Runtime-deprecate calling digest() on HMAC more than once

Description

> hash = require('crypto').createHash('sha256').update('data')
> hash.digest()
<Buffer 3a 6e b0 79 0f 39 ac 87 c9 4f 38 56 b2 dd 2c 5d 11 0e 68 11 60 22 61 a9 a9 23 d3 bb 23 ad c8 b7>
> hash.digest()
Uncaught Error [ERR_CRYPTO_HASH_FINALIZED]: Digest already called
    at Hash.digest (node:internal/crypto/hash:155:11) {
  code: 'ERR_CRYPTO_HASH_FINALIZED'
}

> hmac = require('crypto').createHmac('sha256', 'key').update('data')
> hmac.digest()
<Buffer 50 31 fe 3d 98 9c 6d 15 37 a0 13 fa 6e 73 9d a2 34 63 fd ae c3 b7 01 37 d8 28 e3 6a ce 22 1b d0>
> hmac.digest()
<Buffer >

Contributor guide

Tech stack

javascriptnodejs

Domain

backendsecurity

Issue type

security

DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.

2

Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.

1-3 hours

Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.

fresh

ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.

clear

Prerequisites

Node.js core development basicscrypto module internals

Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.

60

Research direction

Examine the HMAC class implementation in Node.js crypto module (likely in lib/internal/crypto/hmac.js). Understand the current behavior where calling digest() multiple times returns an empty buffer. Then implement a runtime deprecation warning using process.emitWarning when digest() is called more than once, following Node.js deprecation guidelines (see doc/api/deprecations.md). Also add tests for the deprecation warning.