Webpack hashing problems after Mastodon server update
I just updated my Mastodon server to the latest version due to a security vulnerability. I got a 500 page and `error:0308010C:digital envelope routines::unsupported` in the logs from mastodon-web.
I could reproduce it by running `bin/webpack` from the command line. Some searching led me to try Node 16 LTS, but then I get an apparently blank page when I load the site and `call to eval() blocked by CSP` in the browser console.
The API works normally; this only affects the website.
Solved-ish.
I got webpack to run reliably by replacing its use of md4 with sha256 in these files:
then in `config/initializers/content_security_policy.rb`, I replaced the line
p.script_src :self, assets_host, "'wasm-unsafe-eval'"
with
p.script_src :self, assets_host, "'wasm-unsafe-eval' 'unsafe-eval'"
This seems like way more tinkering with the code and defaults than I should need to keep the server running so I'll probably dig more later. I hope this post ends up being useful to anyone else having an issue.
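To check what the `script_src` change described above does to the policy the browser receives, here is an added example (not part of the original post and not Mastodon's code) that parses a Content-Security-Policy header value and reports whether `eval()` and WebAssembly compilation are permitted. The two header strings, the `default-src 'none'` directive and the `assets.example` host are constructed stand-ins for the two lines quoted in the post.

```javascript
// Constructed header values modelled on the two script_src lines in the post.
// "https://assets.example" is a placeholder for assets_host.
const BEFORE = "default-src 'none'; script-src 'self' https://assets.example 'wasm-unsafe-eval'";
const AFTER = "default-src 'none'; script-src 'self' https://assets.example 'wasm-unsafe-eval' 'unsafe-eval'";

// Parse a CSP header value into a Map of directive name -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A directive repeated within one policy is ignored; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Report what a single enforced policy allows for string-to-code evaluation.
function scriptEvalPosture(header) {
  const directives = parseCsp(header);
  // eval() is governed by script-src, falling back to default-src.
  const sources = directives.get('script-src') ?? directives.get('default-src');
  if (sources === undefined) {
    // Neither directive present: this policy does not restrict scripts at all.
    return { restricted: false, evalAllowed: true, wasmAllowed: true };
  }
  // Keyword sources are matched case-insensitively.
  const keywords = new Set(sources.map((s) => s.toLowerCase()));
  const evalAllowed = keywords.has("'unsafe-eval'");
  return {
    restricted: true,
    evalAllowed,
    // 'unsafe-eval' also permits WebAssembly; 'wasm-unsafe-eval' permits only that.
    wasmAllowed: evalAllowed || keywords.has("'wasm-unsafe-eval'"),
  };
}

for (const [label, header] of [['before', BEFORE], ['after', AFTER]]) {
  console.log(label, scriptEvalPosture(header));
}
```

Run it against the header value your own server returns to confirm whether `'unsafe-eval'` is still being sent once the workaround is no longer needed.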
MD4.....? Uh, even MD5 has been considered bad for literally decades.