Discover which npm packages work in Cloudflare Workers. 395+ packages tested and working.
Showing runtime packages only. Build tools, CLI tools, and test frameworks are hidden by default.
Enable "Show build tools & incompatible" to see all 992 tested packages.
Showing 22 packages
bcrypt is a native module with C++ bindings that requires node:os and won't work in Workers. Use bcryptjs (pure JS implementation) or @cloudflare/workers-bcrypt (optimized for Workers) instead.
π‘ Alternative: bcryptjs or @cloudflare/workers-bcrypt
Error: No such module "node:os".
bcrypt-nodejs is deprecated and unmaintained since 2013. The package explicitly recommends using bcrypt or bcryptjs instead (see https://github.com/kelektiv/node.bcrypt.js/wiki/bcrypt-vs-brypt.js). While bcrypt-nodejs is pure JavaScript and might technically work, the recommended alternative bcryptjs works perfectly on Workers and is actively maintained.
π‘ Alternative: bcryptjs
Pure JavaScript bcrypt implementation - perfect alternative to native bcrypt which doesn't work on Workers. Both sync and async methods work. Use saltRounds of 10-12 for good security/performance balance.
import bcrypt from 'bcryptjs';
export default {
async fetch(request) {
const password = 'mypassword123';
// Hash password (both sync and async work)
const salt = bcrypt.genSaltSync(10);
const hash = bcrypt.hashSync(password, salt);
// Or use async versions
const asyncHash = await bcrypt.hash(password, 10);
// Verify password
const isValid = bcrypt.compareSync(password, hash);
const asyncValid = await bcrypt.compare(password, asyncHash);
return Response.json({ hash, isValid, asyncValid });
}
};Bitcoin BIP39 mnemonic code library. Generate and validate seed phrases.
import * as bip39 from 'bip39';
// Usage:
const mnemonic = bip39.generateMnemonic();
const isValid = bip39.validateMnemonic(mnemonic);
return { success: isValid, result: { wordCount: mnemonic.split(' ').length } };import { sign, unsign } from 'cookie-signature';
// Usage:
const val = sign('hello', 'secret');
const result = unsign(val, 'secret');
return { success: result === 'hello', result };CRC (Cyclic Redundancy Check) checksums - supports CRC1, CRC8, CRC16, CRC24, CRC32
import { crc32 } from 'crc';
// Usage:
const checksum = crc32('hello world');
return { success: typeof checksum === 'number' && checksum === 0x0d4a1185, result: '0x' + checksum.toString(16) };create-hash is a Node.js crypto.createHash polyfill (part of crypto-browserify) that provides hash digest functions (md5, sha1, sha256, sha512, etc.). Fails with 'Cannot read properties of undefined (reading 'slice')' due to Buffer implementation incompatibilities. Workers has the built-in Web Crypto API (crypto.subtle.digest) which is the modern standard for hashing and provides better performance.
π‘ Alternative: Web Crypto API (crypto.subtle.digest) - built-in
Crypto library for hashing (SHA256, MD5) and encryption (AES). Works on Workers. Consider Web Crypto API for better performance.
π‘ Alternative: built-in: crypto
import CryptoJS from 'crypto-js';
// Hash a string
const hash = CryptoJS.SHA256('hello world').toString();
// Encrypt/decrypt
const encrypted = CryptoJS.AES.encrypt('secret', 'password').toString();
const decrypted = CryptoJS.AES.decrypt(encrypted, 'password').toString(CryptoJS.enc.Utf8);
return { success: true, hash, decrypted };Pure JavaScript elliptic curve cryptography library for ECDSA, EdDSA, and ECDH operations. Supports curves: secp256k1, p192, p224, p256, p384, p521, curve25519, ed25519. Fails with 'Unexpected token ":"' parse error when bundled for Workers - likely due to code incompatible with Workers runtime. Workers has the built-in Web Crypto API (crypto.subtle) which provides native elliptic curve cryptography (ECDSA with P-256/P-384/P-521, ECDH) with better performance and security than pure JavaScript implementations.
π‘ Alternative: Web Crypto API (crypto.subtle.sign/verify with ECDSA, crypto.subtle.deriveKey/deriveBits with ECDH) - built-in
Error: Unexpected token ':'
DEPRECATED package - last published 6 years ago (2018). ethereumjs-tx is the legacy Ethereum transaction library for creating, signing, and serializing Ethereum transactions. Used for constructing raw Ethereum transactions with Transaction class that handles nonce, gasPrice, gasLimit, to, value, data fields. Supports EIP-155 replay protection, chain/hardfork configuration (mainnet, ropsten, custom networks), transaction signing with private keys via sign() method, and serialization for broadcast to Ethereum nodes. Part of the EthereumJS ecosystem (ethereumjs-util, ethereumjs-common, ethereumjs-vm). Official deprecation message: 'New package name format for new versions: @ethereumjs/tx. Please update.' The package has been superseded by @ethereumjs/tx which has modern features, active maintenance, and improved TypeScript support. Similar Ethereum transaction libraries include ethers.js (more complete, recommended), web3.js (older alternative), viem (modern TypeScript alternative).
