
Replace buffer-equal-constant-time with crypto.timingSafeEqual #52


Merged

Conversation

Tango992
Contributor

@Tango992 Tango992 commented May 7, 2025

buffer-equal-constant-time uses SlowBuffer that has been removed on Node 24

By submitting a PR to this repository, you agree to the terms within the Auth0 Code of Conduct. Please see the contributing guidelines for how to create and submit a high-quality PR for this repo.

Description

This pull request addresses a compatibility issue with Node 24 by replacing the buffer-equal-constant-time package with the native crypto.timingSafeEqual method. buffer-equal-constant-time relies on SlowBuffer, which has been removed in Node 24, causing this library to crash.

References

Fixes:

Testing

This PR doesn't change the code behavior and passes all tests.

  • This change adds test coverage for new/changed/fixed functionality

Checklist

  • I have added documentation for new/changed functionality in this PR or in auth0.com/docs
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used, if not the default branch

buffer-equal-constant-time uses SlowBuffer that has been removed on Node 24

@panva
Member

panva commented May 7, 2025

Both the runtime deprecation and the EOL of said Node.js API happened in the same major; that shouldn't have happened. nodejs/node#58211

@panva
Member

panva commented May 7, 2025

@Tango992 can you apply this patch to your PR please? 0001-refactor-replace-buffer-equal-constant-time-with-cry.patch

Edit: gist

…ersions where `timingSafeEqual` is not available.

Co-authored-by: Filip Skokan <[email protected]>
@panva
Member

panva commented May 7, 2025

I've flagged and raised this internally to address.

panva added a commit that referenced this pull request May 7, 2025
…ual when available

Closes #52

Co-authored-by: Tango992
@panva panva merged commit b8fef1e into auth0:master May 7, 2025
@kangkangovo2333

How long does it take for a version update?

@Tango992 Tango992 deleted the omit-buffer-equal-constant-time-dependency branch May 7, 2025 11:29
panva added a commit that referenced this pull request May 7, 2025
* refactor: replace buffer-equal-constant-time with crypto.timingSafeEqual

buffer-equal-constant-time uses SlowBuffer that has been removed on Node 24

* refactor: falls back to `buffer-equal-constant-time` for older Node versions where `timingSafeEqual` is not available.

Co-authored-by: Filip Skokan <[email protected]>

---------

Co-authored-by: Filip Skokan <[email protected]>
@panva
Member

panva commented May 7, 2025

We've released patched versions of the jwa module with these changes. These releases take care of not using the deprecated code when crypto.timingSafeEqual() is available (while still using it when run in legacy codebase with EOL Node.js versions where it wasn't available).

Running npm upgrade jwa (or whichever package manager alternative you happen to use) will pick those patched versions up and fix the issue for you.

@panva
Member

panva commented May 7, 2025

@Tango992 thank you

@Tango992
Contributor Author

Tango992 commented May 7, 2025

Awesome! Thank you as well @panva

serhalp added a commit to netlify/cli that referenced this pull request May 7, 2025
This fixes a fatal error on the just-released node 24 coming from this transitive
dependency: auth0/node-jwa#52.

3 participants