From 855b031025a909f9e163eaa5f04df21450304b88 Mon Sep 17 00:00:00 2001 From: "Node.js GitHub Bot" Date: Sun, 25 Jan 2026 14:26:00 +0000 Subject: [PATCH] feat: update gyp-next to v0.21.1 --- gyp/.github/workflows/node-gyp.yml | 12 +++--------- gyp/.github/workflows/nodejs.yml | 12 +++--------- gyp/.github/workflows/python_tests.yml | 2 +- gyp/.github/workflows/release-please.yml | 10 +++++----- gyp/.release-please-manifest.json | 2 +- gyp/CHANGELOG.md | 7 +++++++ gyp/pylib/gyp/MSVSNew.py | 6 +++--- gyp/pylib/gyp/generator/make.py | 2 +- gyp/pylib/gyp/generator/ninja.py | 7 +++---- gyp/pylib/gyp/xcodeproj_file.py | 2 +- gyp/pyproject.toml | 2 +- 11 files changed, 29 insertions(+), 35 deletions(-) diff --git a/gyp/.github/workflows/node-gyp.yml b/gyp/.github/workflows/node-gyp.yml index 2e592a6d38..016d2e0abc 100644 --- a/gyp/.github/workflows/node-gyp.yml +++ b/gyp/.github/workflows/node-gyp.yml @@ -11,27 +11,21 @@ jobs: matrix: os: [macos-latest, ubuntu-latest, windows-latest] python-version: ["3.10", "3.12", "3.14"] - exclude: - # Windows on Python 3.14 is blocked by nodejs/node#59983 - - os: windows-latest - python-version: "3.14" include: - - os: windows-latest # Windows on Python 3.13 instead of 3.14 - python-version: "3.13" - os: macos-15-intel # macOS on Intel python-version: "3.14" - os: ubuntu-24.04-arm # Ubuntu on ARM python-version: "3.14" - os: windows-11-arm # Windows on ARM - python-version: "3.13" # Windows on Python 3.13 instead of 3.14 + python-version: "3.14" runs-on: ${{ matrix.os }} steps: - name: Clone gyp-next - uses: actions/checkout@v5 + uses: actions/checkout@v6 with: path: gyp-next - name: Clone nodejs/node-gyp - uses: actions/checkout@v5 + uses: actions/checkout@v6 with: repository: nodejs/node-gyp path: node-gyp diff --git a/gyp/.github/workflows/nodejs.yml b/gyp/.github/workflows/nodejs.yml index e73e5bd06b..c88fe7bcf2 100644 --- a/gyp/.github/workflows/nodejs.yml +++ b/gyp/.github/workflows/nodejs.yml 
@@ -11,28 +11,22 @@ jobs: matrix: os: [macos-latest, ubuntu-latest, windows-latest] python-version: ["3.10", "3.12", "3.14"] - exclude: - # Windows on Python 3.14 is blocked by nodejs/node#59983 - - os: windows-latest - python-version: "3.14" include: - - os: windows-latest # Windows on Python 3.13 instead of 3.14 - python-version: "3.13" - os: macos-15-intel # macOS on Intel python-version: "3.14" - os: ubuntu-24.04-arm # Ubuntu on ARM python-version: "3.14" - os: windows-11-arm # Windows on ARM - python-version: "3.13" # Windows on Python 3.13 instead of 3.14 + python-version: "3.14" runs-on: ${{ matrix.os }} steps: - name: Clone gyp-next - uses: actions/checkout@v5 + uses: actions/checkout@v6 with: path: gyp-next - name: Clone nodejs/node - uses: actions/checkout@v5 + uses: actions/checkout@v6 with: repository: nodejs/node path: node diff --git a/gyp/.github/workflows/python_tests.yml b/gyp/.github/workflows/python_tests.yml index 72dfd58536..812d32d7f7 100644 --- a/gyp/.github/workflows/python_tests.yml +++ b/gyp/.github/workflows/python_tests.yml @@ -20,7 +20,7 @@ jobs: - os: macos-26 python-version: 3.x steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@v6 - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v6 with: diff --git a/gyp/.github/workflows/release-please.yml b/gyp/.github/workflows/release-please.yml index 6a18003c79..81f8626c77 100644 --- a/gyp/.github/workflows/release-please.yml +++ b/gyp/.github/workflows/release-please.yml @@ -24,11 +24,11 @@ jobs: if: ${{ needs.release-please.outputs.release_created }} # only publish on release runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@v6 - name: Build a binary wheel and a source tarball run: pipx run build - name: Store the distribution packages - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@v6 with: name: python-package-distributions path: dist/ 
@@ -48,7 +48,7 @@ jobs: id-token: write # IMPORTANT: mandatory for trusted publishing steps: - name: Download all the dists - uses: actions/download-artifact@v6 + uses: actions/download-artifact@v7 with: name: python-package-distributions path: dist/ @@ -68,12 +68,12 @@ jobs: id-token: write # IMPORTANT: mandatory for sigstore steps: - name: Download all the dists - uses: actions/download-artifact@v6 + uses: actions/download-artifact@v7 with: name: python-package-distributions path: dist/ - name: Sign the dists with Sigstore - uses: sigstore/gh-action-sigstore-python@v3.1.0 + uses: sigstore/gh-action-sigstore-python@v3.2.0 with: inputs: >- ./dist/*.tar.gz diff --git a/gyp/.release-please-manifest.json b/gyp/.release-please-manifest.json index ca64307ab8..c825abab69 100644 --- a/gyp/.release-please-manifest.json +++ b/gyp/.release-please-manifest.json @@ -1,3 +1,3 @@ { - ".": "0.21.0" + ".": "0.21.1" } diff --git a/gyp/CHANGELOG.md b/gyp/CHANGELOG.md index 31f4d25874..9a14685447 100644 --- a/gyp/CHANGELOG.md +++ b/gyp/CHANGELOG.md @@ -1,5 +1,12 @@ # Changelog +## [0.21.1](https://github.com/nodejs/gyp-next/compare/v0.21.0...v0.21.1) (2026-01-24) + + +### Bug Fixes + +* replace weak hash functions with SHA-256 ([#329](https://github.com/nodejs/gyp-next/issues/329)) ([958029e](https://github.com/nodejs/gyp-next/commit/958029e6e4969a871d15e78cd083bb102bebb381)) + ## [0.21.0](https://github.com/nodejs/gyp-next/compare/v0.20.5...v0.21.0) (2025-11-04) diff --git a/gyp/pylib/gyp/MSVSNew.py b/gyp/pylib/gyp/MSVSNew.py index f8e4993d94..9149f404a5 100644 --- a/gyp/pylib/gyp/MSVSNew.py +++ b/gyp/pylib/gyp/MSVSNew.py @@ -34,7 +34,7 @@ def MakeGuid(name, seed="msvs_new"): Args: name: Target name. - seed: Seed for MD5 hash. + seed: Seed for SHA-256 hash. Returns: A GUID-line string calculated from the name and seed. 
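Review bot: The jobs in release-please.yml that hold `id-token: write` still reference their actions by mutable tag (`actions/download-artifact@v7`, `sigstore/gh-action-sigstore-python@v3.2.0`). If either tag were moved, the replacement code would run with the OIDC token used for trusted publishing and Sigstore signing. Pin each to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: sigstore/gh-action-sigstore-python@<full-commit-sha> # v3.2.0`. The same applies to the `actions/checkout@v6` and `actions/upload-artifact@v6` steps in the build job of this file, whose output is what gets published and signed. The job definitions start outside these hunks.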
@@ -44,8 +44,8 @@ def MakeGuid(name, seed="msvs_new"): determine the GUID to refer to explicitly. It also means that the GUID will not change when the project for a target is rebuilt. """ - # Calculate a MD5 signature for the seed and name. - d = hashlib.md5((str(seed) + str(name)).encode("utf-8")).hexdigest().upper() + # Calculate a SHA-256 signature for the seed and name. + d = hashlib.sha256((str(seed) + str(name)).encode("utf-8")).hexdigest().upper() # Convert most of the signature to GUID form (discard the rest) guid = ( "{" diff --git a/gyp/pylib/gyp/generator/make.py b/gyp/pylib/gyp/generator/make.py index 5f30f39fc5..16b6f4e80b 100644 --- a/gyp/pylib/gyp/generator/make.py +++ b/gyp/pylib/gyp/generator/make.py @@ -2169,7 +2169,7 @@ def WriteMakeRule( # - The multi-output rule will have an do-nothing recipe. # Hash the target name to avoid generating overlong filenames. - cmddigest = hashlib.sha1( + cmddigest = hashlib.sha256( (command or self.target).encode("utf-8") ).hexdigest() intermediate = "%s.intermediate" % cmddigest diff --git a/gyp/pylib/gyp/generator/ninja.py b/gyp/pylib/gyp/generator/ninja.py index bc9ddd2654..4eac6cdb27 100644 --- a/gyp/pylib/gyp/generator/ninja.py +++ b/gyp/pylib/gyp/generator/ninja.py @@ -809,9 +809,8 @@ def cygwin_munge(path): outputs = [self.GypPathToNinja(o, env) for o in outputs] if self.flavor == "win": # WriteNewNinjaRule uses unique_name to create a rsp file on win. - extra_bindings.append( - ("unique_name", hashlib.md5(outputs[0]).hexdigest()) - ) + unique_name = hashlib.sha256(outputs[0].encode("utf-8")).hexdigest() + extra_bindings.append(("unique_name", unique_name)) self.ninja.build( outputs, 
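Review bot: Switching `MakeGuid` from MD5 to SHA-256 changes every GUID it returns for a given name and seed, while the docstring still says users can determine the GUID "to refer to explicitly". Solutions or scripts that recorded a GUID from gyp-next 0.21.0 or earlier will no longer match. The value is an identifier rather than an integrity check, so the comment should say so and note the break, e.g. `# SHA-256 of seed+name, used only as a stable identifier; values differ from gyp-next <= 0.21.0.` The "discard the rest" comment now applies to a 64-digit digest; the slicing itself is outside this hunk. The same ID churn presumably applies to the IDs derived from `seed_hash` in xcodeproj_file.py, so the changelog entry should mention that generated project files will differ.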
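Review bot: The comment above `cmddigest` says the hash exists "to avoid generating overlong filenames", but a SHA-256 hex digest is 64 characters where SHA-1 gave 40, so the `%s.intermediate` name grows by 24 characters. A build-local file name does not need the full digest, so truncating keeps the old length: `cmddigest = hashlib.sha256((command or self.target).encode("utf-8")).hexdigest()[:40]`. The same growth, from 32 to 64 characters, applies to `unique_name` and `hash_for_rules` in generator/ninja.py. There `unique_name` names an rsp file on Windows, where path-length limits are tighter, so check it against deep output directories. `WriteMakeRule` continues outside this hunk.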
@@ -2803,7 +2802,7 @@ def GenerateOutputForConfig(target_list, target_dicts, data, params, config_name build_file, name, toolset ) qualified_target_for_hash = qualified_target_for_hash.encode("utf-8") - hash_for_rules = hashlib.md5(qualified_target_for_hash).hexdigest() + hash_for_rules = hashlib.sha256(qualified_target_for_hash).hexdigest() base_path = os.path.dirname(build_file) obj = "obj" diff --git a/gyp/pylib/gyp/xcodeproj_file.py b/gyp/pylib/gyp/xcodeproj_file.py index cb467470d3..2004518dcb 100644 --- a/gyp/pylib/gyp/xcodeproj_file.py +++ b/gyp/pylib/gyp/xcodeproj_file.py @@ -429,7 +429,7 @@ def _HashUpdate(hash, data): hash.update(data) if seed_hash is None: - seed_hash = hashlib.sha1() + seed_hash = hashlib.sha256() hash = seed_hash.copy() diff --git a/gyp/pyproject.toml b/gyp/pyproject.toml index cd4f0383fd..fa30c8cf96 100644 --- a/gyp/pyproject.toml +++ b/gyp/pyproject.toml @@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta" [project] name = "gyp-next" -version = "0.21.0" +version = "0.21.1" authors = [ { name="Node.js contributors", email="ryzokuken@disroot.org" }, ]