## What's happening

You ran your build or started your dev server and got hit with this:

```
Error: error:0308010C:digital envelope routines::unsupported
    at new Hash (node:internal/crypto/hash:67:19)
    at Object.createHash (node:crypto:130:10)
    ...
ERR_OSSL_EVP_UNSUPPORTED
```

Node.js 17+ ships with OpenSSL 3. The problem? Your project still relies on older tooling: webpack 4, react-scripts v4, or any package that calls cryptographic APIs that OpenSSL 3 dropped. Your code didn't change. The runtime did.

Specifically, OpenSSL 3 removed MD4-based hashing from its default provider, and MD4 is exactly what webpack 4 used internally for generating chunk hashes. That's the whole conflict in a nutshell.

## Confirming the environment

Run these two commands first:

```bash
node -v
openssl version
```

Node.js 17+ paired with OpenSSL 3.x is your culprit. The stack trace is another giveaway: it almost always points to `node:internal/crypto/hash` or a webpack module buried a few frames deep.

## Solutions

### Option 1: Set NODE_OPTIONS (quick fix, good for CI/local dev)

One environment variable is all you need to unblock yourself right now:

```
# Linux / macOS
export NODE_OPTIONS=--openssl-legacy-provider
npm start

# Windows (Command Prompt)
set NODE_OPTIONS=--openssl-legacy-provider
npm start

# Windows (PowerShell)
$env:NODE_OPTIONS="--openssl-legacy-provider"
npm start
```

Tired of setting it every session? Bake it into `package.json` so the whole team gets it automatically:

```json
{
  "scripts": {
    "start": "NODE_OPTIONS=--openssl-legacy-provider react-scripts start",
    "build": "NODE_OPTIONS=--openssl-legacy-provider react-scripts build"
  }
}
```

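Fair warning: this re-enables deprecated behavior. The flag loads OpenSSL's legacy provider, so MD4 and the other retired algorithms become available to every Node.js process that inherits the variable, not just the bundler; keep it scoped to build and dev commands. The inline `VAR=value command` form in the scripts above also only works in POSIX shells, so Windows users need a wrapper such as `cross-env`. It works, but it's a bridge, not a destination. Schedule time to move past it.
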
### Option 2: Upgrade react-scripts (for Create React App projects)

Still on react-scripts v4? Version 5 switched to webpack 5 and handles OpenSSL 3 without any workarounds:

```bash
npm install react-scripts@latest
```

Drop the `NODE_OPTIONS` hack after upgrading and run a full build to confirm. react-scripts 5 works with Node.js 18+ out of the box, no flags needed.

### Option 3: Upgrade webpack (for custom webpack setups)

Managing webpack yourself? Jump from v4 to v5:

```bash
npm install webpack@latest webpack-cli@latest
```

webpack 5 generates chunk hashes using a different algorithm that's fully compatible with OpenSSL 3. There are breaking changes in the upgrade though, so skim the official migration guide before going in blind.

### Option 4: Downgrade Node.js (last resort)

Can't touch dependencies right now? Pin to Node.js 16, which ships with OpenSSL 1.1.1:

```bash
# Using nvm
nvm install 16
nvm use 16

# Set as default
nvm alias default 16
```

Commit a `.nvmrc` file so everyone on the team lands on the same version:

```bash
echo "16" > .nvmrc
```

One catch: Node.js 16 hit end-of-life in September 2023, so it no longer receives security fixes. This buys you time, not a long-term home.

## Verifying the fix

Run your build or dev server:

```bash
npm start
# or
npm run build
```

No `ERR_OSSL_EVP_UNSUPPORTED` in the output? You're done. If you're on CI, double-check that the environment variable is actually set there too, since it's the most common place the fix gets missed.

Want to test Node's crypto directly? Try this one-liner:

```bash
node -e "require('crypto').createHash('md4').update('test').digest('hex')"
```

On Node.js 17+ without the legacy flag, that throws. With `--openssl-legacy-provider`, it runs clean. On a fully upgraded stack (webpack 5 + Node 18+), you won't need md4 at all, and the issue just disappears.

## Which fix to pick

- Short-term / CI fix: Set `NODE_OPTIONS=--openssl-legacy-provider`
- CRA projects: Upgrade to `react-scripts@5`
- Custom webpack: Upgrade to webpack 5
- Can't touch dependencies: Pin Node.js to v16 temporarily

## How to avoid this next time

This error ambushes teams when someone upgrades Node.js globally, or CI silently bumps its runner image, without checking whether the build tooling can keep up. Three habits that prevent it:

- Pin your Node.js version in `.nvmrc` and in the `engines` field of `package.json`. If the version isn't explicit, it's a surprise waiting to happen.
- Before bumping a Node.js major version, verify that your build tools have a compatible release. A five-minute check beats a broken pipeline.
- If you're still using `--openssl-legacy-provider` past 2024, put upgrading your build tooling on the backlog. The flag isn't going away tomorrow, but it signals unfinished business.
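
The checks and habits above can be combined into one preflight script for CI. This is an added example, not code from the original article: `auditPackage`, `probeRuntime`, `majorOf` and the sample manifest are hypothetical names and constructed data, and the version thresholds are the ones this page gives (react-scripts 5, webpack 5).

```javascript
// Added example: audit for the MD4 / OpenSSL 3 conflict described above.
const crypto = require('node:crypto');

const LEGACY_FLAG = '--openssl-legacy-provider';

// First number in a version range ("^4.0.3" -> 4); null for tags like "latest".
function majorOf(range) {
  const m = /\d+/.exec(range || '');
  return m ? Number(m[0]) : null;
}

// Static check of a parsed package.json; returns human-readable findings.
function auditPackage(pkg) {
  const findings = [];
  const deps = { ...pkg.dependencies, ...pkg.devDependencies };
  for (const [name, cmd] of Object.entries(pkg.scripts || {})) {
    if (cmd.includes(LEGACY_FLAG)) findings.push(`script "${name}" enables the legacy provider`);
  }
  const rs = majorOf(deps['react-scripts']);
  if (rs !== null && rs < 5) findings.push('react-scripts is below v5');
  const wp = majorOf(deps.webpack);
  if (wp !== null && wp < 5) findings.push('webpack is below v5');
  if (!(pkg.engines && pkg.engines.node)) findings.push('engines.node is not set');
  return findings;
}

// Runtime check: is MD4 usable in this process, and is the flag in effect?
// NODE_OPTIONS and command-line flags are separate channels, so check both.
function probeRuntime(env = process.env, execArgv = process.execArgv) {
  let md4 = true;
  try {
    crypto.createHash('md4').update('test').digest('hex');
  } catch {
    md4 = false; // ERR_OSSL_EVP_UNSUPPORTED on Node.js 17+ without the flag
  }
  const legacyFlag =
    (env.NODE_OPTIONS || '').includes(LEGACY_FLAG) || execArgv.includes(LEGACY_FLAG);
  return { node: process.versions.node, openssl: process.versions.openssl, md4, legacyFlag };
}

// Constructed sample manifest (not from a real project).
const samplePkg = {
  scripts: { start: `NODE_OPTIONS=${LEGACY_FLAG} react-scripts start`, test: 'react-scripts test' },
  dependencies: { 'react-scripts': '4.0.3' },
};
console.log(auditPackage(samplePkg));
console.log(probeRuntime());
```

A CI job can fail the build when `auditPackage` returns findings, or when `probeRuntime().md4` is true on a runner that is supposed to be free of the legacy provider.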

