Webpack build failing with ERR_OSSL_EVP_UNSUPPORTED

Question

I'm having an issue with a Webpack build process that suddenly broke, resulting in the following error...

<s> [webpack.Progress] 10% building 0/1 entries 0/0 dependencies 0/0 modules
node:internal/crypto/hash:67
  this[kHandle] = new _Hash(algorithm, xofLen);
                  ^

Error: error:0308010C:digital envelope routines::unsupported
    at new Hash (node:internal/crypto/hash:67:19)
    at Object.createHash (node:crypto:130:10)
    at BulkUpdateDecorator.hashFactory (/app/node_modules/webpack/lib/util/createHash.js:155:18)
    at BulkUpdateDecorator.update (/app/node_modules/webpack/lib/util/createHash.js:46:50)
    at OriginalSource.updateHash (/app/node_modules/webpack-sources/lib/OriginalSource.js:131:8)
    at NormalModule._initBuildHash (/app/node_modules/webpack/lib/NormalModule.js:888:17)
    at handleParseResult (/app/node_modules/webpack/lib/NormalModule.js:954:10)
    at /app/node_modules/webpack/lib/NormalModule.js:1048:4
    at processResult (/app/node_modules/webpack/lib/NormalModule.js:763:11)
    at /app/node_modules/webpack/lib/NormalModule.js:827:5 {
  opensslErrorStack: [ 'error:03000086:digital envelope routines::initialization error' ],
  library: 'digital envelope routines',
  reason: 'unsupported',
  code: 'ERR_OSSL_EVP_UNSUPPORTED'
}
command terminated with exit code 1

I've tried googling ERR_OSSL_EVP_UNSUPPORTED webpack which yielded almost no useful results, but it did highlight an issue using MD4 as provided by OpenSSL (which is apparently deprecated?) to generate hashes.

The webpack.config.js code is as follows:

const path = require('path');
const webpack = require('webpack');

/*
 * SplitChunksPlugin is enabled by default and replaced
 * deprecated CommonsChunkPlugin. It automatically identifies modules which
 * should be splitted of chunk by heuristics using module duplication count and
 * module category (i. e. node_modules). And splits the chunks…
 *
 * It is safe to remove "splitChunks" from the generated configuration
 * and was added as an educational example.
 *
 * https://webpack.js.org/plugins/split-chunks-plugin/
 *
 */

/*
 * We've enabled TerserPlugin for you! This minifies your app
 * in order to load faster and run less javascript.
 *
 * https://github.com/webpack-contrib/terser-webpack-plugin
 *
 */

const TerserPlugin = require('terser-webpack-plugin');

module.exports = {
    mode: 'development',
    entry: './src/js/scripts.js',

    output: {
        path: path.resolve(__dirname, 'js'),
        filename: 'scripts.js'
    },

    devtool: 'source-map',

    plugins: [new webpack.ProgressPlugin()],

    module: {
        rules: []
    },

    optimization: {
        minimizer: [new TerserPlugin()],

        splitChunks: {
            cacheGroups: {
                vendors: {
                    priority: -10,
                    test: /[\\/]node_modules[\\/]/
                }
            },

            chunks: 'async',
            minChunks: 1,
            minSize: 30000,
            name: 'true'
        }
    }
};

How do I change the hashing algorithm used by Webpack to something else?

https://github.com/facebook/create-react-app/issues/11562 has the details, why to downgrade NodeJs to v16.13.0 — Abhinav Saxena, Dec 21 '21 at 08:37
install nvm then check your node version use nvm list to check your node versions then nvm use (node version) — Majdi Mohammad, Dec 31 '22 at 19:45

score 629 · Answer 1 · edited Jan 04 '22 at 21:32

629

I was able to fix it via:

export NODE_OPTIONS=--openssl-legacy-provider

sachaw's comment to Node.js v17.0.0 - Error starting project in development mode #30078

But they say they fixed it: ijjk's comment to Node.js v17.0.0 - Error starting project in development mode #30078:

Hi, this has been updated in v11.1.3-canary.89 of Next.js, please update and give it a try!

