nuxt: Nuxt2 default setup doesn't work with latest node LTS version 18.12.1
The default Nuxt2 project setup runs into an error Error: error:0308010C:digital envelope routines::unsupported when starting the development environment (yarn dev) using node v18.12.1.
Reason For The Error In Node.js v17, the Node.js developers closed a security hole in the SSL provider. This fix was a breaking change that corresponded with similar breaking changes in the SSL packages in NPM. Webpack 4.46.0 (a module currently used by nuxt2 for serving) is using a deprecated hashing algorithm
md4for it’s SSL encryption, which I assume was patched out in Node.js v17.
⚠️ DANGER
Almost all threads found online regarding this issue are suggesting to either downgrade Node.js to pre v17 or to use the legacy SSL provider. Both of those solutions are hacks that leave your builds open to security threats.
This is a big issue because the prerequisites in the current nuxt installation guide are telling newcomers to get the latest node LTS version, which is currently 18.12.1. Googling the error message (which they will definitely get) will lead them to either set NODE_OPTIONS=--openssl-legacy-provider or downgrade Node.js to pre v17.
Versions
- nuxt: v2.15.8
- node: v18.12.1
Reproduction
GitHub repository: https://github.com/michael-pfister/nuxt2-node-demonstrations
Additional Details
Make sure you have the currently latest node LTS version (v18.12.1) installed before running any build commands.
Steps to reproduce
# clone git repository
$ git clone https://github.com/michael-pfister/nuxt2-node-demonstrations
# cd into the repository
$ cd nuxt2-node-demonstrations
# install dependencies
$ yarn install
# serve with hot reload at localhost:3000
$ yarn dev
What is Expected?
The Nuxt2 default setup, which newcomers install using yarn create nuxt-app <project-name> after getting the latest node LTS version as mentioned in the prerequisites should work without throwing an error, that is leading them to implement a potential security risk.
What is actually happening?
node:internal/crypto/hash:71
this[kHandle] = new _Hash(algorithm, xofLen);
^
Error: error:0308010C:digital envelope routines::unsupported
at new Hash (node:internal/crypto/hash:71:19)
at Object.createHash (node:crypto:133:10)
at module.exports (C:\Users\admin\Desktop\nuxt2-node-demonstrations\node_modules\webpack\lib\util\createHash.js:135:53)
at NormalModule._initBuildHash (C:\Users\admin\Desktop\nuxt2-node-demonstrations\node_modules\webpack\lib\NormalModule.js:417:16)
at handleParseError (C:\Users\admin\Desktop\nuxt2-node-demonstrations\node_modules\webpack\lib\NormalModule.js:471:10)
at C:\Users\admin\Desktop\nuxt2-node-demonstrations\node_modules\webpack\lib\NormalModule.js:503:5
at C:\Users\admin\Desktop\nuxt2-node-demonstrations\node_modules\webpack\lib\NormalModule.js:358:12
at C:\Users\admin\Desktop\nuxt2-node-demonstrations\node_modules\loader-runner\lib\LoaderRunner.js:373:3
at iterateNormalLoaders (C:\Users\admin\Desktop\nuxt2-node-demonstrations\node_modules\loader-runner\lib\LoaderRunner.js:214:10)
at Array.<anonymous> (C:\Users\admin\Desktop\nuxt2-node-demonstrations\node_modules\loader-runner\lib\LoaderRunner.js:205:4)
at Storage.finished (C:\Users\admin\Desktop\nuxt2-node-demonstrations\node_modules\enhanced-resolve\lib\CachedInputFileSystem.js:55:16)
at C:\Users\admin\Desktop\nuxt2-node-demonstrations\node_modules\enhanced-resolve\lib\CachedInputFileSystem.js:91:9
at C:\Users\admin\Desktop\nuxt2-node-demonstrations\node_modules\graceful-fs\graceful-fs.js:123:16
at FSReqCallback.readFileAfterClose [as oncomplete] (node:internal/fs/read_file_context:68:3) {
opensslErrorStack: [ 'error:03000086:digital envelope routines::initialization error' ],
library: 'digital envelope routines',
reason: 'unsupported',
code: 'ERR_OSSL_EVP_UNSUPPORTED'
}
About this issue
- Original URL
- State: closed
- Created 2 years ago
- Comments: 15 (4 by maintainers)
Commits related to this issue
- fix: use openssl-legacy-provider See: https://github.com/nuxt/nuxt.js/issues/10844 It does not seem to be a security issue. The problem is well known by the maintainers and not fixed as of now. — committed to schaefer-development/werkhof-ichen by roschaefer 2 years ago
- Add node v16 dependency info (#356) see https://github.com/nuxt/nuxt/issues/10844 — committed to neurobagel/annotation_tool by surchs a year ago
- Adding note on node v16 dependency (#45) https://github.com/nuxt/nuxt/issues/10844 — committed to neurobagel/old-query-tool by surchs a year ago
- fix: pin ci to node v16 (#348) Something is going wrong with Nuxt and Node 18. See https://github.com/nuxt/nuxt/pull/19108 and https://github.com/nuxt/nuxt/issues/10844 — committed to SpaceCowMedia/commander-spellbook-site by crookedneighbor a year ago
Oh, this issue should be closed. This issue is resolved in v2.16.2.
To be clear, the reason you’re not able to build is that webpack 4, which is used by Nuxt 2, depends on that algorithm for hashing build outputs. But that is a build-time dependency, not a runtime dependency. Nor is it a security risk at build time, as what is being hashed is just the content of the generated files…
More importantly, this is not a vulnerablity in a deployed nuxt site. Once built, a nuxt server can run on node 18 just fine as it has no ongoing dependency on webpack.
That said, if there is an issue on node v18, we do need to update our docs to indicate preferred installation in node 16 for now, which will not release EOL until 2023-09-11, and also consider other options.
Same issue here: Node 18, Nuxt 2.17.2 Webpack 4.47.0
Downgrading to nuxt 2.17.1 fixes the issue
Appears to be re-introduced in 2.17.2.
The same build worked with 2.17.1 but does not with 2.17.2 anymore,
Error: error:0308010C:digital envelope routines::unsupportedis happening again.Node 18.16.1
Thanks for the fast response!
I verified that we (@hokify) have webpack 4.47.0 in use, the latest version.
But I noticed that the error message is coming from
compression-webpack-plugincoming fromnuxt-compress, which we have added inbuildModules- I could imagine its a problem there, and not nuxt itself.The current workaround is to use Node 16 to build your Nuxt 2 project; you can run the resulting dist files on newer node versions if necessary.
In practice, this will become an obstacle for Nuxt 2 projects that are deployed with many of the popular Jamstack hosting providers, because at some point those hosting providers will drop support build images that use Node.js 16. I don’t think it’s Nuxt’s problem to solve, but it’s a problem that Nuxt practitioners should keep in mind when planning project upgrades from Nuxt 2 to Nuxt 3.
Thanks so much for clarifying the actual security risk!