Disallow usage of uniqid(), md5(), sha1(), crc32() and hash() with weak algorithms

Do we have existing instances that need replaced? How often do they appear if it warrants a rule?

The pipeline has failed due to a PHP linting error.

If you read the comments it was being discussed not for code review

I think this is a good idea for md5 and sha1, we should point users to sha256 or xxhash instead I guess? Not sure what to do about uniqid().

#3307718: Implement xxHash for non-cryptographic use-cases suggests replacing md5/sha1 with xxHash alternatives

Awesome to see this one come together. Replacements make sense and probably could spin up follow ups to do the replacements.

NW for merge conflict in phpstan baseline.

Thanks for working on this. Added a comment to the MR, as I think it is not a good idea to link to the Drupal 7 documentation. Also think we should add a CR for this (a similar from the past https://www.drupal.org/node/2833433). Moving to NW for this.

Feedback and CR look good

crc32 shouldn't use Crypt::hashBase64(), it should be replaced with xxHash, the other exclusions in the MR say this.

The errorTip links to the change record, but then the change record links back to the errorTip.

I am not sure we should duplicate documentation on e.g. https://xxhash.com/ but I think we probably need to say at least something like:

'Use a cryptographic hashing algorithm when appropriate. Use a fast, low collision, non-cryptographic algorithm when approprate (usually one of the xxHash variants), don't use weak cryptographic algorithms.'

Also while this will stop further cases being added to core, I'm a little bit concerned about committing it with the core usages not converted yet, because when we (hopefully) set a good example in core that's an easy place to follow and refer to.