Replace sha1 npm package with inline implementation (#1465)

Fixes #1464

The `sha1` npm package references `Buffer.isBuffer()` internally. Bundlers like webpack/Next.js see this and inject a **~28 KB Buffer polyfill** into every client page — even though the `Buffer` code path is never reached (we only hash short strings)

On top of that, `sha1` only ships CommonJS, forcing CJS interop on every bundler that consumes the ESM dist

- Remove `sha1` and `@types/sha1` dependencies
- Add a ~90-line inline SHA-1 (FIPS 180-4) that only handles UTF-8 strings — which is all the tracker needs
- Tests cover RFC 3174 vectors plus the actual domain-hash values to ensure identical output

- **-28 KB raw / ~7 KB gzipped** from every page for Next.js / webpack 5 users
- Eliminates the last CJS dependency in `browser-tracker-core`
- No API or behavioral changes

Author: jantimon

common/changes/@snowplow/browser-tracker-core/issue-1464-replace-sha1-buffer-polyfill_2026-03-29-16-18.json

@@ -0,0 +1,10 @@
+{
+  "changes": [
+    {
+      "comment": "Replace SHA1 buffer polyfill with lightweight implementation",
+      "type": "none",
+      "packageName": "@snowplow/browser-tracker-core"
+    }
+  ],
+  "packageName": "@snowplow/browser-tracker-core"
+}

common/config/rush/browser-approved-packages.json

@@ -222,10 +222,6 @@
       "name": "@types/react",
       "allowedCategories": [ "trackers" ]
     },
-    {
-      "name": "@types/sha1",
-      "allowedCategories": [ "libraries" ]
-    },
     {
       "name": "@types/sinon",
       "allowedCategories": [ "trackers" ]
@@ -430,10 +426,6 @@
       "name": "saucelabs",
       "allowedCategories": [ "trackers" ]
     },
-    {
-      "name": "sha1",
-      "allowedCategories": [ "libraries" ]
-    },
     {
       "name": "sinon",
       "allowedCategories": [ "trackers" ]

common/config/rush/pnpm-lock.yaml

@@ -1,5 +1,5 @@
 // DO NOT MODIFY THIS FILE MANUALLY BUT DO COMMIT IT. It is generated and used by Rush.
 {
-  "pnpmShrinkwrapHash": "d3b2991182c4ca5879833e9c94d65eb10cb6c7f1",
+  "pnpmShrinkwrapHash": "7bfb995166f0ecc4b03f50797de4b75379120fb5",
   "preferredVersionsHash": "bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f"
 }

common/config/rush/repo-state.json

@@ -23,7 +23,6 @@
   },
   "dependencies": {
     "@snowplow/tracker-core": "workspace:*",
-    "sha1": "^1.1.1",
     "tslib": "^2.3.1",
     "uuid": "^10.0.0"
   },
@@ -33,7 +32,6 @@
     "@rollup/plugin-node-resolve": "~13.1.3",
     "@types/jest": "~28.1.1",
     "@types/jsdom": "~16.2.14",
-    "@types/sha1": "~1.1.3",
     "@types/uuid": "^10.0.0",
     "@typescript-eslint/eslint-plugin": "~5.15.0",
     "@typescript-eslint/parser": "~5.15.0",

