{"id":10680,"library":"create-hmac","title":"Node.js-style HMACs for Browsers","description":"create-hmac is a foundational package within the crypto-browserify ecosystem, designed to provide a Node.js-compatible API for HMAC (Hash-based Message Authentication Code) functionality, primarily for browser environments. It shims the Node.js `crypto.createHmac` API, allowing code written for Node.js to function in the browser without modification. For Node.js environments, it utilizes the native `crypto` module, ensuring optimal performance. The current stable version is 1.1.7. Due to the static nature of cryptographic algorithms implemented and its status as a shim for a well-defined API, its release cadence is infrequent, focusing on stability rather than active feature development. Its key differentiator is providing API compatibility, enabling universal JavaScript codebases to perform HMAC operations across different runtimes reliably, though modern browser applications might prefer the Web Crypto API for native performance and security benefits.","status":"maintenance","version":"1.1.7","language":"javascript","source_language":"en","source_url":"https://github.com/crypto-browserify/createHmac","tags":["javascript","crypto","hmac"],"install":[{"cmd":"npm install create-hmac","lang":"bash","label":"npm"},{"cmd":"yarn add create-hmac","lang":"bash","label":"yarn"},{"cmd":"pnpm add create-hmac","lang":"bash","label":"pnpm"}],"dependencies":[],"imports":[{"note":"This package is primarily a CommonJS module. While modern bundlers (e.g., Webpack, Rollup) can process `require()` calls and make it available in ESM projects, direct `import` syntax might not work out-of-the-box in pure ESM environments without specific import resolution configuration.","wrong":"import { createHmac } from 'create-hmac'","symbol":"createHmac","correct":"const createHmac = require('create-hmac')"},{"note":"While primarily CJS, if using TypeScript or an ESM-compatible bundler, a default import might be inferred. However, `create-hmac` does not ship with its own TypeScript types, so `@types/create-hmac` would be required for full type safety.","wrong":"import { createHmac } from 'create-hmac';","symbol":"createHmac (with types)","correct":"import createHmac from 'create-hmac';"}],"quickstart":{"code":"const createHmac = require('create-hmac');\nconst { Buffer } = require('buffer'); // Polyfill for browser environments\n\n// Example 1: Synchronous HMAC generation\nconst secretKeySync = Buffer.from('supersecret', 'utf8');\nconst hmacSync = createHmac('sha256', secretKeySync);\nhmacSync.update('This is the message to sign.');\nconst digestSync = hmacSync.digest('hex');\nconsole.log('Synchronous HMAC (SHA256, hex):', digestSync);\n\n// Example 2: HMAC as a stream\nconst secretKeyStream = Buffer.from('another-secret', 'utf8');\nconst hmacStream = createHmac('sha512', secretKeyStream);\n\nhmacStream.on('data', chunk => {\n  console.log('Stream chunk:', chunk.toString('hex'));\n});\n\nhmacStream.on('end', () => {\n  console.log('Stream HMAC generation complete.');\n});\n\nhmacStream.write('Part one of the streamed data.');\nhmacStream.write('Part two of the streamed data.');\nhmacStream.end();","lang":"javascript","description":"This quickstart demonstrates both synchronous and streaming usage of `createHmac` with SHA-256 and SHA-512 algorithms, showcasing how to generate a digest and how to process data as a stream, similar to Node.js's native crypto module."},"warnings":[{"fix":"For new browser-only projects or sections of code, consider migrating to the native `window.crypto.subtle` API. For isomorphic code, consider conditional imports or wrappers that use `create-hmac` in Node.js/legacy browsers and Web Crypto in modern browsers.","message":"The `create-hmac` package is part of the `crypto-browserify` project, which aims to polyfill Node.js's `crypto` module for browser environments. While functional, modern browser applications are encouraged to use the native Web Crypto API for better performance, security, and integration with the browser's cryptographic primitives.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Regularly audit dependencies for maintenance status. For critical applications, consider alternative, actively maintained cryptographic libraries or prioritize migration to Web Crypto API for browser environments. If continued use is necessary, ensure thorough testing.","message":"This package has seen very limited maintenance and updates since 2019. While the underlying cryptographic algorithms are stable, the lack of active development means that it may not address new browser-specific quirks, performance optimizations, or potential future vulnerabilities promptly. Relying on unmaintained dependencies, especially in security-sensitive areas, carries inherent risks.","severity":"gotcha","affected_versions":">=1.0.0"}],"env_vars":null,"last_verified":"2026-04-19T00:00:00.000Z","next_check":"2026-07-18T00:00:00.000Z","problems":[{"fix":"You need to explicitly polyfill `Buffer` in your browser environment. This is commonly done by installing and importing the `buffer` package from npm: `npm install buffer` and then `const { Buffer } = require('buffer');` at the top of your files, or configuring your bundler (e.g., Webpack's `fallback` option) to provide it.","cause":"In browser environments, the `Buffer` global object, which is native to Node.js, is not automatically available. `create-hmac` expects `Buffer` instances for keys and input.","error":"ReferenceError: Buffer is not defined"},{"fix":"Ensure all data passed to `hmac.update()` is converted to a string, Buffer, or ArrayBuffer first. For example, `hmac.update(JSON.stringify(myObject))` or `hmac.update(Buffer.from(myArray))`.","cause":"The `hmac.update()` method expects its input to be a string, a Node.js `Buffer`, or an `ArrayBuffer`. Passing other types (e.g., plain JavaScript objects or numbers) will result in this error.","error":"Error: Not a string, buffer, or ArrayBuffer"}],"ecosystem":"npm"}