Fix: Error: error:0308010C:digital envelope routines::unsupported

The Error

You run npm start, npm run build, or a webpack command and get:

Error: error:0308010C:digital envelope routines::unsupported
    at new Hash (node:internal/crypto/hash:79:19)
    at Object.createHash (node:crypto:139:10)
    at module.exports (/project/node_modules/webpack/lib/util/createHash.js:135:53)

Or the full stack trace ending with:

opensslErrorStack: [
  'error:03000086:digital envelope routines::initialization error'
],
library: 'digital envelope routines',
reason: 'unsupported',
code: 'ERR_OSSL_EVP_UNSUPPORTED'

Or variations:

Error: error:0308010C:digital envelope routines::unsupported
    at Hash.update (node:internal/crypto/hash:...)

Node.js 17+ uses OpenSSL 3.0, which removed support for the MD4 hash algorithm that older versions of webpack (and other tools) use internally. The tool tries to create an MD4 hash, OpenSSL 3.0 refuses, and the build crashes.

Why This Happens

Node.js 17 (October 2021) upgraded from OpenSSL 1.1 to OpenSSL 3.0. OpenSSL 3.0 deprecated several older cryptographic algorithms, including MD4, which webpack 4 and some older tools use for generating module hashes.

This affects:

• webpack 4 (and tools built on it: Create React App 4, Vue CLI 4, Angular CLI <15)
• Some older PostCSS plugins
• Older versions of css-minimizer-webpack-plugin
• Any tool that calls crypto.createHash('md4')

You hit this error when:

1. You upgrade Node.js to 17, 18, 19, 20, 21, or 22.
2. Your project still uses webpack 4 or an older build tool.
3. The tool calls an unsupported hash algorithm.

Fix 1: Upgrade webpack to v5

The best long-term fix. webpack 5 uses a supported hash algorithm by default:

npm install webpack@5 webpack-cli@5 --save-dev

For Create React App — upgrade to v5:

npx react-scripts@latest start

Or migrate to a new project:

npx create-react-app my-app

For Vue CLI — upgrade or migrate to Vite:

# Upgrade Vue CLI
npm install @vue/cli-service@latest --save-dev

# Or migrate to Vite (recommended)
npm create vue@latest

For Angular CLI:

ng update @angular/cli @angular/core

Angular 15+ uses webpack 5 internally and does not have this issue.

Pro Tip: If your project is on webpack 4, migrating to webpack 5 fixes this error and brings significant performance improvements (persistent caching, tree shaking improvements, module federation). The migration guide is at https://webpack.js.org/migrate/5/.

Fix 2: Use the NODE_OPTIONS Environment Variable

The quickest fix. Tell Node.js to allow the legacy OpenSSL provider:

Linux/macOS:

export NODE_OPTIONS=--openssl-legacy-provider
npm start

Windows (Command Prompt):

set NODE_OPTIONS=--openssl-legacy-provider
npm start

Windows (PowerShell):

$env:NODE_OPTIONS = "--openssl-legacy-provider"
npm start

Add it to your package.json scripts:

{
  "scripts": {
    "start": "react-scripts start",
    "start:legacy": "NODE_OPTIONS=--openssl-legacy-provider react-scripts start",
    "build": "react-scripts build",
    "build:legacy": "NODE_OPTIONS=--openssl-legacy-provider react-scripts build"
  }
}

Cross-platform using cross-env:

npm install cross-env --save-dev

{
  "scripts": {
    "start": "cross-env NODE_OPTIONS=--openssl-legacy-provider react-scripts start",
    "build": "cross-env NODE_OPTIONS=--openssl-legacy-provider react-scripts build"
  }
}

Common Mistake: Relying on --openssl-legacy-provider as a permanent solution. This flag re-enables deprecated cryptographic algorithms, which may have security implications. Use it as a temporary workaround while planning an upgrade to webpack 5 or a modern build tool.

Fix 3: Downgrade Node.js

If you cannot upgrade your build tools, use a Node.js version that supports the old algorithms:

# Using nvm (Node Version Manager)
nvm install 16
nvm use 16

# Using fnm
fnm install 16
fnm use 16

# Using volta
volta install node@16

Node.js 16 LTS is the last version that uses OpenSSL 1.1 by default.