For me, it worked only with the annotation above.

I also want to point out that npm run start works with -openssl-legacy-provider, but npm run dev won't.

It seems that there is a patch: Node.js 17: digital envelope routines::unsupported #14532

I personally downgraded to 16-alpine.

edited Jan 04 '22 at 21:32

Peter Mortensen

30,738
21
105
131

answered Oct 28 '21 at 00:27

Jan

12,992
9
53
89

it work ! export NODE_OPTIONS=--openssl-legacy-provider – user9681090 Nov 10 '21 at 07:35
68

PowerShell: `$env:NODE_OPTIONS="--openssl-legacy-provider"` – Hex Jan 10 '22 at 12:22
Where do you put: ```export NODE_OPTIONS=--openssl-legacy-provider```? – Harlin Jan 29 '22 at 19:03
9

before you run your server: `"scripts": { "debug": "NODE_OPTIONS='--openssl-legacy-provider' next dev -p 5000"` – Jan Jan 30 '22 at 00:31
1

This worked for me! Downgrading node did not work for me. – Quinten C Feb 08 '22 at 12:56
12

You can run all at once: `NODE_OPTIONS=--openssl-legacy-provider npm start` – Seralto Feb 10 '22 at 12:59
It works for me in ubuntu 22.04 , rvm_ruby_version 3.0.1 – Raksha Saini May 06 '22 at 10:55
9

Doesn't work with node `v16.14.0` for me on Fedora 36: `node: --openssl-legacy-provider is not allowed in NODE_OPTIONS` – Jasper Siepkes Jun 01 '22 at 08:43
1

@JasperSiepkes you need to use node 17 or newer. On fedora, you can install it using modules https://docs.fedoraproject.org/en-US/modularity/using-modules/ – cascading-jox Jul 27 '22 at 10:26
fixed the issue – Ayaz Ahmad Tarar Oct 26 '22 at 21:05
This woked for me NODE_OPTIONS=--openssl-legacy-provider npm run serve – Joel Enanod Jr Nov 10 '22 at 06:42
added to windows environment variables and it helped for v18.12.1. Thanks) – roma2341 Dec 08 '22 at 19:49
1

On windows with react, edit package.json ```json { "scripts": { "start": "set \"NODE_OPTIONS=--openssl-legacy-provider\" && react-scripts start"}} ``` – pushStack May 01 '23 at 12:05
`start: "cross-env NODE_OPTIONS=\" --openssl-legacy-provider\" npm start" ` – Sumit Ramteke May 19 '23 at 03:43
You can add this to ~/.zshrc on mac and it will run every time you run npm start – Digglit Jun 07 '23 at 01:27
1

All these solutions regarding downgrading or using unsafe options are hacky... 16 is out of LTS in a month and Node 18 will not support these strategies (even if they do work) they should be strongly discouraged given that they're making your app more vulnerable per OpenSSL's definitions. – Zargold Jul 28 '23 at 16:18

score 178 · Answer 2 · edited Jan 04 '22 at 20:21

178

I had this problem too. I'd accidentally been running on the latest Node.js (17.0 at time of writing), not the LTS version (14.18) which I'd meant to install. Downgrading my Node.js install to the LTS version fixed the problem for me.

edited Jan 04 '22 at 20:21

Peter Mortensen

30,738
21
105
131

answered Oct 19 '21 at 20:05

Benjamin Hodgson

42,952
15
108
157

21

Same here. Downgrading to 16.x worked as well. Its LTS start in a week (2021-10-26) according to https://nodejs.org/en/about/releases/ so I went for that. – Gustav Oct 20 '21 at 07:33
3

