From Python 3.9, `hashlib` introduced the `usedforsecurity` argument:
Changed in version 3.9: All hashlib constructors take a keyword-only argument usedforsecurity with default value True. A false value allows the use of insecure and blocked hashing algorithms in restricted environments. False indicates that the hashing algorithm is not used in a security context, e.g. as a non-cryptographic one-way compression function.
`evidently` uses hashing where the purpose is indeed not for security purposes. This should be specified in the code. My guess is that pretty much all federal systems in the world would have this issue.
Federal Information Processing Standards (FIPS) 140-2 is a mandatory standard for the protection of sensitive or valuable data within Federal systems. - https://www.wolfssl.com/license/fips/
Without this fix, organisations following certain security standards (FIPS compliance could be an example) are not able to use this package.
The same fix has been applied to a range of key repositories:
Proposed solution

- `usedforsecurity=False` when calling `hashlib` constructors where the hashing is not security-related.
- `usedforsecurity` is only available from Python 3.9 onwards and `evidently` supports Python 3.8+, implement logic to handle this difference:
  - `hashlib` without `usedforsecurity`.
  - `usedforsecurity=False`.

I will submit a PR implementing this change. Let me know if there are other concerns or suggestions for handling this!
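The version handling described in the proposed solution, as an added example that is not part of the original issue or the `evidently` code base. The helper names `non_security_hash`, `blocked_for_security_use` and `stable_id` are hypothetical, and MD5 is assumed as the hash used for non-security identifiers.

```python
import hashlib
import sys

# Hypothetical helpers for illustration; not taken from the evidently code base.
_HAS_USEDFORSECURITY = sys.version_info >= (3, 9)


def non_security_hash(name, data=b""):
    """Return a hashlib object for non-security use (cache keys, IDs, dedup)."""
    if _HAS_USEDFORSECURITY:
        # Python 3.9+: declare intent so FIPS-restricted builds permit the call.
        return hashlib.new(name, data, usedforsecurity=False)
    # Python 3.8: the keyword does not exist; passing it raises TypeError.
    return hashlib.new(name, data)


def blocked_for_security_use(name):
    """True if this interpreter refuses `name` when called with the default
    usedforsecurity=True, as a FIPS-restricted build does for MD5."""
    if name not in hashlib.algorithms_available:
        raise LookupError("unknown hash algorithm: " + name)
    try:
        hashlib.new(name, b"")
    except ValueError:
        return True
    return False


def stable_id(*parts):
    """Deterministic identifier for non-secret values, e.g. a column name."""
    h = non_security_hash("md5")
    for part in parts:
        encoded = str(part).encode("utf-8")
        # Length-prefix each part so ("ab", "c") and ("a", "bc") differ.
        h.update(len(encoded).to_bytes(4, "big"))
        h.update(encoded)
    return h.hexdigest()


if __name__ == "__main__":
    # Constructed sample values.
    print("md5 blocked for security use:", blocked_for_security_use("md5"))
    print("stable id:", stable_id("dataset", "column_a"))
```

Routing every non-security call through one helper also makes the remaining direct `hashlib` calls easy to audit, since those are the ones that must use an approved algorithm.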