DeprecationWarning: Buffer() is deprecated due to security and usability issues when I move my script to another server

Question

Getting error when script move to other server.

(node:15707) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.

Current Versions:

Ubuntu 16.04.4 LTS  
Node - v10.9.0  
NPM - 6.2.0

Previous Version:

Ubuntu 14.04.3 LTS
NPM - 3.10.10
Node - v6.10.3

exports.basicAuthentication = function (req, res, next) {
    console.log("basicAuthentication");
    if (!req.headers.authorization) {
        return res.status(401).send({
            message: "Unauthorised access"
        });
    }
    var auth = req.headers.authorization;
    var baseAuth = auth.replace("Basic", "");
    baseAuth = baseAuth.trim();
    var userPasswordString = new Buffer(baseAuth, 'base64').toString('ascii');
    var credentials = userPasswordString.split(':');

    var username = credentials[0] !== undefined ? credentials[0] : '';
    var password = credentials[1] !== undefined ? credentials[1] : '';
    var userQuery = {mobilenumber: username, otp: password};
    console.log(userQuery);
    User.findOne(userQuery).exec(function (err, userinfo) {
        if (err || !userinfo) {
             return res.status(401).send({
                message: "Unauthorised access"
             });
        } else {
            req.user = userinfo;
            next();
        }
    });

 }

Did you check this thread? https://github.com/yarnpkg/yarn/issues/5770 — Hemadri Dasari, Sep 04 '18 at 11:40
This is not an error, it is a warning that this method of creating a buffer is deprecated: https://nodejs.org/api/buffer.html#buffer_new_buffer_string_encoding — stdob--, Sep 04 '18 at 11:45
dude never said he used yarn, he is using npm. I have this right now and it just started and I am also not using yarn or a buffer — daddycardona, Oct 22 '21 at 00:12

score 542 · Accepted Answer · answered Sep 10 '18 at 12:05

542

new Buffer(number)            // Old
Buffer.alloc(number)          // New

new Buffer(string)            // Old
Buffer.from(string)           // New

new Buffer(string, encoding)  // Old
Buffer.from(string, encoding) // New

new Buffer(...arguments)      // Old
Buffer.from(...arguments)     // New

Note that Buffer.alloc() is also faster on the current Node.js versions than new Buffer(size).fill(0), which is what you would otherwise need to ensure zero-filling.

answered Sep 10 '18 at 12:05

Nebojsa Sapic

8,245
1
20
22

12

what if I don't have any new Buffer() in my code? I just have it in package-lock.json? – Khaled Jamal Jul 17 '19 at 16:37
@KhaledJamal what exactly you have in package-lock.json? – Nebojsa Sapic Jul 18 '19 at 13:33
4

@NebojsaSapic after tracing the issue I figured out that server.js was using it after I added angular universal to my project, I believe its because im not using the latest version of It. – Khaled Jamal Jul 20 '19 at 09:54
@KhaledJamal thanks for raising your issue and have it archived for the post if someone share same problem – Nebojsa Sapic Jul 20 '19 at 18:15
I am also seeing same issue as @KhaledJamal when I converted my angular project into server side rendering by adding angular universal. – user2869612 Oct 24 '19 at 02:34
@user286912 I remember that was solved when I have updated the version, check out the following thread: https://stackoverflow.com/questions/57063659/deprecationwarning-buffer-is-deprecated-due-to-security-and-usability-issues?noredirect=1#comment100706031_57063659 – Khaled Jamal Oct 24 '19 at 08:53

iLuvLogix · Answer 2 · 2020-02-03T08:12:02.850

26

The use of the deprecated new Buffer() constructor (i.E. as used by Yarn) can cause deprecation warnings. Therefore one should NOT use the deprecated/unsafe Buffer constructor.

According to the deprecation warning new Buffer() should be replaced with one of:

Buffer.alloc()
Buffer.allocUnsafe() or
Buffer.from()

Another option in order to avoid this issue would be using the safe-buffer package instead.

You can also try (when using yarn..):

yarn global add yarn

as mentioned here: Link

Another suggestion from the comments (thx to gkiely): self-update

Note: self-update is not available. See policies for enforcing versions within a project

In order to update your version of Yarn, run

curl --compressed -o- -L https://yarnpkg.com/install.sh | bash

edited Feb 03 '20 at 08:12

answered Sep 04 '18 at 11:40

iLuvLogix

4,832
2
24
42

1

what if I don't have any new Buffer() in my code? I just have it in package-lock.json – Khaled Jamal Jul 16 '19 at 21:57
Easy way to update yarn: https://legacy.yarnpkg.com/en/docs/cli/self-update/ – gkiely Feb 01 '20 at 01:20

score 9 · Answer 3 · answered Jun 21 '20 at 10:22

var userPasswordString = new Buffer(baseAuth, 'base64').toString('ascii');

Change this line from your code to this -

var userPasswordString = Buffer.from(baseAuth, 'base64').toString('ascii');

or in my case, I gave the encoding in reverse order

var userPasswordString = Buffer.from(baseAuth, 'utf-8').toString('base64');

DeprecationWarning: Buffer() is deprecated due to security and usability issues when I move my script to another server

3 Answers3

Linked