crypto: runtime deprecate multiple Hmac.digest() calls (DEP0200)

Anshikakalpana · Anshikakalpana · commit 46e1b14cc653 · 2026-05-05T00:08:59.000+05:30
diff --git a/doc/api/deprecations.md b/doc/api/deprecations.md
@@ -4558,6 +4558,21 @@ that have proven unresolveable. See [caveats of asynchronous customization hooks
 `module.registerHooks()` as soon as possible as `module.register()` will be
 removed in a future version of Node.js.
 
+### DEP0206: Calling `digest()` on an already-finalized `Hmac` instance
+
+<!-- YAML
+changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/XXXXX
+    description: Runtime-deprecation.
+-->
+
+Type: Runtime
+
+Calling [`hmac.digest()`][] more than once returns an empty buffer instead of
+throwing an error. This behavior is inconsistent with [`hash.digest()`][] and
+may lead to subtle bugs. Use the result of the first call instead.
+
 [DEP0142]: #dep0142-repl_builtinlibs
 [NIST SP 800-38D]: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf
 [RFC 6066]: https://tools.ietf.org/html/rfc6066#section-3
diff --git a/lib/internal/crypto/hash.js b/lib/internal/crypto/hash.js
@@ -87,6 +87,13 @@ const maybeEmitDeprecationWarning = getDeprecationWarningEmitter(
   },
 );
 
+const emitHmacDoubleDigestDeprecation = getDeprecationWarningEmitter(
+  'DEP0206',
+  'Calling digest() on an already-finalized Hmac instance is deprecated.',
+  undefined,
+  false,
+);
+
 function Hash(algorithm, options) {
   if (!new.target)
     return new Hash(algorithm, options);
@@ -183,6 +190,7 @@ Hmac.prototype.digest = function digest(outputEncoding) {
   const state = this[kState];
 
   if (state[kFinalized]) {
+    emitHmacDoubleDigestDeprecation();
     const buf = Buffer.from('');
     if (outputEncoding && outputEncoding !== 'buffer')
       return buf.toString(outputEncoding);
diff --git a/test/parallel/test-crypto-hmac-digest-deprecated.js b/test/parallel/test-crypto-hmac-digest-deprecated.js
@@ -0,0 +1,19 @@
+'use strict';
+const common = require('../common');
+
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+
+const assert = require('assert');
+const { createHmac } = require('crypto');
+
+common.expectWarning(
+  'DeprecationWarning',
+  'Calling digest() on an already-finalized Hmac instance is deprecated.',
+  'DEP0206',
+);
+
+const hmac = createHmac('sha256', 'key').update('data');
+hmac.digest();
+const second = hmac.digest();
+assert.deepStrictEqual(second, Buffer.from(''));