I am having this problem with v16.13.0. – Trip Nov 11 '21 at 22:35
Thanks. It worked here. I used 'asdf' to run the LTS version locally inside the project. – Caleb Santos Nov 19 '21 at 20:14
https://github.com/facebook/create-react-app/issues/11562 has the details, why to downgrade NodeJs to v16.13.0 – Abhinav Saxena Dec 21 '21 at 08:37
@Trip check your package.json for ReactNative. Ask a question. – Abhinav Saxena Dec 21 '21 at 08:51
@AbhinavSaxena We do not use React, and ReactNative does not appear anywhere in our package-lock.json. – Trip Dec 21 '21 at 17:11
@Trip Okay, [Note: it's package.json and not package-lock.json] I used this solution for ReactNative and saw that it favoured people using ReactJS (web development) as well, so I was curious. I think you can ask a separate question specifying the platform you are using. – Abhinav Saxena Dec 21 '21 at 17:17
6

Confirm downgrade from v17.2.0 to v16.13.1 is working fine – Mauzzz0 Jan 17 '22 at 10:47
Confirm - downgrading Node solved the issue. – Luca Filip Apr 12 '22 at 09:55
3

Thanks. Node Version Manager via [nvm](https://github.com/nvm-sh/nvm) or [nvm-windows](https://github.com/coreybutler/nvm-windows) works excellent for switching effortlessly between versions – tno2007 Jun 28 '22 at 10:39
1

Before following suggestions that open your app to security vulnerabilities, please see answer to same question here: https://stackoverflow.com/a/73027407/1072629 In the best world scenario, find the right fix for the issue instead of hacking in a solution. It may work, but that doesnt mean it is right – Justin Greywolf Mar 23 '23 at 12:36
You saved my day, after uninstall Nodejs and intall nodejs LTS + npm update in console visual studio it's perfectly worked :D – BoBiTza Jun 08 '23 at 08:40

score 61 · Answer 3 · edited Jan 04 '22 at 20:17

61

There is a hashing algorithm that comes with Webpack v5.54.0+ that does not rely on OpenSSL.

To use this hash function that relies on a npm-provided dependency instead of an operating system-provided dependency, modify the webpack.config.cjs output key to include the hashFunction: "xxhash64" option.

module.exports = {
    output: {
        hashFunction: "xxhash64"
    }
};

edited Jan 04 '22 at 20:17

Peter Mortensen

30,738
21
105
131

answered Sep 30 '21 at 15:17

Ryan Brownell

5,121
2
5
9

24

I'm getting `Error: Digest method not supported` – Jack Feb 20 '22 at 04:26
4

agree. webpack upgrade fixed the issue for me. I was using react 17, then upgraded to react 18 which did bring me webpack 5.74.0 => problem solved. – tswaehn Jul 25 '22 at 10:39
1

If you still get this error on webpack 5.54+ and node 17+, look at your stack trace. In my case, `babel-loader: 8.2.2` was also using a deprecated hashing function. Upgrading to `babel-loader: 8.3.0` fixed the issue. – bendytree Jan 24 '23 at 17:18
I had the same scenario as @bendytree. Turns out I didn't even need to use the `hashFunction` webpack configuration at all. Upgrading to `babel-loader: 8.3.0` solved the issue. Looks like it was actually fixed in 8.2.4: https://github.com/babel/babel-loader/releases/tag/v8.2.4. – Eli Dupuis Mar 22 '23 at 20:47
xxhash64 is also now gone... you can try a different variant of this by switching hashFunction to: "sha256"... but I still had issues in the next layer down (possibly because of harcoded usage of md4). – Zargold Jul 28 '23 at 16:14

score 61 · Answer 4 · edited Aug 10 '23 at 15:32

61

It is not my answer really, but I found this workaround /hack/ to fix my problem Code Check in for a GitHub project... see the bug comments here.

I ran into ERR_OSSL_EVP_UNSUPPORTED after updating with npm install.

I added the following to node_modules\react-scripts\config\webpack.config.js

const crypto = require("crypto");
const crypto_orig_createHash = crypto.createHash;
crypto.createHash = algorithm => crypto_orig_createHash(algorithm == "md4" ? "sha256" : algorithm);

I tried Ryan Brownell's solution and ended up with a different error, but this worked...