π‘ Alternative: @ethereumjs/tx (official successor) - may work with Workers, needs testing
DEPRECATED - old package (last published 2022). Official successor is @ethereumjs/util (v10.x, actively maintained, published 2025-11). The old package provides Ethereum utility functions: account/address operations (creation, validation, conversion, checksums), byte manipulation helpers, hash functions (Keccak-256), signature operations (signing, validation, recovery), constants (KECCAK256_NULL_S, etc.), and re-exports BN.js and rlp. Modern @ethereumjs/util has better TypeScript support, improved APIs, and active maintenance with latest Ethereum specs. Part of EthereumJS ecosystem (ethereumjs-tx β @ethereumjs/tx, ethereumjs-common β @ethereumjs/common, etc.). Dependencies include create-hash, ethereum-cryptography, bn.js, rlp - all pure JS crypto. Similar Ethereum utilities include ethers.js utils, web3.js utils, viem utils.
π‘ Alternative: @ethereumjs/util (v10.x, official successor) - may work with Workers, needs testing
Pure JavaScript hash functions (SHA256, SHA512, RIPEMD160). Works on Workers.
import { sha256, sha512 } from 'hash.js';
const hash = sha256().update('hello world').digest('hex');
return { success: hash.length === 64, hash };Recommended JWT library for Workers. Supports JWT signing/verification (HS256, RS256, ES256), JWE encryption, JWK key management. Uses Web Crypto API - perfect for edge.
import * as jose from 'jose';
export default {
async fetch(request) {
// Sign JWT with HS256
const secret = new TextEncoder().encode('my-secret-32-chars-minimum-key!');
const jwt = await new jose.SignJWT({ sub: 'user123', role: 'admin' })
.setProtectedHeader({ alg: 'HS256' })
.setIssuedAt()
.setExpirationTime('2h')
.sign(secret);
// Verify JWT
const { payload } = await jose.jwtVerify(jwt, secret);
// RSA key pair
const { publicKey, privateKey } = await jose.generateKeyPair('RS256');
// Encrypted JWT (JWE)
const key = await jose.generateSecret('A256GCM');
const jwe = await new jose.EncryptJWT({ secret: 'data' })
.setProtectedHeader({ alg: 'dir', enc: 'A256GCM' })
.encrypt(key);
return Response.json({ jwt, payload });
}
};import sha256 from 'js-sha256';
// Usage:
const result = sha256('hello');
return { success: result.length === 64, result };import jwt from 'jsonwebtoken';
// Usage:
const token = jwt.sign({ sub: '123' }, 'secret');
const decoded = jwt.verify(token, 'secret');
return { success: decoded.sub === '123', result: decoded };MD5 hash function
import md5 from 'md5';
// Usage:
const result = md5('hello');
return { success: result === '5d41402abc4b2a76b9719d911017c592', result };Cryptography utilities
import forge from 'node-forge';
// Usage:
const md = forge.md.sha256.create();
md.update('test');
const result = md.digest().toHex();
return { success: result.length === 64, result };Generate consistent hashes from JavaScript objects regardless of key order. Useful for caching and deduplication.
import hash from 'object-hash';
// Key order doesn't matter
const h1 = hash({ a: 1, b: 2 });
const h2 = hash({ b: 2, a: 1 });
return { success: h1 === h2, hash: h1 };Crypto random bytes generation
import randomBytes from 'randombytes';
// Usage:
const bytes = randomBytes(16);
return { success: bytes.length === 16, result: { length: bytes.length } };Native C++ bindings - use @noble/secp256k1 for pure JS implementation
π‘ Alternative: @noble/secp256k1
import sha1 from 'sha1';
// Usage:
const result = sha1('hello');
return { success: result === 'aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d', result };Cryptography library for signing, encryption, and hashing
import nacl from 'tweetnacl';
// Usage:
const pair = nacl.sign.keyPair();
const message = new Uint8Array([1, 2, 3]);
const signed = nacl.sign(message, pair.secretKey);
const opened = nacl.sign.open(signed, pair.publicKey);
return { success: opened !== null && opened.length === 3, result: 'signature verified' };Many popular npm packages are build tools (webpack, babel), test frameworks (jest, mocha), or CLI utilities (chalk, commander) that run during developmentβnot in production. Cloudflare Workers is a runtime environment for production code. These tools still work great for building your Workers project, they just don't run inside Workers themselves.
Yes! As of September 2025, Workers supports node:http server APIs.
Use httpServerHandler from cloudflare:node to wrap Express, Koa, or other Node.js HTTP frameworks.
For new projects, we recommend lightweight alternatives like Hono or itty-router which are built for edge environments.
Workers supports database clients like pg (PostgreSQL) and mysql2 when connecting to public endpoints.
For production, use edge-optimized solutions: Cloudflare D1 (SQLite), Neon (serverless Postgres), PlanetScale (MySQL), or Upstash Redis.
Common reasons: Native modules (C++ bindings like sharp, bcrypt) don't workβuse alternatives like bcryptjs or Cloudflare Images.
Filesystem access (fs module for local files) isn't availableβuse KV, R2, or D1 instead.
TCP sockets (raw socket.io, redis) aren't supportedβuse Durable Objects, WebSockets, or HTTP-based alternatives.