Skip to content

Replace buffer-equal-constant-time with crypto.timingSafeEqual#52

Merged
panva merged 2 commits intoauth0:masterfrom
Tango992:omit-buffer-equal-constant-time-dependency
May 7, 2025
Merged

Replace buffer-equal-constant-time with crypto.timingSafeEqual#52
panva merged 2 commits intoauth0:masterfrom
Tango992:omit-buffer-equal-constant-time-dependency

Conversation

@Tango992
Copy link
Copy Markdown
Contributor

@Tango992 Tango992 commented May 7, 2025
edited
Loading

buffer-equal-constant-time uses SlowBuffer that has been removed on Node 24

By submitting a PR to this repository, you agree to the terms within the Auth0 Code of Conduct. Please see the contributing guidelines for how to create and submit a high-quality PR for this repo.

Description

This pull request addresses a compatibility issue with Node 24 by replacing the buffer-equal-constant-time package with the native crypto.timingSafeEqual method. buffer-equal-constant-time relies on SlowBuffer and has been removed on Node 24, causing this library to crash.

References

Fixes:

Testing

This PR doesn't change the code behavior and passed all tests.

  • This change adds test coverage for new/changed/fixed functionality

Checklist

  • I have added documentation for new/changed functionality in this PR or in auth0.com/docs
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used, if not the default branch

@Tango992
refactor: replace buffer-equal-constant-time with crypto.timingSafeEqual
421a509 
buffer-equal-constant-time uses SlowBuffer that has been removed on Node 24
@panva
Copy link
Copy Markdown
Member

panva commented May 7, 2025

Both runtime-deprecation and EOL of said Node.js API happened in the same major, that shouldn't have happened. nodejs/node#58211

@micksatana micksatana mentioned this pull request May 7, 2025
Merged
@panva
Copy link
Copy Markdown
Member

panva commented May 7, 2025
edited
Loading

@Tango992 can you apply this patch to your PR please? 0001-refactor-replace-buffer-equal-constant-time-with-cry.patch

Edit: gist

@panva panva mentioned this pull request May 7, 2025
Closed
4 tasks
@Tango992 @panva
refactor: falls back to buffer-equal-constant-time for older Node v…
7089f8b 
…ersions where `timingSafeEqual` is not available.

Co-authored-by: Filip Skokan <panva.ip@gmail.com>
@panva
Copy link
Copy Markdown
Member

panva commented May 7, 2025

I've flagged and raised this internally to address.

This was referenced May 7, 2025
Open
Open
panva added a commit that referenced this pull request May 7, 2025
@panva
refactor: replace buffer-equal-constant-time with crypto.timingSafeEq…
10c53c2 
…ual when available

Closes #52

Co-authored-by: Tango992
@panva panva mentioned this pull request May 7, 2025
Closed
@panva panva merged commit b8fef1e into auth0:master May 7, 2025
@Tango992 Tango992 deleted the omit-buffer-equal-constant-time-dependency branch May 7, 2025 11:29
panva added a commit that referenced this pull request May 7, 2025
@Tango992 @panva
Replace buffer-equal-constant-time with crypto.timingSafeEqual (#52)
4336d03 
* refactor: replace buffer-equal-constant-time with crypto.timingSafeEqual

buffer-equal-constant-time uses SlowBuffer that has been removed on Node 24

* refactor: falls back to `buffer-equal-constant-time` for older Node versions where `timingSafeEqual` is not available.

Co-authored-by: Filip Skokan <panva.ip@gmail.com>

---------

Co-authored-by: Filip Skokan <panva.ip@gmail.com>
@panva
Copy link
Copy Markdown
Member

panva commented May 7, 2025
edited
Loading

We've released patched versions of the jwa module with these changes. These releases take care of not using the deprecated code when crypto.timingSafeEqual() is available (while still using it when run in legacy codebase with EOL Node.js versions where it wasn't available).

Running npm upgrade jwa (or whichever package manager alternative you happen to use) will pick those patched versions up and fix the issue for you.

@panva
Copy link
Copy Markdown
Member

panva commented May 7, 2025

@Tango992 thank you

@Tango992
Copy link
Copy Markdown
Contributor Author

Tango992 commented May 7, 2025

Awesome! Thank you as well @panva

@torokati44 torokati44 mentioned this pull request May 7, 2025
Merged
serhalp added a commit to netlify/cli that referenced this pull request May 7, 2025
@serhalp
fix(deps): upgrade verdaccio + jswonwebtoken
d22c2fe 
This fixes a fatal error on the just-released node 24 coming from this transitive
dependency: auth0/node-jwa#52.
@serhalp serhalp mentioned this pull request May 7, 2025
Closed
1 task
@hoeck hoeck mentioned this pull request May 16, 2025
Merged
1 task
@juanpicado juanpicado mentioned this pull request Nov 23, 2025
Merged
@mbtools mbtools mentioned this pull request Dec 12, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@panva panva panva approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Tango992 @panva