Buffer is not defined

[Borvik]

We are currently using crypto-browserify as a fallback for crypto.

We just started getting "Buffer is not defined" and I tracked that back to the new version of pbkdf2 (3.1.3) released 5 days ago.

Specifically the change for:

[Fix] pin create-hash, ripemd160 due to breaking changes

Previously create-hash was ^1.1.2 which allowed version 1.2.0 to be pulled and used. Now with ~1.1.3 it forced a backwards change in version for create-hash.

This caused it to use the old version of the make-hash function which does not use safe-buffer or md5.js.

[mohamadjatu]

Thanks for addressing this important security fix. I wanted to share an issue I ran into after upgrading to [email protected].

I'm currently using [email protected] as a fallback for the Node.js crypto module in both my Webpack and Rspack configurations. After upgrading pbkdf2 to 3.1.3, my application started throwing runtime errors due to unsupported or misformatted hash algorithm names — something that worked silently before now fails explicitly, as expected per the fix.

What is the resolution for this?

[jtarvainen]

Not sure if related, but after updating to [email protected], my application crashes upon startup because the newly added to-bufferdependency is missing. Interestingly, when I run npm install, the dependency is added to package-lock.json, but with npm update -S, it isn't. I've never encountered anything like this before so wanted to mention it here.

[leeyongl5263]

I am also experiencing the same issue. Could not find the resolution so far. Is there any way to avoid this? only downgrade?

[ljharb]

Why would Buffer ever not be defined?

A working node module bundler provides every node global and core module as needed, which includes Buffer. I'd suggest filing an issue on your broken bundler.