Problem using yarn to start a react application [duplicate]

Question

I created the default IntelliJ IDEA React project and got this:

Error: error:0308010C:digital envelope routines::unsupported
    at new Hash (node:internal/crypto/hash:67:19)
    at Object.createHash (node:crypto:130:10)
    at module.exports (/Users/user/Programming Documents/WebServer/untitled/node_modules/webpack/lib/util/createHash.js:135:53)
    at NormalModule._initBuildHash (/Users/user/Programming Documents/WebServer/untitled/node_modules/webpack/lib/NormalModule.js:417:16)
    at handleParseError (/Users/user/Programming Documents/WebServer/untitled/node_modules/webpack/lib/NormalModule.js:471:10)
    at /Users/user/Programming Documents/WebServer/untitled/node_modules/webpack/lib/NormalModule.js:503:5
    at /Users/user/Programming Documents/WebServer/untitled/node_modules/webpack/lib/NormalModule.js:358:12
    at /Users/user/Programming Documents/WebServer/untitled/node_modules/loader-runner/lib/LoaderRunner.js:373:3
    at iterateNormalLoaders (/Users/user/Programming Documents/WebServer/untitled/node_modules/loader-runner/lib/LoaderRunner.js:214:10)
    at iterateNormalLoaders (/Users/user/Programming Documents/WebServer/untitled/node_modules/loader-runner/lib/LoaderRunner.js:221:10)
/Users/user/Programming Documents/WebServer/untitled/node_modules/react-scripts/scripts/start.js:19
  throw err;
  ^

It seems to be a recent issue - webpack ran into this 4 days ago and is still working on it.

Answer 1

The error comes from your dependency relying on an obsolete version of SSL, so you have two good, and two questionable-at-best options:

1. Try to just reinstall your dependency

• Delete your node_modules folder and rerun npm install. If your dependency relies on compiling against whatever version of Node you have installed, this may immediately fix the problem. This is the least likely solution to work, but may fix the problem without any "real" work on your part so is always worth trying.

2. Update your dependency

• Almost all dependencies with this problem have a newer version available that you can install instead. Find out which version of your dependency corresponds to after Node 18 became the LTS version of Node, band uplift your dependency to that version.

This is, really, the only proper solution: update your dependencies, because just like Node.js itself, they can leave your project vulnerable to attacks and exploits.

3. Downgrade to Node.js v16.

• You can downgrade Node itself so that you're using a version that uses the old, insecure, version of LibSSL. That doesn't "solve" the problem of running insecure and potentially exploitable code, of course, but your code will at least run.

(You can either do that using the official Node installers, or you can use something like nvm. For Windows, use nvm-windows.)

This is, obviously, a bad idea. As is the next one:

4. Tell Node to use the legacy OpenSSL provider

On Unix-like (Linux, macOS, Git bash, etc.):

export NODE_OPTIONS=--openssl-legacy-provider

On Windows command prompt:

set NODE_OPTIONS=--openssl-legacy-provider

On PowerShell:

$env:NODE_OPTIONS = "--openssl-legacy-provider"

When Node 18 had just become the active LTS options 1 and 2 weren't really available, but for anyone still finding this answer, 3 and 4 should no longer be considered serious options in any way.

Answer 2

Danger

This question has more than 30 answers, most suggesting to either downgrade Node.js to pre v17 or to use the legacy SSL provider. Both of those solutions are hacks that leave your builds open to security threats.

Reason For The Error

In Node.js v17, the Node.js developers closed a security hole in the SSL provider. This fix was a breaking change that corresponded with similar breaking changes in the SSL packages in NPM. When you attempt to use SSL in Node.js v17 or later without also upgrading those SSL packages in your package.json, then you will see this error.

The Correct (safe) Solution (for npm users)

Use an up-to-date version of Node.js, and also use packages that are up-to-date with security fixes.

You can first try an update to see if that solves the problem:

npm update

If that is not enough, for many people, the following command will fix the issue:

npm audit fix --force

However, be aware that, for complex builds, the above command will pull in breaking security fixes that can potentially break your build.

Note for Yarn users

Yarn users can use yarn-audit-fix which can be run without installing as a dependency via

npm_config_yes=true npx yarn-audit-fix

or windows powershell:

$env:npm_config_yes = 1; npx yarn-audit-fix

A less heavy-handed (also correct) solution for Webpack

In your Webpack config, set either of the following: (See the ouput.hashFunction docs)

A. (Webpack v5) Set output.hashFunction = 'xxhash64'.
B. (Webpack v4) This will depend on what hash algorithms nodejs supports on your system. Some common options you can try are output.hashFunction = 'sha512' or output.hashFunction = 'sha256'.

See more info in Greg's answer.