@addaleax addaleax commented Dec 8, 2025

We can safely use the webcrypto API exposed through the crypto global in both Node.js and Electron now.

This enables removing a polyfill with a known vulnerability in the VSCode extension.

Description

Checklist

  • New tests and/or benchmarks are included
  • Documentation is changed or added
  • If this change updates the UI, screenshots/videos are added and a design review is requested
  • If this change could impact the load on the MongoDB cluster, please describe the expected and worst case impact
  • I have signed the MongoDB Contributor License Agreement (https://www.mongodb.com/legal/contributor-agreement)

Motivation and Context

  • Bugfix
  • New feature
  • Dependency update
  • Misc

Open Questions

Dependents

Types of changes

  • Backport Needed
  • Patch (non-breaking change which fixes an issue)
  • Minor (non-breaking change which adds functionality)
  • Major (fix or feature that would cause existing functionality to change)

We can safely use the webcrypto API exposed through the `crypto`
global in both Node.js and Electron now.

This enables removing a polyfill with a known vulnerability in
the VSCode extension.
@addaleax addaleax requested a review from a team as a code owner December 8, 2025 12:41
@github-actions github-actions bot added the fix label Dec 8, 2025

Copilot AI left a comment

Pull request overview

This PR removes the dependency on Node.js's crypto module by replacing it with the globally available crypto (Web Crypto API), which works in both Node.js and Electron environments. This change eliminates a polyfill with a known security vulnerability in the VSCode extension.

Key changes:

  • Replaced Node.js crypto.randomBytes() with Web Crypto API's crypto.getRandomValues()
  • Removed the import statement for Node.js crypto module

@addaleax addaleax added no-title-validation Skips validation of PR titles (conventional commit adherence + JIRA ticket inclusion) no release notes Fix or feature not for release notes labels Dec 8, 2025
@addaleax addaleax merged commit da7393a into main Dec 9, 2025
242 of 256 checks passed
@addaleax addaleax deleted the no-crypto-module-in-connection-form branch December 9, 2025 11:25

Labels

fix no release notes Fix or feature not for release notes no-title-validation Skips validation of PR titles (conventional commit adherence + JIRA ticket inclusion)

4 participants