Fix dashboard runtime crash on Node.js v24.0.0 and v25.x (removed Buffer.SlowBuffer)

[a-magdy]

Important

Fixes a runtime crash on Node.js v24.0.0 and v25.x.
Node v24.0.1 through v24.x is unaffected (the runtime team restored SlowBuffer after the accidental v24.0.0 removal). The patch is a no-op on Node versions that still expose SlowBuffer.

Closes #88

Problem

After npm install && npm run dev, every page returns HTTP 500 with:

TypeError: Cannot read properties of undefined (reading 'prototype')
    at .../node_modules/buffer-equal-constant-time/index.js:37:35

The crash chain:

services/cosmos-db-service.ts → @azure/identity → @azure/msal-node → jsonwebtoken → jws → jwa → buffer-equal-constant-time@1.0.1

buffer-equal-constant-time is unmaintained (last release 2014) and references require('buffer').SlowBuffer.prototype at module top level. Buffer.SlowBuffer was deprecated in Node.js v6 and has since been removed from the buffer module, so the property access throws as soon as the module is required.

See #88 for the full diagnosis.

Fix

Use patch-package to keep a small reviewable diff against the offending file under src/dashboard/patches/, and wire patch-package into postinstall so the patch reapplies after every npm install. The patched code treats SlowBuffer as optional — behaviour is unchanged on older Node versions, and the module loads cleanly on newer ones.

Files

File	Change
src/dashboard/package.json	Add patch-package devDep + "postinstall": "patch-package" script.
src/dashboard/package-lock.json	Locked. The extra entries are patch-package's own deps plus minor dedup of shared ljharb/* packages.
src/dashboard/patches/buffer-equal-constant-time+1.0.1.patch	The patch itself: makes SlowBuffer access optional.
src/dashboard/patches/README.md	Explains the patch, when to update it, and how to remove it once upstream is fixed.
README.md	Short pointer to the patches README so first-time contributors see the patch step.
.gitignore (root)	Ignore .DS_Store and *.env files at the repo root. The dashboard .env was previously only ignored under src/dashboard/, so a token at the repo root could be committed by accident.

Verification

• npm install → patch-package reports buffer-equal-constant-time@1.0.1 ✔
• npm run dev → GET / returns 200
• npm run build → succeeds
• Tested on Node.js v25.9.0, macOS

Risk

Low. The patch only modifies one file inside node_modules, gated on SlowBuffer being defined, so it is a no-op on older Node releases.

Context — why now?

This isn't a regression in the dashboard; the Node.js runtime moved underneath it after main was last touched.

Date	Node version	What changed
2016	v6.0.0	SlowBuffer deprecated (DEP0030, doc-only).
2025-04	v24.0.0	SlowBuffer was accidentally removed from the buffer module — the first version that breaks the dashboard.
2025-04	v24.0.1	Restored as runtime-deprecation only, so v24.0.1+ within the v24 line still works.
current	v25.x	SlowBuffer is undefined again (verified empirically on v25.9.0).

Last commit on upstream main is 01ef37d from 2025-07-29, so none of this had happened yet — the maintainers couldn't have seen the failure.

[a-magdy]

@microsoft-github-policy-service agree