npmpackage.info

argon2

Node.js bindings for Argon2 hashing algorithm

0.41.1

1,902

MIT

JavaScript

3.07 kB

30,286,004 5.5

Installations

npm install argon2

Developer Guide

BETA

Typescript

Yes

Module System

CommonJS

Min. Node Version

>=16.17.0

Node Version

20.17.0

NPM Version

10.8.2 Score

93.5

Supply Chain

99.5

Quality

Maintenance

100

Vulnerability

99.6

License

Pull Requests

Open

4

Total

201

Closed

55

Merged

142

Issues

Open

3

Total

238

Closed

235

Releases

v0.41.1

Published on 31 Aug 2024

v0.41.0

Published on 25 Aug 2024

v0.40.0

Published on 22 Feb 2024

v0.31.2

Published on 04 Nov 2023

v0.31.1

Published on 01 Sept 2023

v0.31.0

Published on 02 Aug 2023

View all 60 releases

Contributors

Unable to fetch Contributors

View all 43 contributors

Languages

JavaScript

C++

JavaScript (77.91%)

C++ (22.09%)

Developer

ranisalt

Download Statistics

Total Downloads

30,286,004

Last Day

12,659

Last Week

245,599

Last Month

1,145,669

Last Year

12,495,590

GitHub Statistics

1,902 Stars

741 Commits

96 Forks

17 Watching

13 Branches

43 Contributors

Bundle Size

7.94 kB

Minified

3.07 kB

Minified + Gzipped

Bundlephobia

Maintainers

Package Meta Information

Latest Version

0.41.1

Package Id

argon2@0.41.1

Unpacked Size

846.14 kB

Size

315.29 kB

File Count

NPM Version

10.8.2

Node Version

20.17.0

Publised On

31 Aug 2024

Total Downloads

Cumulative downloads

Total Downloads

30,286,004

Last day

-76%

12,659

Compared to previous day

Last week

-7.8%

245,599

Compared to previous week

Last month

-2.1%

1,145,669

Compared to previous month

Last year

58%

12,495,590

Compared to previous year

Daily Downloads

Weekly Downloads

Monthly Downloads

Yearly Downloads

Dependencies

@phc/format node-addon-api node-gyp-build

Dev Dependencies

@biomejs/biome @types/node node-gyp prebuildify typescript

Versions

node-argon2

Bindings to the reference Argon2 implementation.

Want to use it on the command line? Instead check node-argon2-cli.

Usage

It's possible to hash using either Argon2i, Argon2d or Argon2id (default), and verify if a password matches a hash.

To hash a password:

1const argon2 = require('argon2');
2
3try {
4  const hash = await argon2.hash("password");
5} catch (err) {
6  //...
7}

To see how you can modify the output (hash length, encoding) and parameters (time cost, memory cost and parallelism), read the wiki

To verify a password:

1try {
2  if (await argon2.verify("<big long hash>", "password")) {
3    // password match
4  } else {
5    // password did not match
6  }
7} catch (err) {
8  // internal failure
9}

Migrating from another hash function

See this article on the wiki for steps on how to migrate your existing code to Argon2. It's easy!

TypeScript usage

A TypeScript type declaration file is published with this module. If you are using TypeScript 2.0.0 or later, that means you do not need to install any additional typings in order to get access to the strongly typed interface. Simply use the library as mentioned above.

1import * as argon2 from "argon2";
2
3const hash = await argon2.hash(..);

Prebuilt binaries

node-argon2 provides prebuilt binaries from v0.26.0 onwards. They are built every release using GitHub Actions.

The current prebuilt binaries are built and tested with the following systems:

Ubuntu 20.04 (x86-64; ARM64 from v0.28.2)
MacOS 11 (x86-64)
MacOS 12 (ARM64 from v0.29.0)
Windows Server 2019 (x86-64)
Alpine Linux 3.18 (x86-64 from v0.28.1; ARM64 from v0.28.2)
FreeBSD 14 (x86-64 from v0.29.1)

Binaries should also work for any version more recent than the ones listed above. For example, the binary for Ubuntu 20.04 also works on Ubuntu 22.04, or any other Linux system that ships a newer version of glibc; the binary for MacOS 11 also works on MacOS 12. If your platform is below the above requirements, you can follow the Before installing section below to manually compile from source. It is also always recommended to build from source to ensure consistency of the compiled module.

Before installing

You can skip this section if the prebuilt binaries work for you.

You MUST have a node-gyp global install before proceeding with the install, along with GCC >= 5 / Clang >= 3.3. On Windows, you must compile under Visual Studio 2015 or newer.

node-argon2 works only and is tested against Node >=18.0.0.

