That's not a hash collision, that's a hash preimage attack.
If you can perform a hash preimage attack, then faking a JS library is aiming really low.
• You could forge any SSL certificate.
• You could forge any PGP/GPG message (public key crypto is not applied to whole messages, only hashes of them, same with certs).
• You could maliciously modify Git repositories, even those with GPG signed releases like the Linux kernel.
• You could inject malware into any package repository, MITM software updates for all OSes, etc.
Basically, the security of the entire Internet and all secure software distribution depends on the fact that a preimage attack against crypto hashes is impossible (i.e. the time and/or energy required to perform a brute-force attack is literally astronomical).
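The distinction drawn in the comment above, as an added example that is not part of the original comment: a collision search may choose both inputs, while replacing an existing file means matching the digest of a fixed target. `toy_hash` (SHA-256 truncated to a few bits) and the sample messages are assumptions made so that both searches finish in well under a second.

```python
import hashlib
from itertools import count

def toy_hash(data: bytes, bits: int) -> int:
    """SHA-256 truncated to its top `bits` bits (deliberately weak toy digest)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)

def find_collision(bits: int):
    """Collision: ANY two distinct inputs with equal digests (searcher picks both)."""
    seen = {}
    for i in count():
        msg = b"msg-%d" % i
        h = toy_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1   # (first input, second input, hashes computed)
        seen[h] = msg

def find_second_preimage(target: bytes, bits: int):
    """Fixed-target search: a different input matching the digest of `target`."""
    want = toy_hash(target, bits)
    for i in count():
        msg = b"forged-%d" % i
        if msg != target and toy_hash(msg, bits) == want:
            return msg, i + 1            # (matching input, hashes computed)

if __name__ == "__main__":
    # Constructed sample standing in for the file whose digest is pinned.
    target = b"constructed sample: contents of library.js"
    for bits in (8, 12, 16):
        a, b, c_tries = find_collision(bits)
        forged, p_tries = find_second_preimage(target, bits)
        print(f"{bits:2d} bits: collision after {c_tries} hashes, "
              f"fixed-target match after {p_tries} hashes")
```

For an n-bit digest the collision search needs on the order of 2^(n/2) hashes and the fixed-target search on the order of 2^n, so each extra bit doubles the second figure. At the full 256 bits that is about 2^256 hash evaluations.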