libraries/browser-tracker-core/package.json

@@ -0,0 +1,98 @@
+/**
+ * Pure-JS SHA-1 implementation (FIPS 180-4).
+ * Replaces the `sha1` npm package to avoid pulling in a Node.js `Buffer`
+ * polyfill (~28 KB) when bundled for the browser.
+ */
+/** Compute SHA-1 hex digest of a UTF-8 string (FIPS 180-4). */
+export function sha1(message: string): string {
+  // Encode UTF-8
+  const bytes: number[] = [];
+  for (let i = 0; i < message.length; i++) {
+    let c = message.charCodeAt(i);
+    if (c < 0x80) {
+      bytes.push(c);
+    } else if (c < 0x800) {
+      bytes.push(0xc0 | (c >> 6), 0x80 | (c & 0x3f));
+    } else if (c >= 0xd800 && c <= 0xdbff && i + 1 < message.length) {
+      const next = message.charCodeAt(++i);
+      c = 0x10000 + ((c & 0x3ff) << 10) + (next & 0x3ff);
+      bytes.push(0xf0 | (c >> 18), 0x80 | ((c >> 12) & 0x3f), 0x80 | ((c >> 6) & 0x3f), 0x80 | (c & 0x3f));
+    } else {
+      bytes.push(0xe0 | (c >> 12), 0x80 | ((c >> 6) & 0x3f), 0x80 | (c & 0x3f));
+    }
+  }
+
+  // Pre-processing: pad to 512-bit blocks
+  const bitLen = bytes.length * 8;
+  bytes.push(0x80);
+  while (bytes.length % 64 !== 56) bytes.push(0);
+  // Append length as 64-bit big-endian (high 32 bits always 0 for strings < 512 MB)
+  bytes.push(0, 0, 0, 0);
+  bytes.push((bitLen >>> 24) & 0xff, (bitLen >>> 16) & 0xff, (bitLen >>> 8) & 0xff, bitLen & 0xff);
+
+  // Initialize hash values
+  let h0 = 0x67452301;
+  let h1 = 0xefcdab89;
+  let h2 = 0x98badcfe;
+  let h3 = 0x10325476;
+  let h4 = 0xc3d2e1f0;
+
+  // Process each 512-bit block
+  const w = new Array<number>(80);
+  for (let offset = 0; offset < bytes.length; offset += 64) {
+    for (let i = 0; i < 16; i++) {
+      w[i] =
+        (bytes[offset + i * 4] << 24) |
+        (bytes[offset + i * 4 + 1] << 16) |
+        (bytes[offset + i * 4 + 2] << 8) |
+        bytes[offset + i * 4 + 3];
+    }
+    for (let i = 16; i < 80; i++) {
+      const n = w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16];
+      w[i] = (n << 1) | (n >>> 31);
+    }
+
+    let a = h0,
+      b = h1,
+      c = h2,
+      d = h3,
+      e = h4;
+
+    for (let i = 0; i < 80; i++) {
+      let f: number, k: number;
+      if (i < 20) {
+        f = (b & c) | (~b & d);
+        k = 0x5a827999;
+      } else if (i < 40) {
+        f = b ^ c ^ d;
+        k = 0x6ed9eba1;
+      } else if (i < 60) {
+        f = (b & c) | (b & d) | (c & d);
+        k = 0x8f1bbcdc;
+      } else {
+        f = b ^ c ^ d;
+        k = 0xca62c1d6;
+      }
+      const temp = (((a << 5) | (a >>> 27)) + f + e + k + w[i]) | 0;
+      e = d;
+      d = c;
+      c = (b << 30) | (b >>> 2);
+      b = a;
+      a = temp;
+    }
+
+    h0 = (h0 + a) | 0;
+    h1 = (h1 + b) | 0;
+    h2 = (h2 + c) | 0;
+    h3 = (h3 + d) | 0;
+    h4 = (h4 + e) | 0;
+  }
+
+  // Produce hex digest
+  let hex = '';
+  for (const h of [h0, h1, h2, h3, h4]) {
+    const part = (h >>> 0).toString(16);
+    hex += (part.length < 8 ? '00000000'.slice(part.length) : '') + part;
+  }
+  return hex;
+}

libraries/browser-tracker-core/src/helpers/sha1.ts

@@ -7,7 +7,7 @@ import {
   SelfDescribingJson,
   LOG,
 } from '@snowplow/tracker-core';
-import hash from 'sha1';
+import { sha1 as hash } from '../helpers/sha1';
 import { v4 as uuid } from 'uuid';
 import {
   decorateQuerystring,

libraries/browser-tracker-core/src/tracker/index.ts

@@ -0,0 +1,37 @@
+import { sha1 } from '../../src/helpers/sha1';
+
+describe('sha1', () => {
+  // RFC 3174 test vectors
+  test('empty string', () => {
+    expect(sha1('')).toBe('da39a3ee5e6b4b0d3255bfef95601890afd80709');
+  });
+
+  test('"abc"', () => {
+    expect(sha1('abc')).toBe('a9993e364706816aba3e25717850c26c9cd0d89d');
+  });
+
+  test('"The quick brown fox jumps over the lazy dog"', () => {
+    expect(sha1('The quick brown fox jumps over the lazy dog')).toBe('2fd4e1c67a2d28fced849ee1bb76e7391b93eb12');
+  });
+
+  test('multi-block message', () => {
+    expect(sha1('abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq')).toBe(
+      '84983e441c3bd26ebaae4aa1f95129e5e54670f1'
+    );
+  });
+
+  // Domain hash use case — must match output of sha1 npm package v1.1.1
+  test('domain hash: "example.com/"', () => {
+    expect(sha1('example.com/')).toBe('880970443b82bdca0439e34c62e6c667277c2b39');
+    expect(sha1('example.com/').slice(0, 4)).toBe('8809');
+  });
+
+  test('domain hash: "localhost/"', () => {
+    expect(sha1('localhost/')).toBe('1fffd42e9a20211889ebfae87a84665b392c19a4');
+    expect(sha1('localhost/').slice(0, 4)).toBe('1fff');
+  });
+
+  test('returns 40-char lowercase hex string', () => {
+    expect(sha1('anything')).toMatch(/^[0-9a-f]{40}$/);
+  });
+});