safer-buffer

2.1.2 verified Sat Apr 25 auth: no javascript maintenance

A polyfill for the modern Buffer API (Buffer.alloc, Buffer.from, Buffer.allocUnsafe, Buffer.allocUnsafeSlow) that works on Node.js from 0.8 to current. Unlike safe-buffer, it does not silently allow the deprecated Buffer() constructor. Latest version: 2.1.2. This package is a drop-in replacement that forces the use of the safe API by exporting only the safe Buffer methods, eliminating the security footgun of uninitialized memory allocation. It is intended as a temporary measure for projects that must support older Node.js versions. For modern Node.js (>=4.5.0 and >=5.9.0), direct use of the built-in Buffer.alloc and Buffer.from is recommended.

error: TypeError: Buffer is not a function
cause: Trying to call Buffer() as a function after require('safer-buffer').Buffer
fix: Use Buffer.alloc() or Buffer.from() instead of Buffer().

error: ReferenceError: Buffer is not defined
cause: Not importing the Buffer from safer-buffer, or expecting it to be global (global Buffer may not be polyfilled).
fix: Add const Buffer = require('safer-buffer').Buffer at the top of the file.

error: TypeError: (intermediate value).Buffer is not a constructor
cause: Using require('safer-buffer') directly (without .Buffer) and then trying to call it as a constructor.
fix: Use require('safer-buffer').Buffer instead of require('safer-buffer').

breaking: safer-buffer does not export the Buffer() constructor; only Buffer.alloc, Buffer.allocUnsafe, Buffer.allocUnsafeSlow, and Buffer.from are available. Using Buffer(10) will throw a ReferenceError or TypeError.
fix: Replace all Buffer() and new Buffer() calls with Buffer.alloc() or Buffer.from() accordingly.

deprecated: safer-buffer is a polyfill for older Node.js versions. For Node.js >=4.5.0 or >=5.9.0, the built-in Buffer supports the safe API directly. Using this package on modern Node is unnecessary and may mask code that should be updated.
fix: Remove the require/import of safer-buffer and use the global Buffer (which already has .alloc and .from) if your minimum Node version is 4.5+ or 5.9+.

gotcha: When using ES modules (import), the package must be imported as import { Buffer } from 'safer-buffer'. There is no default export.
fix: Use import { Buffer } from 'safer-buffer'; do not use import SaferBuffer from 'safer-buffer'.

gotcha: The package does not replace the global Buffer object in the Node.js environment. It only exports a safe Buffer constructor. Code that uses the global Buffer (e.g., in browser environments or Node's global) will still use the original unsafe Buffer if not shadowed.
fix: Always assign the result of require('safer-buffer').Buffer to a local variable named Buffer in each module that needs it.

deprecated: The safe-buffer package (predecessor) is known to silently allow unsafe usage. safer-buffer was created to fix that. If you are migrating from safe-buffer, ensure you replace all require('safe-buffer') with require('safer-buffer') and update the import pattern.
fix: Replace const Buffer = require('safe-buffer').Buffer with const Buffer = require('safer-buffer').Buffer.
npm install safer-buffer
yarn add safer-buffer
pnpm add safer-buffer

Demonstrates safe Buffer usage with safer-buffer: alloc, from, concat, and the prevention of the unsafe Buffer() constructor.

const Buffer = require('safer-buffer').Buffer;

// Safe allocation (initialized to zero)
const buf1 = Buffer.alloc(10);
console.log(buf1); // <Buffer 00 00 00 00 00 00 00 00 00 00>

// Safe creation from string
const buf2 = Buffer.from('hello', 'utf8');
console.log(buf2.toString()); // 'hello'

// Safe concatenation
const buf3 = Buffer.concat([buf1, buf2]);
console.log(buf3.length); // 15

// Note: The following would throw an error because Buffer() is not exported:
// const buf4 = Buffer(10); // TypeError: Buffer is not a function (or similar)

// To use the deprecated API (unsafe), you must explicitly require the original buffer
const OriginalBuffer = require('buffer').Buffer;
const unsafeBuf = new OriginalBuffer(10); // not recommended
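
To find the calls that the "Replace all Buffer() and new Buffer() calls" fix refers to, the following added example (not part of safer-buffer or of the original page) scans source text and proposes a replacement per call. The names findDeprecatedBufferCalls, suggest and SAMPLE are hypothetical, the sample input is constructed, and the matching is a line-based heuristic rather than a real JavaScript parser.

```javascript
// Added example: flag deprecated Buffer(...) / new Buffer(...) calls in source text.
// All names here are hypothetical; SAMPLE is constructed input.

// Matches `Buffer(` or `new Buffer(`, but not `Buffer.from(` / `Buffer.alloc(`
// and not identifiers that merely end in "Buffer" (e.g. `OriginalBuffer(`).
// Group 2 captures a rough first argument (up to the first comma or paren).
const CALL = /(?<![\w$.])(new\s+)?Buffer\s*\(\s*([^,)]*)/g;

// Pick a replacement from the literal form of the first argument.
function suggest(arg) {
  if (/^\d+$/.test(arg)) return 'Buffer.alloc';          // size literal
  if (/^(['"`]).*\1$/.test(arg)) return 'Buffer.from';   // string literal
  if (arg.startsWith('[')) return 'Buffer.from';         // array literal
  // Anything else: the runtime type of the argument decides whether the old
  // constructor allocates or copies, so a human has to check the call site.
  return 'manual review';
}

function findDeprecatedBufferCalls(source) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    if (text.trim().startsWith('//')) return; // ignore full-line comments
    for (const m of text.matchAll(CALL)) {
      const arg = m[2].trim();
      findings.push({ line: i + 1, arg, replacement: suggest(arg) });
    }
  });
  return findings;
}

// Constructed sample: three deprecated calls, one safe call, one comment,
// and one aliased constructor that this heuristic does not follow.
const SAMPLE = [
  "const a = new Buffer(16);",
  "const b = Buffer('hello', 'utf8');",
  "const c = new Buffer(req.body.data);",
  "const d = Buffer.from('ok');",
  "// const e = Buffer(10);",
  "const f = new OriginalBuffer(10);",
].join('\n');

for (const f of findDeprecatedBufferCalls(SAMPLE)) {
  console.log(`line ${f.line}: Buffer(${f.arg}) -> ${f.replacement}`);
}
```

Calls made through an alias, such as OriginalBuffer in the snippet above, are not detected and need a separate search for require('buffer').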