Why is new Buffer(...) deprecated?
If you create a Buffer instance with the new keyword in Node.js, the code still runs, but you will see the following deprecation warning (DEP0005; since Node.js 10 it is emitted only for code outside node_modules):
DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.
Buffer.from is usually presented as the "safe" way to initialize a Buffer, but why it is safer, and why Buffer.alloc exists alongside it, is often not explained.
Uninitialized memory risk
When you call new Buffer(size), it allocates size bytes but historically did not zero them (Node.js 8 changed the constructor to zero-fill, while Buffer.allocUnsafe() deliberately keeps the old behavior). The buffer can therefore contain stale data from earlier allocations in the same process: freed memory, or bytes previously written into the shared slab pool that small Buffers are sliced from, which may include secrets the process handled earlier.
This becomes a memory-disclosure vulnerability as soon as the buffer is written to a response, a log or a file before every byte has been overwritten. Buffer.alloc(size) returns zero-filled memory; Buffer.allocUnsafe(size) should only be used when the code is guaranteed to fill the whole buffer before it leaves its control.
Ambiguous behavior
The new Buffer() constructor is overloaded: new Buffer(10) allocates 10 bytes, new Buffer('10') encodes a two-character string, and new Buffer([10]) copies an array. Which one runs depends on the runtime type of the argument, so code that expects a string but receives a number (for example from parsed JSON or a query parameter) ends up allocating a buffer of attacker-chosen size instead of encoding text, and in older Node.js versions that buffer was uninitialized.
Buffer.from and Buffer.alloc split these cases into separately named methods: Buffer.from always copies or encodes existing data and throws a TypeError when given a number, while Buffer.alloc always allocates a zero-filled buffer of a given size. The intent is visible at the call site, and a wrong argument type fails loudly instead of silently changing what the call does.
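The two problems above, shown side by side in an added example (not code from the original article): legacyEncode and safeEncode are hypothetical helper names, and the example assumes Node.js 8 or later, where new Buffer() still works but prints DEP0005. The legacy helper dispatches on the runtime type of its argument, so the string '16' and the number 16 give unrelated results; the hardened helpers make the choice between "encode existing data" and "allocate by size" explicit and reject the wrong type.

```javascript
// Added example, not part of the original article. Assumes Node.js >= 8.
// Buffer is a global in Node.js, so no imports are needed.

// Legacy helper as it might appear in old code. The caller "expects" a string,
// but new Buffer() dispatches on the runtime type of `input`: a number is
// silently treated as a size and allocates a buffer instead of encoding text.
function legacyEncode(input) {
  return new Buffer(input); // prints DEP0005 on first use
}

// Hardened replacement: encode only what is actually a string. Anything else
// is a programming error (or an attacker steering the overload), so refuse it.
// Buffer.from(16) would itself throw a TypeError, but checking first gives a
// clearer message and never reaches the overload at all.
function safeEncode(input, encoding = 'utf8') {
  if (typeof input !== 'string') {
    throw new TypeError(`expected a string, got ${typeof input}`);
  }
  return Buffer.from(input, encoding);
}

// Allocation by size, done explicitly and zero-filled. Validating the size
// keeps a huge or negative value from user input out of the allocator.
function allocateRecord(size) {
  if (!Number.isInteger(size) || size < 0 || size > 1024 * 1024) {
    throw new RangeError(`invalid size ${size}`); // 1 MiB cap is an example limit
  }
  return Buffer.alloc(size);
}

// allocUnsafe() returns memory that may hold stale data from earlier
// allocations in this process. It is only acceptable when every byte is
// overwritten before the buffer is used; fill() makes that explicit.
function allocateScratch(size, fillByte = 0) {
  return Buffer.allocUnsafe(size).fill(fillByte);
}

// Demonstration of the overload: same call shape, two unrelated results.
function overloadDemo() {
  const fromString = legacyEncode('16'); // the two characters "1" and "6"
  const fromNumber = legacyEncode(16);   // a 16-byte buffer, contents unspecified
  return {
    stringLength: fromString.length,        // 2
    stringHex: fromString.toString('hex'),  // '3136'
    numberLength: fromNumber.length,        // 16
  };
}

module.exports = { legacyEncode, safeEncode, allocateRecord, allocateScratch, overloadDemo };
```

Run it with node and watch stderr: the DEP0005 warning appears once for legacyEncode, and never for the three explicit helpers. In a real code base the fix is the same shape as safeEncode: decide at each call site whether you mean "bytes of this data" (Buffer.from) or "this many bytes" (Buffer.alloc), and validate the argument type before it reaches the Buffer API.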