to shed some dependencies. This would be a breaking change for some of our methods, as that API is async, and a lot of our public API is not.

@codespearhead
Contributor

| Current Library | Maintained Alternative |
| --- | --- |
| base64-js | js-base64 |
| js-sha256 | noble-hashes |

@robrez Will the above replacements solve the problem of the ESM-compatible builds reported in #30261 ?

@jonkoops
Contributor

We no longer need to replace base64-js, as this has been removed under #26265. I think @noble/hashes is a good replacement, it looks to be more actively maintained and audited, as well as being more popular overall. If someone wants to create a PR to use it as a replacement I'd gladly accept it.

npriebe pushed a commit to npriebe/keycloak that referenced this issue Jun 26, 2024
@jonkoops
Contributor

jonkoops commented Sep 24, 2024

Wanted to give a quick status update here, thanks to @schreibse we managed to replace js-sha256 with @noble/hashes (see #30667).

However, I am experimenting with the Web Crypto API and I think we can drop the dependency altogether (see #33251). Feel free to try it out and let me know what you think!

If this works out well I think we'll see if we can make Keycloak JS entirely dependency free.
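
Added example, not part of this thread and not Keycloak JS code: a SHA-256 digest and base64url encoder built only on the Web Crypto API and `btoa`, showing what dropping js-sha256 and base64-js in favour of platform APIs involves and why the hash function becomes Promise-returning. The function names are hypothetical, and the `require` fallback assumes a CommonJS Node runtime without a global `crypto`.

```javascript
// SHA-256 + base64url with platform APIs only (no js-sha256, no base64-js).
// Browsers and recent Node expose `crypto` globally; the fallback is an
// assumption for older CommonJS Node runtimes.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;

// Encode raw bytes as unpadded base64url (RFC 4648, section 5).
function base64UrlEncode(bytes) {
  let binary = "";
  for (const b of bytes) binary += String.fromCharCode(b);
  return btoa(binary)
    .replace(/\+/g, "-")
    .replace(/\//g, "_")
    .replace(/=+$/, "");
}

// Hex form, convenient for comparing against published test vectors.
function toHex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// subtle.digest() returns a Promise, so this function and every caller of it
// must be async. A synchronous public method cannot wrap it without changing
// its signature, which is the breaking change discussed in the thread.
async function sha256(message) {
  const data = new TextEncoder().encode(message);
  return new Uint8Array(await subtle.digest("SHA-256", data));
}

// Digest a string and return it as base64url text.
async function sha256Base64Url(message) {
  return base64UrlEncode(await sha256(message));
}

// Constructed sample input, for running the file stand-alone.
sha256Base64Url("constructed-sample-input").then((v) => console.log(v));
```

`crypto.subtle` is only exposed in secure contexts (HTTPS or localhost) in browsers, so a page served over plain HTTP cannot use this path.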
