Drop JSSHA in favor of Web Crypto API (#506)

wKovacs64 · web-flow · commit 56fdf3829846 · 2025-03-22T15:26:18.000-06:00
diff --git a/.bundlewatch.config.json b/.bundlewatch.config.json
@@ -3,15 +3,15 @@
     {
       "//": "Pre-bundled for Browser (UMD)",
       "path": "dist/browser/hibp.umd.js",
-      "maxSize": "9.3 kB"
+      "maxSize": "6.3 kB"
     },
     {
       "//": "Pre-bundled for Browser (ESM)",
       "path": "dist/browser/hibp.module.js",
-      "maxSize": "4.9 kB"
+      "maxSize": "1.9 kB"
     },
     {
-      "//": "Bundled with Webpack (CJS)",
+      "//": "Bundled (CJS)",
       "path": "dist/cjs/breach.cjs",
       "maxSize": "1 kB"
     },
@@ -48,7 +48,7 @@
       "maxSize": "1 kB"
     },
     {
-      "//": "Bundled with Webpack (ESM)",
+      "//": "Bundled (ESM)",
       "path": "dist/esm/breach.js",
       "maxSize": "1 kB"
     },
@@ -70,7 +70,7 @@
     },
     {
       "path": "dist/esm/pwned-password.js",
-      "maxSize": "1 kB"
+      "maxSize": "1.1 kB"
     },
     {
       "path": "dist/esm/pwned-password-range.js",
diff --git a/.changeset/dry-beds-press.md b/.changeset/dry-beds-press.md
@@ -0,0 +1,5 @@
+---
+'hibp': minor
+---
+
+Drop `JSSHA` dependency in favor of a native Web Crypto API SHA-1 hashing implementation. This change reduces the size of the library by approximately 30%! 📉
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -81,7 +81,6 @@
     "node": ">= 18.0.0"
   },
   "dependencies": {
-    "jssha": "^3.3.1",
     "undici": "^6.14.1"
   },
   "devDependencies": {
diff --git a/src/pwned-password.ts b/src/pwned-password.ts
@@ -1,4 +1,3 @@
-import JSSHA from 'jssha/dist/sha1';
 import { pwnedPasswordRange } from './pwned-password-range.js';
 
 /**
@@ -56,13 +55,25 @@ export async function pwnedPassword(
     userAgent?: string;
   } = {},
 ): Promise<number> {
-  // @ts-expect-error: JSSHA types are busted
-  const sha1 = new JSSHA('SHA-1', 'TEXT');
-  sha1.update(password);
-  const hash = sha1.getHash('HEX', { outputUpper: true });
-  const prefix = hash.slice(0, 5);
-  const suffix = hash.slice(5);
-
+  const [prefix, suffix] = await getPasswordHashParts(password);
   const range = await pwnedPasswordRange(prefix, options);
   return range[suffix] || 0;
 }
+
+async function getPasswordHashParts(password: string) {
+  if (typeof crypto === 'object' && crypto.subtle) {
+    const msgUint8 = new TextEncoder().encode(password);
+    const hashBuffer = await crypto.subtle.digest('SHA-1', msgUint8);
+    const hashArray = Array.from(new Uint8Array(hashBuffer));
+    const hashHex = hashArray
+      .map((byte) => byte.toString(16).padStart(2, '0'))
+      .join('')
+      .toUpperCase();
+
+    return [hashHex.slice(0, 5), hashHex.slice(5)] as const;
+    /* c8 ignore start */
+  }
+
+  throw new Error('The Web Crypto API is not available in this environment.');
+}
+/* c8 ignore end */

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'hibp': minor
 +---
++
 +Drop `JSSHA` dependency in favor of a native Web Crypto API SHA-1 hashing implementation. This change reduces the size of the library by approximately 30%! 📉