Note: Node.js 16 reached end-of-life in September 2023. Running it in production has security risks. Use this as a temporary measure only.

Use .nvmrc to pin the version for the project:

echo "16" > .nvmrc

Then team members run nvm use to switch to the correct version.

Fix 4: Configure webpack to Use a Different Hash

If you are on webpack 4 and cannot upgrade yet, configure the hash function:

// webpack.config.js
const crypto = require("crypto");

// Use SHA-256 instead of MD4
const cryptoOrigCreateHash = crypto.createHash;
crypto.createHash = (algorithm) =>
  cryptoOrigCreateHash(algorithm === "md4" ? "sha256" : algorithm);

module.exports = {
  // ... your webpack config
};

For webpack 5 (if still seeing this error):

// webpack.config.js
module.exports = {
  output: {
    hashFunction: "xxhash64",  // Default in webpack 5.54+
  },
};

For older webpack 5:

module.exports = {
  output: {
    hashFunction: "sha256",
  },
};

Fix 5: Fix Create React App (CRA)

CRA 4 uses webpack 4 internally. You have several options:

Option 1: Upgrade to CRA 5:

npm install react-scripts@5 --save

Check for breaking changes in your project after upgrading.

Option 2: Use the legacy provider:

{
  "scripts": {
    "start": "react-scripts start",
    "build": "react-scripts build"
  }
}

Create a .env file:

NODE_OPTIONS=--openssl-legacy-provider

Option 3: Migrate away from CRA:

CRA is no longer actively maintained. Consider migrating to:

• Vite — npm create vite@latest my-app -- --template react
• Next.js — npx create-next-app@latest
• Remix — npx create-remix@latest

These tools use modern build pipelines (esbuild or SWC) and do not have the OpenSSL issue.

Fix 6: Fix for Specific Frameworks

Angular (older versions):

{
  "scripts": {
    "start": "ng serve",
    "start:legacy": "NODE_OPTIONS=--openssl-legacy-provider ng serve"
  }
}

Upgrade to Angular 15+ to permanently fix the issue.

Gatsby:

npm install gatsby@latest

Gatsby 4+ uses webpack 5.

Storybook:

npx storybook@latest upgrade

Storybook 7+ uses webpack 5 by default.

Nuxt 2:

{
  "scripts": {
    "dev": "NODE_OPTIONS=--openssl-legacy-provider nuxt"
  }
}

Or upgrade to Nuxt 3, which uses Vite.

Fix 7: Fix in Docker

If your Docker build fails with this error:

# Wrong — uses latest Node.js (which has OpenSSL 3.0)
FROM node:22

# Fix Option 1: Use Node.js 16
FROM node:16

# Fix Option 2: Set the environment variable
FROM node:22
ENV NODE_OPTIONS=--openssl-legacy-provider

Better fix — use a multi-stage build with the right Node version:

FROM node:22 AS build
ENV NODE_OPTIONS=--openssl-legacy-provider
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build

FROM nginx:alpine
COPY --from=build /app/dist /usr/share/nginx/html

Fix 8: Fix in CI/CD

GitHub Actions:

jobs:
  build:
    runs-on: ubuntu-latest
    env:
      NODE_OPTIONS: --openssl-legacy-provider
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      - run: npm run build

Or pin to Node.js 16:

- uses: actions/setup-node@v4
  with:
    node-version: 16

For GitHub Actions permission errors, see Fix: GitHub Actions permission denied.

Still Not Working?

Check for PostCSS plugins. Some older PostCSS plugins use MD4 directly. Update them:

npm update postcss postcss-loader css-loader

Check for mini-css-extract-plugin:

npm install mini-css-extract-plugin@latest --save-dev

Check for sass-loader issues:

npm install sass-loader@latest sass --save-dev

Audit your dependencies for the problematic call:

grep -r "createHash" node_modules --include="*.js" | grep "md4"

This shows which packages call createHash('md4'). Update or replace those packages.

Check if the error is from a test runner. Jest, Mocha, and other test runners might also trigger this if they use webpack transforms:

{
  "scripts": {
    "test": "NODE_OPTIONS=--openssl-legacy-provider jest"
  }
}

For webpack module resolution errors, see Fix: Module not found: Can’t resolve. For JavaScript heap memory issues during builds, see Fix: JavaScript heap out of memory.