MD5 Hashing Utility

1.3.5 · maintenance · verified Sun Apr 19

The `md5.js` package provides an MD5 hashing algorithm implementation written purely in JavaScript, designed to be compatible with Node.js's `crypto` module style. As of its current stable version 1.3.5, it offers a straightforward API for computing MD5 hashes from strings or streams. While it facilitates MD5 computation, it's crucial for developers to acknowledge that the MD5 algorithm is cryptographically compromised, particularly regarding its collision resistance, as highlighted by NIST SP 800-131A. This vulnerability makes it unsuitable for security-sensitive applications such as digital signatures, password hashing, or any scenario where collision resistance is paramount. The package is part of the broader `crypto-browserify` project, which aims to provide Node.js-compatible cryptographic primitives for browser environments, often through polyfills. It maintains a stable, rather than rapid, release cadence, reflecting its mature and foundational utility, despite the inherent cryptographic weaknesses of MD5 itself. Its key differentiator is its pure JavaScript nature, making it universally deployable without native dependencies.

Common errors

```
TypeError: MD5 is not a constructor
```
cause Attempting to call MD5 as a regular function (e.g., `MD5().update(...)`) or incorrect import in a CommonJS context that doesn't return a class.

fix Ensure you are using `const MD5 = require('md5.js')` and then instantiating it with `new MD5()` to create an MD5 object.
```
ReferenceError: MD5 is not defined
```
cause The `md5.js` module has not been correctly required or imported into the current scope.

fix Add `const MD5 = require('md5.js');` at the top of your JavaScript file or within the appropriate scope before attempting to use the `MD5` symbol.

Warnings

breaking The MD5 algorithm is cryptographically broken for collision resistance. It should NOT be used for security-sensitive applications such as digital signatures, password hashing, message authentication codes (MACs), or any scenario where two different inputs must yield different hashes.
Fix: For security-critical hashing, migrate to modern cryptographic hash functions like SHA-256, SHA-3, or Argon2 (for password hashing). This package should only be used for legacy compatibility, data integrity checks where collisions are not a security concern, or non-security-critical applications.
gotcha This package provides a pure JavaScript implementation of MD5. In Node.js environments, the built-in `node:crypto` module offers a native, typically faster implementation (e.g., `require('node:crypto').createHash('md5')`). Performance characteristics might differ.
Fix: If high performance in Node.js is critical and pure JavaScript portability isn't strictly required, consider using `node:crypto`'s native MD5 hashing instead. This package is primarily beneficial for browser environments via bundlers or specific environments where native crypto is unavailable.
gotcha The `md5.js` API does not fully mimic a standard Node.js `Duplex` stream for `pipe()` operations. While it has `write()` and `read()` methods, piping directly from an `MD5` instance to another writable stream after `end()` might not behave as expected for continuous data flow.
Fix: For stream-based hashing, use `write()` and `end()` to feed data, then `read()` to obtain the final hash `Buffer`. If integrating with complex stream pipelines, consider adapting to `node:crypto`'s `createHash('md5')` which offers a more robust stream interface.

Install

npm install md5.js npm
yarn add md5.js yarn
pnpm add md5.js pnpm

Imports

MD5
wrong:
```
import MD5 from 'md5.js'
```
correct:
```
const MD5 = require('md5.js')
```
This package is primarily CommonJS. While modern bundlers or Node.js's CJS-ESM interop might allow `import` syntax, the canonical and most reliable way to consume this library in Node.js is via `require`.
MD5 hash computation
wrong:
```
MD5('your data', 'hex')
```
correct:
```
new MD5().update('your data').digest('hex')
```
The MD5 class must be instantiated with `new` before calling `update()` to feed data and `digest()` to retrieve the hash. It is not a direct function call.
MD5 stream usage
wrong:
```
md5Stream.pipe(anotherStream)
```
correct:
```
const md5Stream = new MD5(); md5Stream.end('data'); const hash = md5Stream.read().toString('hex');
```
The MD5 instance is a Writable stream that processes input and can be read from (like a Readable stream) to get the final hash after `end()` is called. It does not implement the full Duplex stream interface for piping to other transforms in the same way `node:crypto`'s HASH objects do.

Quickstart

Demonstrates both synchronous string hashing and asynchronous, stream-like processing to compute MD5 hashes, outputting them in hexadecimal format.

const MD5 = require('md5.js');

// Compute MD5 hash of a string
const inputString = 'hello world';
const hash1 = new MD5().update(inputString).digest('hex');
console.log(`MD5 of '${inputString}': ${hash1}`);
// Expected: 5d41402abc4b2a76b9719d911017c592

// Compute MD5 hash using stream-like interface
const md5Stream = new MD5();
md5Stream.write('some ');
md5Stream.write('more ');
md5Stream.end('data'); // Signal end of input
const hash2 = md5Stream.read().toString('hex');
console.log(`MD5 of 'some more data': ${hash2}`);
// Expected: e6b4d32e5b7c4d519b7d0187a55c26b8

view raw JSON →