Jujutsu does not have SHA-1 collision detection
Jujutsu 0.28.0 and earlier rely on versions of gitoxide that use SHA-1 hash implementations without any collision detection, leaving them vulnerable to hash collision attacks.
Advisories for Cargo/Jj-Cli package
2025