Dev Solve

English

中文
日本語

English

中文
日本語

Appearance

Related Posts

npm --force vs --legacy-peer-deps

ERR_PACKAGE_PATH_NOT_EXPORTED Error: Solutions and Causes

Resolving "Unknown file extension .ts" Error in Node.js

npm ERR! cb.apply is not a function - Solutions

Node Sass Environment Compatibility Error on Windows

NODE_OPTIONS Error: Fixing "--openssl-legacy-provider is not allowed"

Problem Overview

The error "node: --openssl-legacy-provider is not allowed in NODE_OPTIONS" occurs when Node.js encounters the --openssl-legacy-provider flag in the NODE_OPTIONS environment variable, but the current Node.js version doesn't permit this configuration. This commonly happens after system updates, Node.js version changes, or when working with older projects that require legacy OpenSSL support.

The issue typically manifests when:

  • Running npm start or other npm scripts
  • Executing Node.js commands directly
  • Working with React, Angular, React Native, or Vue.js projects
  • Using older toolchains or dependencies that require legacy cryptographic functions

Root Cause

This error stems from changes in Node.js's OpenSSL implementation. Newer Node.js versions (particularly v17+) have stricter security policies and restrict the use of legacy OpenSSL providers through NODE_OPTIONS for security reasons.

The conflict arises when:

  1. NODE_OPTIONS environment variable contains --openssl-legacy-provider
  2. Projects or system configurations explicitly set this flag
  3. The flag exists in npm scripts within package.json
  4. The flag is configured in .npmrc files

Solutions

1. Clear the NODE_OPTIONS Environment Variable

The most direct solution is to unset the NODE_OPTIONS environment variable:

bash
unset NODE_OPTIONS
powershell
$env:NODE_OPTIONS = ""
cmd
set NODE_OPTIONS=

This approach works when the variable was set temporarily in your current session.

TIP

To make this change permanent, remove any export NODE_OPTIONS=--openssl-legacy-provider lines from your shell configuration files (.bashrc, .zshrc, .profile, etc.).

2. Update Package.json Scripts

If the flag is hardcoded in your package.json scripts, modify them to remove the explicit --openssl-legacy-provider flag:

json
{
  "scripts": {
    // Before (problematic):
    "start": "cross-env PORT=10888 HTTPS=false react-scripts start --openssl-legacy-provider",
    
    // After (fixed):
    "start": "cross-env PORT=10888 HTTPS=false react-scripts start"
  }
}

3. Configure Project-Specific Settings via .npmrc

For projects that genuinely need the legacy provider, configure it project-specificly through .npmrc:

ini
# Create or edit .npmrc in your project root
node-options="--openssl-legacy-provider"

WARNING

Using the legacy provider reduces security. Only use this approach if absolutely necessary and update your dependencies to support modern crypto standards as soon as possible.

4. Use Appropriate Node.js Version

Ensure you're using a Node.js version compatible with your project:

bash
# Check current version
node -v

# Use nvm to switch versions
nvm install 18  # For newer projects
nvm install 16  # For better legacy compatibility
nvm use 18      # Switch to specific version

INFO

Node.js 16.x LTS often provides better compatibility with legacy projects while maintaining security updates.

5. System-Wide Configuration (Advanced)

On Linux systems, you can enable legacy provider support system-wide by editing OpenSSL configuration:

bash
# Edit OpenSSL configuration (location may vary by distribution)
sudo nano /etc/ssl/openssl.cnf

Uncomment or add the legacy provider section:

ini
[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1

DANGER

Modifying system-wide OpenSSL configuration affects all applications and may introduce security vulnerabilities. Use this approach only as a last resort.

Prevention and Best Practices

  1. Keep dependencies updated: Regularly update your project dependencies to avoid relying on legacy cryptographic functions.

  2. Use Node Version Manager: Utilize nvm to manage multiple Node.js versions for different projects.

  3. Environment variable hygiene: Avoid setting NODE_OPTIONS globally; use project-specific configuration when needed.

  4. Document project requirements: Include Node.js version requirements in package.json or documentation:

json
{
  "engines": {
    "node": ">=16.0.0"
  }
}

Troubleshooting Steps

If you continue experiencing issues:

  1. Check current environment variables:

    bash
    # Unix/Linux/macOS
printenv | grep NODE_OPTIONS

# Windows
set | findstr NODE_OPTIONS

  2. Verify Node.js and npm versions:

    bash
    node -v
npm -v

  3. Check for conflicting configurations in:

    • Project .npmrc
    • User .npmrc (~/.npmrc)
    • Global npm config (npm config list)

  4. Examine shell configuration files for NODE_OPTIONS exports

When to Use Legacy Provider

The --openssl-legacy-provider flag should only be used temporarily when:

  • Maintaining legacy projects that cannot be immediately updated
  • Working with dependencies that haven't been updated for modern OpenSSL
  • During migration periods while updating cryptographic implementations

Always prioritize updating your codebase to use modern, secure cryptographic standards rather than relying on legacy providers long-term.

Example of complete migration process
bash
# 1. Identify which dependencies need legacy provider
npm list | grep -i ssl

# 2. Update dependencies one by one
npm update package-name

# 3. Remove legacy provider from configuration
# 4. Test thoroughly after each change

By following these solutions and best practices, you can resolve the NODE_OPTIONS error while maintaining a secure and maintainable development environment.