This cryptographic error occurs when using Node.js v17+ with Vite, caused by OpenSSL 3.0 dropping support for legacy hash algorithms like MD4 that older build tools depend on.
This error appears when Vite attempts to load its configuration file but encounters a cryptographic operation that's no longer supported in modern Node.js versions. Starting with Node.js v17, the runtime switched to OpenSSL 3.0, which removed several legacy cryptographic algorithms including MD4 hashing. The error code "0308010C" specifically indicates that a digital envelope routine (used for encryption/decryption operations) attempted to use an unsupported algorithm. Vite's dependency chain—particularly older versions of webpack or esbuild—may rely on these legacy algorithms for generating build hashes and other cryptographic operations. This is fundamentally a Node.js compatibility issue rather than a Vite bug. The error surfaces during config loading because that's when Vite first invokes these cryptographic operations to process and bundle your configuration file.
Set the NODE_OPTIONS environment variable to use the legacy OpenSSL provider:
Linux/macOS:
export NODE_OPTIONS=--openssl-legacy-provider
npm run devWindows (Command Prompt):
set NODE_OPTIONS=--openssl-legacy-provider
npm run devWindows (PowerShell):
$env:NODE_OPTIONS="--openssl-legacy-provider"
npm run devPermanent solution in package.json:
{
"scripts": {
"dev": "NODE_OPTIONS=--openssl-legacy-provider vite",
"build": "NODE_OPTIONS=--openssl-legacy-provider vite build"
}
}For cross-platform compatibility, use the cross-env package:
npm install --save-dev cross-env{
"scripts": {
"dev": "cross-env NODE_OPTIONS=--openssl-legacy-provider vite",
"build": "cross-env NODE_OPTIONS=--openssl-legacy-provider vite build"
}
}This re-enables the legacy algorithms that were removed in OpenSSL 3.0.
If you're on Node.js v17 or v18, upgrade to the latest LTS version (Node.js 20+):
# Check current version
node --version
# Using nvm (recommended)
nvm install --lts
nvm use --lts
# Or download from nodejs.org
# https://nodejs.org/Newer Node.js versions include better compatibility handling and updated build tools have adapted to OpenSSL 3.0 changes.
After upgrading, clean install dependencies:
rm -rf node_modules package-lock.json
npm installUpgrade Vite and related build tools to versions that support Node.js v17+:
# Update Vite to latest version
npm install vite@latest --save-dev
# Update all build-related dependencies
npm update esbuild webpack @vitejs/plugin-reactCheck your package.json for minimum recommended versions:
- Vite 3.0.0+ (better yet, 4.0.0+)
- esbuild 0.15.0+
- webpack 5.0.0+ (if used)
After updating:
rm -rf node_modules package-lock.json
npm install
npm run devEnsure your vite.config.ts uses proper ESM syntax and TypeScript configuration:
// vite.config.ts
import { defineConfig } from 'vite';
import react from '@vitejs/plugin-react';
export default defineConfig({
plugins: [react()],
});Check package.json has proper module configuration:
{
"type": "module"
}If not using "type": "module", rename to vite.config.mts:
mv vite.config.ts vite.config.mtsThe .mts extension explicitly marks the file as an ES module.
If you need an immediate fix and can't update dependencies, downgrade to Node.js v16:
# Using nvm
nvm install 16
nvm use 16
# Verify version
node --version # Should show v16.x.x
# Clean install
rm -rf node_modules package-lock.json
npm installWarning: Node.js v16 reached end-of-life in September 2023. This is only a temporary solution while you plan to update your dependencies. Do not use this approach for production deployments.
Understanding OpenSSL 3.0 Changes:
Node.js v17 introduced OpenSSL 3.0, which removed several legacy cryptographic algorithms deemed insecure, including MD4, MD5 (in some contexts), and others. This was a security-focused decision, but it broke backward compatibility with build tools that relied on these algorithms for non-security-critical operations like generating content hashes.
Why --openssl-legacy-provider works:
This flag tells Node.js to load the legacy provider from OpenSSL 3.0, which includes the removed algorithms. While this sounds concerning from a security perspective, these algorithms are only used for build-time operations (file hashing, cache keys) and not for actual cryptographic security in your application. Your production code's security is unaffected.
Production considerations:
If deploying to environments where you control the Node.js version (Docker, serverless functions), ensure your package.json specifies an engine requirement:
{
"engines": {
"node": ">=20.0.0"
}
}Alternative: Use a different bundler:
If Vite continues causing issues, consider alternatives like Turbopack, Rspack, or updating to frameworks with built-in bundlers (Next.js 13+, Remix) that handle these compatibility issues transparently.
CI/CD pipelines:
In GitHub Actions, specify Node.js version explicitly:
- uses: actions/setup-node@v4
with:
node-version: '20'For Docker builds:
FROM node:20-alpine
ENV NODE_OPTIONS=--openssl-legacy-providerProp spreading could cause security issues
Prop spreading could cause security issues
Error: error:0308010C:digital envelope routines::unsupported
Error: error:0308010C:digital envelope routines::unsupported
React Hook "useEffect" is called conditionally. React Hooks must be called in the exact same order in every component render.
React Hook useEffect placed inside a condition
Hook can only be called inside the body of a function component
Hook can only be called inside the body of a function component
Rollup failed to resolve import during build
How to fix "Rollup failed to resolve import" in React