{"id":18769,"library":"safer-buffer","title":"safer-buffer","description":"A polyfill for the modern Buffer API (Buffer.alloc, Buffer.from, Buffer.allocUnsafe, Buffer.allocUnsafeSlow) that works on Node.js from 0.8 to current, but unlike safe-buffer it does not silently allow the deprecated Buffer() constructor. Latest version: 2.1.2. This package is a drop-in replacement that forces the use of the safe API by exporting only the safe Buffer methods, eliminating the security footgun of uninitialized memory allocation. It is intended as a temporary measure for projects that must support older Node.js versions. For modern Node.js (>=4.5.0 and >=5.9.0), direct use of the built-in Buffer.alloc and Buffer.from is recommended.","status":"maintenance","version":"2.1.2","language":"javascript","source_language":"en","source_url":"https://github.com/ChALkeR/safer-buffer","tags":["javascript"],"install":[{"cmd":"npm install safer-buffer","lang":"bash","label":"npm"},{"cmd":"yarn add safer-buffer","lang":"bash","label":"yarn"},{"cmd":"pnpm add safer-buffer","lang":"bash","label":"pnpm"}],"dependencies":[],"imports":[{"note":"The module exports an object with a Buffer property. The default export is not a Buffer constructor.","wrong":"const Buffer = require('safer-buffer')","symbol":"Buffer","correct":"const Buffer = require('safer-buffer').Buffer"},{"note":"ESM named import is required; there is no default export. For ESM environments, use import { Buffer } from 'safer-buffer'.","wrong":"import SaferBuffer from 'safer-buffer'","symbol":"SaferBuffer","correct":"import { Buffer } from 'safer-buffer'"},{"note":"Buffer.alloc is safe (initializes memory). Buffer.allocUnsafe returns uninitialized memory and should be used with caution.","wrong":"Buffer.allocUnsafe(size)","symbol":"Buffer.alloc","correct":"Buffer.alloc(size, fill, encoding)"},{"note":"Buffer.from is the safe way to create a buffer from data. new Buffer() is deprecated and unsafe in older Node.js.","wrong":"new Buffer(array)","symbol":"Buffer.from","correct":"Buffer.from(array)"}],"quickstart":{"code":"const Buffer = require('safer-buffer').Buffer;\n\n// Safe allocation (initialized to zero)\nconst buf1 = Buffer.alloc(10);\nconsole.log(buf1); // <Buffer 00 00 00 00 00 00 00 00 00 00>\n\n// Safe creation from string\nconst buf2 = Buffer.from('hello', 'utf8');\nconsole.log(buf2.toString()); // 'hello'\n\n// Safe concatenation\nconst buf3 = Buffer.concat([buf1, buf2]);\nconsole.log(buf3.length); // 15\n\n// Note: The following would throw an error because Buffer() is not exported:\n// const buf4 = Buffer(10); // TypeError: Buffer is not a function (or similar)\n\n// To use the deprecated API (unsafe), you must explicitly require the original buffer\nconst OriginalBuffer = require('buffer').Buffer;\nconst unsafeBuf = new OriginalBuffer(10); // not recommended","lang":"javascript","description":"Demonstrates safe Buffer usage with safer-buffer: alloc, from, concat, and the prevention of the unsafe Buffer() constructor."},"warnings":[{"fix":"Replace all Buffer() and new Buffer() calls with Buffer.alloc() or Buffer.from() accordingly.","message":"safer-buffer does not export the Buffer() constructor; only Buffer.alloc, Buffer.allocUnsafe, Buffer.allocUnsafeSlow, and Buffer.from are available. Using Buffer(10) will throw a ReferenceError or TypeError.","severity":"breaking","affected_versions":">=2.0.0"},{"fix":"Remove the require/import of safer-buffer and use the global Buffer (which already has .alloc and .from) if your minimum Node version is 4.5+ or 5.9+.","message":"safer-buffer is a polyfill for older Node.js versions. For Node.js >=4.5.0 or >=5.9.0, the built-in Buffer supports the safe API directly. Using this package on modern Node is unnecessary and may mask code that should be updated.","severity":"deprecated","affected_versions":">=2.0.0"},{"fix":"Use import { Buffer } from 'safer-buffer'; do not use import SaferBuffer from 'safer-buffer'.","message":"When using ES modules (import), the package must be imported as import { Buffer } from 'safer-buffer'. There is no default export.","severity":"gotcha","affected_versions":">=2.0.0"},{"fix":"Always assign the result of require('safer-buffer').Buffer to a local variable named Buffer in each module that needs it.","message":"The package does not replace the global Buffer object in the Node.js environment. It only exports a safe Buffer constructor. Code that uses the global Buffer (e.g., in browser environments or Node's global) will still use the original unsafe Buffer if not shadowed.","severity":"gotcha","affected_versions":">=2.0.0"},{"fix":"Replace const Buffer = require('safe-buffer').Buffer with const Buffer = require('safer-buffer').Buffer.","message":"The safe-buffer package (predecessor) is known to silently allow unsafe usage. safer-buffer was created to fix that. If you are migrating from safe-buffer, ensure you replace all require('safe-buffer') with require('safer-buffer') and update the import pattern.","severity":"deprecated","affected_versions":">=2.0.0"}],"env_vars":null,"last_verified":"2026-04-25T00:00:00.000Z","next_check":"2026-07-24T00:00:00.000Z","problems":[{"fix":"Use Buffer.alloc() or Buffer.from() instead of Buffer().","cause":"Trying to call Buffer() as a function after require('safer-buffer').Buffer","error":"TypeError: Buffer is not a function"},{"fix":"Add const Buffer = require('safer-buffer').Buffer at the top of the file.","cause":"Not importing the Buffer from safer-buffer, or expecting it to be global (global Buffer may not be polyfilled).","error":"ReferenceError: Buffer is not defined"},{"fix":"Use require('safer-buffer').Buffer instead of require('safer-buffer').","cause":"Using require('safer-buffer') directly (without .Buffer) and then trying to call it as a constructor.","error":"TypeError: (intermediate value).Buffer is not a constructor"}],"ecosystem":"npm","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null}