
Loving this. I wonder how people even come up with an idea of truncating hashes. For what purpose or benefit?


Truncated hash functions are not vulnerable to length-extension attacks. But you usually take SHA512 and truncate to 256 bits. Anything shorter than this isn't really considered safe these days.


Sometimes it’s done to fit into an existing tool/database that has a preexisting limit. Or when the hash is used only as a locator rather than for integrity.

Not a good practice imo but people are pragmatic.


According to the commit, they did it to reduce the length of the downloaded filename and URL.


For when you need a smaller payload:

    According to @Reid's answer in [2] and @ThomasPornin's answer in [3], the idea of truncating hashes is fully supported by NIST, in fact SHA-224 is just SHA-256 truncated, SHA-384 is just SHA-512 truncated, etc.
https://security.stackexchange.com/a/97389


When you upgrade from SHA-1 to SHA-256 but you don't want to change your data format for storing the integrity checks / keys.


A SHA-1 is not 12 characters (either in digest bytes or hex nibbles).



