Node.js ERR_OSSL_EVP_UNSUPPORTED Error
Problem Statement
Node.js developers might encounter the ERR_OSSL_EVP_UNSUPPORTED error when running scripts like npm run start. The error typically appears as:
ex.js:59:103 {
opensslErrorStack: ['error:03000086:digital envelope routines::initialization error'],
library: 'digital envelope routines',
reason: 'unsupported',
code: 'ERR_OSSL_EVP_UNSUPPORTED'
}
Node.js v19.8.1 ERROR: "front" exited with 1.This error indicates Node.js is attempting to use encryption algorithms disabled by default in OpenSSL 3.0 (introduced in Node.js v17+). Common scenarios include:
- Using older dependencies that rely on deprecated cryptographic algorithms
- Running applications on Node.js versions 17+ without configuration adjustments
- Unresolved security updates in dependencies
WARNING
While environment variable workarounds exist, they should be considered temporary solutions. The preferred approach involves dependency updates to address the root cause.
Solution 1: Update Dependencies
The optimal long-term solution is to update dependencies that use legacy encryption standards. Modern versions of popular packages (like react-scripts) have resolved compatibility issues with OpenSSL 3.0.
Step-by-Step Process:
Audit dependencies:
bashnpm audit --include=devFix vulnerabilities:
bashnpm audit fix --force --include=devUpdate specific problematic packages:
bashnpm install react-scripts@latest # Or for specific package updates npm install package-name@latest
TIP
Use --include=dev to audit development dependencies. If your npm version is below 7.20.0, substitute with --dev.
Solution 2: OpenSSL Legacy Provider (Temporary Fix)
For development environments or immediate fixes, enable OpenSSL legacy support with environmental variables before running your script.
OS-Specific Commands:
::: code-group-item Linux/macOS (Terminal)
export NODE_OPTIONS=--openssl-legacy-provider
npm run start::: ::: code-group-item Windows (CMD)
set NODE_OPTIONS=--openssl-legacy-provider && npm run start::: ::: code-group-item Windows (PowerShell)
$env:NODE_OPTIONS="--openssl-legacy-provider"
npm run start:::
DANGER
This workaround reduces security by enabling deprecated cryptographic algorithms. Avoid using it in production environments.
To persist the setting for a session:
- Linux/macOS: Add
export NODE_OPTIONS=--openssl-legacy-providerto your shell profile (.bashrc/.zshrc) - Windows: Set as a system environment variable
Solution 3: Downgrade Node.js (Not Recommended)
While switching to Node.js 16.x or earlier avoids this issue (as these versions predate the OpenSSL 3.0 change), this introduces security risks and compatibility issues with newer packages.
WARNING
Node.js 16 reached end-of-life in September 2023. Use only for temporary debugging—not as a permanent solution.
If absolutely necessary:
nvm install 16.20.2 # Install a Node v16 version
nvm use 16.20.2 # Switch to v16Why These Solutions Work
The ERR_OSSL_EVP_UNSUPPORTED error occurs because:
- Node.js v17+ uses OpenSSL 3.0
- OpenSSL 3.0 disables legacy cryptographic algorithms by default
- Older dependencies use these deprecated algorithms
TIP
To prevent similar issues, audit dependencies frequently:
npm outdated
npm updateThe recommended dependency updates resolve incompatibility at the source. The environment variable workaround reverts OpenSSL to legacy behavior, allowing temporary execution.
Conclusion
| Solution | Recommended For | Security Impact |
|---|---|---|
| Update dependencies | All environments | ✅ Improves security |
NODE_OPTIONS workaround | Temporary development use | ⚠️ Reduces security |
| Node version downgrade | Legacy debugging | ❌ High vulnerability |
Always prioritize updating dependencies to their OpenSSL 3.0-compliant versions. This approach resolves the root cause while maintaining application security. Reserve the legacy provider workaround only while updating dependencies. Monitor your npm audit reports regularly to catch similar issues proactively.