Typescript equivalent:

import crypto from "crypto";

const crypto_orig_createHash = crypto.createHash;
Object.assign(crypto, {
  createHash: (algorithm: string): crypto.Hash => crypto_orig_createHash(algorithm === "md4" ? "sha256" : algorithm),
});

edited Aug 10 '23 at 15:32

zastrowm

8,017
3
43
63

answered Oct 23 '21 at 19:51

Cheshiremoe

792
1
5
14

1

This worked fine for me in Webpack4. I'm bouncing between 12LTS / 17 and this is a big time saver. – Daniel B. Chapman Oct 23 '21 at 23:34
2

This should be the accepted answer in 2021. Thank you for describing the folder location of the file as well. It solved my issue. I had previously tried the solution that exports variables to the environment and it caused VSCode to no longer load. So this solves it without globally compromising other programs. – Terry Nov 05 '21 at 15:57
So we have to add the code when `react-scripts` - now 3.0.1 or 3.4.4 - gets a newer Version? – Timo Jan 09 '23 at 13:00
It's also working in the app's own config/webpack.config.js file, so great solution! – szabozoltan Feb 21 '23 at 08:20
Finally a solution that actually works, doesn't leave us vulnerable, and doesn't assume a specific project setup (this can go in the main projects config file). Thank you! – Pluckerpluck Aug 30 '23 at 13:24

jbg · Answer 5 · 2022-01-05T04:02:10.177

Ryan Brownell's answer is the ideal solution if you are using Webpack v5.54.0+.

If you're using an older version of Webpack, you can still solve this by changing the hash function to one that is not deprecated. (It defaults to the ancient md4, which OpenSSL has removed support for, which is the root cause of the error.) The supported algorithms are any supported by crypto.createHash. For example, to use SHA-256:

module.exports = {
    output: {
        hashFunction: "sha256"
    }
};

Finally, if you are unable to change the Webpack configuration (e.g., if it's a transitive dependency which is running Webpack), you can enable OpenSSL's legacy provider to temporarily enable MD4 during the Webpack build. This is a last resort. Create a file openssl.cnf with this content…

openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1

…and then set the environment variable OPENSSL_CONF to the path to that file when running Webpack.

Turns out that the `hashFunction` fix can help. but it might be insufficient: the ConcatenatedModule optimizer in Webpack 4.x [hardcodes the use of MD4](https://github.com/webpack/webpack/blob/3956274f1eada621e105208dcab4608883cdfdb2/lib/optimize/ConcatenatedModule.js#L563), so if your build process uses it, you might need to go the `openssl.cnf` route. I think this might be the general case for Vue CLI 4.x projects. — Peter, Oct 21 '21 at 15:23

score 25 · Answer 6 · edited Jan 04 '22 at 20:22

25

This error is mentioned in the release notes for Node.js 17.0.0, with a suggested workaround:

If you hit an ERR_OSSL_EVP_UNSUPPORTED error in your application with Node.js 17, it’s likely that your application or a module you’re using is attempting to use an algorithm or key size which is no longer allowed by default with OpenSSL 3.0. A command-line option, --openssl-legacy-provider, has been added to revert to the legacy provider as a temporary workaround for these tightened restrictions.

edited Jan 04 '22 at 20:22

Peter Mortensen

30,738
21
105
131

answered Oct 22 '21 at 06:53

Patrik Erdes

377
2
6

3

I didnt work here. :( --openssl-legacy-provider is not allowed in NODE_OPTIONS – Cesarvspr Jun 27 '22 at 16:04
4

@Cesarvspr you have to add it to the env var, not as an argument to `npm` command. `NODE_OPTIONS='--openssl-legacy-provider' npm run build` – Cristian Nov 03 '22 at 07:41
Thanks, you are right. I figured this out after some research – Cesarvspr Nov 03 '22 at 15:29

score 22 · Answer 7 · edited Jan 04 '22 at 21:44

I ran into this issue using Laravel Mix (Webpack) and was able to fix it within file package.json by adding in the NODE_OPTIONS=--openssl-legacy-provider (referenced in Jan's answer) to the beginning of the script:

package.json:

{
  "private": true,
  "scripts": {
    "production": "cross-env NODE_ENV=production NODE_OPTIONS=--openssl-legacy-provider  node_modules/webpack/bin/webpack.js --progress --hide-modules --config=node_modules/laravel-mix/setup/webpack.config.js"
  },
  "dependencies": {
    ...
  }
}

score 20 · Answer 8 · edited Aug 18 '22 at 02:30

20

I faced the same challenge, but you just need to downgrade Node.js to version 16.13 and everything works well. Download LTS, not the current on Downloads.

edited Aug 18 '22 at 02:30

Peter Mortensen

30,738
21
105
131

answered Oct 26 '21 at 19:28

grace mutore

201
1
2

1

This works.. I just used 'n' to update to lts and it started working for me – Hrithik Tiwari Oct 08 '22 at 11:03
Worked for 16.20.0 LTS for my Angular project. :) – Naveen Kumar V Jun 14 '23 at 09:23

score 20 · Answer 9 · edited Jan 04 '22 at 21:46

20

Try upgrading your Webpack version to 5.62.2.

edited Jan 04 '22 at 21:46

Peter Mortensen

30,738
21
105
131

answered Nov 09 '21 at 12:27

Ashiq Mohamed

201
1
2

This should be accepted, upgrading WebPack solved the issue for me. Thanks!! – 7FigureSwagger Jan 11 '22 at 01:05
1

I'm on webpack 5.81.0, still have this issue – cdalxndr Apr 27 '23 at 15:24

score 11 · Answer 10 · edited Jan 04 '22 at 21:41

11

I had the same problem with my Vue.js project and I solved it.

macOS and Linux

You should have installed NVM (Node Version Manager). If you never had before, just run this command in your terminal:

curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.0/install.sh | bash

Open your project
Open the terminal in your project
Run the command nvm install 16.13.0 or any older version
After the installation is completed, run nvm use 16.13.0

edited Jan 04 '22 at 21:41

Peter Mortensen

30,738
21
105
131

answered Oct 30 '21 at 08:46

developer1996

827
2
14
26

6

This is not a solution to the problem, just a workaround. – emendelski Jan 05 '22 at 23:04
@emendelski Then, whats the solution? – Narendra Singh Jun 14 '22 at 10:07
Check all the other answers: https://stackoverflow.com/a/69746937/3585513, https://stackoverflow.com/a/69476335/3585513. – emendelski Jun 15 '22 at 11:07

score 11 · Answer 11 · edited Jan 04 '22 at 21:48

11

I faced the same problem in a project I developed with Next.js. For the solution, I ran the project as follows and I solved the problem.

cross-env NODE_OPTIONS='--openssl-legacy-provider' next dev

edited Jan 04 '22 at 21:48

Peter Mortensen

30,738
21
105
131

answered Nov 09 '21 at 12:52

Deniz Dizi

119
2

For those using Vue 2 you can simply add `NODE_OPTIONS='--openssl-legacy-provider'` don't include `cross-env` – JPilson Sep 29 '22 at 09:30

score 3 · Answer 12 · edited Jan 04 '22 at 21:49

3

This means that you have the latest Node.js version. If you are using it for Docker then you need to change the image from

FROM node

to

FROM node:14

edited Jan 04 '22 at 21:49

Peter Mortensen

30,738
21
105
131

answered Nov 17 '21 at 07:45

abdullah gharbain

165
5

5

downgrading whole node shouldnt be considered as good practice – Imants Volkovs Feb 08 '23 at 09:11
With Node Version Manager (nvm) globally installed try $ nvm use 14 – Liam Hogan May 31 '23 at 23:25

Webpack build failing with ERR_OSSL_EVP_UNSUPPORTED

12 Answers12

macOS and Linux

Linked

Related