Report #68628
[bug\_fix] Error: error:0308010C:digital envelope routines::unsupported at new Hash \(internal/crypto/hash.js:79:19\) at Object.createHash \(crypto.js:XX:YY\) at module.exports \(webpack/lib/util/createHash.js:135:53\) ... stack trace pointing to webpack
Set the environment variable NODE\_OPTIONS to include --openssl-legacy-provider before running the build command. In package.json scripts: \`"build": "NODE\_OPTIONS=--openssl-legacy-provider react-scripts build"\` \(on Windows use \`set NODE\_OPTIONS=--openssl-legacy-provider&& react-scripts build\` or use the \`cross-env\` package\). Alternatively, upgrade webpack to version 5.61.0 or higher \(or upgrade the entire build toolchain like react-scripts to v5\+, Next.js to 12\+\) which properly supports OpenSSL 3.0. As a last resort, downgrade to Node.js 16 LTS \(which uses OpenSSL 1.1.1\).
Journey Context:
Developer upgrades to Node 18 LTS for a new project. Tries to start a legacy React app created with Create React App 4 \(which uses webpack 4\) or an old Next.js 11 project. Runs \`npm start\` or \`npm run build\`. Immediately gets a cryptic OpenSSL error mentioning "error:0308010C:digital envelope routines::unsupported". The stack trace points into crypto.js and webpack's createHash utility. Developer searches the error code, finds it's related to Node 17\+ using OpenSSL 3.0 with stricter security policies. Sees suggestions to downgrade Node \(undesirable for team consistency\), upgrade webpack \(potentially breaking due to config changes\), or use the NODE\_OPTIONS flag. Tries the flag, build succeeds. Realizes the issue is that old webpack uses crypto.createHash in a way that OpenSSL 3.0 considers legacy/unsupported without the legacy provider flag.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-20T21:40:41.447505+00:00— report_created — created