Issue with SlowBuffer.prototype.equal Dependency in Node.js v24.0.0 #1937

Open
2 of 4 tasks
miyu4u opened this issue May 7, 2025 · 3 comments
Labels
bug Something isn't working needs triage

Comments

miyu4u commented May 7, 2025

Is there an existing issue for this?

  • I have searched the existing issues

Current behavior

Node.js v24.0.0 was released on May 6th, 2025.
https://nodejs.org/en/blog/release/v24.0.0

As of this version, the runtime SlowBuffer has been deprecated.
nodejs/node#55175

This patch has broken the entire JWT dependency chain.

Related:
auth0/node-jsonwebtoken#992
nodejs/node#58211

There does not appear to be a solution at this time, so anyone encountering the same issue should continue using Node.js v23.

Library maintainers: once this issue is resolved, please update the dependency and close this issue.

Thank you for your continued hard work and support!

Minimum reproduction code

https://gist.github.com/miyu4u/18c88cdef1b582edece1b9df96ab468b

Steps to reproduce

No response

Expected behavior

Build should succeed without errors and work properly.

Package version

11.0.0

NestJS version

^10.0.0

Node.js version

24.0.0

In which operating systems have you tested?

  • macOS
  • Windows
  • Linux

Other

No response

@miyu4u miyu4u added bug Something isn't working needs triage labels May 7, 2025
panva commented May 7, 2025

I'm running a number of efforts on different fronts

  1. asking internally to have "Replace buffer-equal-constant-time with crypto.timingSafeEqual" (auth0/node-jwa#52) released (after the requested patch has been applied to it)
  2. revert the removal in node prematurely (Revert "buffer: move SlowBuffer to EOL" nodejs/node#58211) and hopefully get node releasers to get a patch release out
  3. get "refactors and new algorithms" (auth0/node-jsonwebtoken#978) out as a new major to remove the dependency on jws/jwa entirely (amongst other goodies)
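
Added example (not part of the thread, and not code from node-jwa, jws or jsonwebtoken): a sketch of the kind of replacement the first item names, comparing an HS256 signature with `crypto.timingSafeEqual` instead of a comparison that depends on `SlowBuffer`. The names `constantTimeEqual`, `signHS256`, `verifyHS256`, `makeToken` and `SECRET` are hypothetical, and the key and token are constructed sample values.

```javascript
const crypto = require('node:crypto');

// Constant-time equality that does not reference SlowBuffer at all.
// crypto.timingSafeEqual throws a RangeError when the byte lengths differ,
// so reject a length mismatch first. The length of an HMAC tag is public,
// so this early return leaks nothing about the secret.
function constantTimeEqual(a, b) {
  if (!Buffer.isBuffer(a) || !Buffer.isBuffer(b)) return false;
  if (a.length !== b.length) return false;
  return crypto.timingSafeEqual(a, b);
}

function signHS256(signingInput, secret) {
  return crypto.createHmac('sha256', secret).update(signingInput).digest();
}

// Verify a compact HS256 token: header.payload.signature (base64url parts).
function verifyHS256(token, secret) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return false;
  const [header, payload, sig] = parts;
  let alg;
  try {
    alg = JSON.parse(Buffer.from(header, 'base64url').toString('utf8')).alg;
  } catch {
    return false; // malformed or non-object header
  }
  if (alg !== 'HS256') return false; // pin the algorithm, never trust the header
  const expected = signHS256(`${header}.${payload}`, secret);
  const presented = Buffer.from(sig, 'base64url');
  return constantTimeEqual(expected, presented);
}

// Constructed sample key and token, for demonstration only.
const SECRET = 'constructed-demo-secret';
function makeToken(claims, secret) {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const input = `${b64({ alg: 'HS256', typ: 'JWT' })}.${b64(claims)}`;
  return `${input}.${signHS256(input, secret).toString('base64url')}`;
}
const good = makeToken({ sub: 'demo' }, SECRET);
const truncated = good.slice(0, -4); // shorter signature: rejected, no throw
```

A truncated or otherwise wrong-length signature has to come back as `false` rather than as an uncaught `RangeError`, which is why the length check sits in front of `crypto.timingSafeEqual`.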

miyu4u commented May 7, 2025

> I'm running a number of efforts on different fronts
>
>   1. asking internally to have "Replace buffer-equal-constant-time with crypto.timingSafeEqual" (auth0/node-jwa#52) released (after the requested patch has been applied to it)
>   2. revert the removal in node prematurely (Revert "buffer: move SlowBuffer to EOL" nodejs/node#58211) and hopefully get node releasers to get a patch release out
>   3. get "refactors and new algorithms" (auth0/node-jsonwebtoken#978) out as a new major to remove the dependency on jws/jwa entirely (amongst other goodies)

Thanks for contributions as always. This is an issue I found while building the app today, and I'm using it by temporarily fixing the Node.js version to v23.11.0.

panva commented May 7, 2025

LTS releases should be the way to go, I don't remember a Node.js major that didn't unintentionally break ;) but hey, without early adopters we wouldn't have known...