OSX

To install GCC >= 5 on OSX, use homebrew:

1$ brew install gcc

Once you've got GCC installed and ready to run, you then need to install node-gyp, you must do this globally:

1$ npm install -g node-gyp

Finally, once node-gyp is installed and ready to go, you can install this library, specifying the GCC or Clang binary to use:

1$ CXX=g++-12 npm install argon2

NOTE: If your GCC or Clang binary is named something different than g++-12, you'll need to specify that in the command.

FAQ

How do I manually rebuild the binaries?

1$ npx @mapbox/node-pre-gyp rebuild -C ./node_modules/argon2

Run @mapbox/node-pre-gyp instead of node-gyp because node-argon2's binding.gyp file relies on variables from @mapbox/node-pre-gyp.

You can omit npx @mapbox and use just node-pre-gyp if you have a global installation of @mapbox/node-pre-gyp, otherwise prefixing npx will use the local one in ./node_modules/.bin

How do I skip installing prebuilt binaries and manually compile from source?

You can do either of the two methods below:

Force build from source on install.

1$ npm install argon2 --build-from-source

Ignore node-argon2 install script and build manually.

1$ npm install argon2 --ignore-scripts
2$ npx node-gyp rebuild -C ./node_modules/argon2

I installed Node as a snap, and I can't install node-argon2.

This seems to be an issue related to snap (see #345 (comment)). Installing Node with another package manager, such as asdf or nvm, is a possible workaround.

Differences from node-argon2-ffi

The interface of both are very similar, notably, node-argon2-ffi splits the argon2i and argon2d function set, but this module also has the argon2id option, which node-argon2-ffi does not support. Also, while node-argon2-ffi suggests you promisify crypto.randomBytes, node-argon2 library does that internally.

node-argon2 is much lighter than node-argon2-ffi, at 184 KB for argon2@0.29.1 against 2.56 MB for argon2-ffi@1.2.0. Performance-wise, the libraries are equal. You can run the same benchmark suite if you are curious, but both can perform around 130 hashes/second on an Intel Core i5-4460 @ 3.2GHz with default options.

This library is implemented natively, meaning it is an extension to the node engine. Thus, half of the code is C++ bindings, the other half is Javascript functions. node-argon2-ffi uses ffi, a mechanism to call functions from one language in another, and handles the type bindings (e.g. JS Number -> C++ int).

Contributors

Code contributors

This project exists thanks to all the people who contribute. [Contribute].

Financial contributors

Become a financial contributor and help us sustain our community. [Contribute]

Individuals

Organizations

Support this project with your organization. Your logo will show up here with a link to your website. [Contribute]

License

Work licensed under the MIT License. Please check P-H-C/phc-winner-argon2 for license over Argon2 and the reference implementation.

No vulnerabilities found.

10

Binary-Artifacts

Determines if the project has generated executable (binary) artifacts in the source repository.

10

Maintained

Determines if the project is "actively maintained".

10

Dangerous-Workflow

Determines if the project's GitHub Action workflows avoid dangerous patterns.

10

License

Determines if the project has defined a license.

10

Packaging

Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.

10

Vulnerabilities

Determines if the project has open, known unfixed vulnerabilities.

7

SAST

Determines if the project uses static code analysis.

5

Pinned-Dependencies

Determines if the project has declared and pinned the dependencies of its build process.

Reason

dependency not pinned by hash detected -- score normalized to 5

Details

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:104: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/ci.yml/master?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:124: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/ci.yml/master?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:128: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/ci.yml/master?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/ci.yml/master?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/ci.yml/master?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/ci.yml/master?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:56: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/ci.yml/master?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:72: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/ci.yml/master?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:77: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/ci.yml/master?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/clang-format.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/clang-format.yml/master?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:126: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/release.yml/master?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:131: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/release.yml/master?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:144: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/release.yml/master?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:155: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/release.yml/master?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:160: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/release.yml/master?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:170: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/release.yml/master?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:192: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/release.yml/master?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:197: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/release.yml/master?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:209: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/release.yml/master?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/release.yml/master?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/release.yml/master?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:59: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/release.yml/master?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:76: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/release.yml/master?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:87: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/release.yml/master?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:104: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/release.yml/master?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:115: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/release.yml/master?enable=pin
Info: 0 out of 22 GitHub-owned GitHubAction dependencies pinned
Info: 0 out of 4 third-party GitHubAction dependencies pinned
Info: 8 out of 8 npmCommand dependencies pinned

1

Code-Review

Determines if the project requires human code review before pull requests (aka merge requests) are merged.

0

CII-Best-Practices

Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.

0

Token-Permissions

Determines if the project's workflows follow the principle of least privilege.

0

Fuzzing

Determines if the project uses fuzzing.

0

Security-Policy

Determines if the project has published a security policy.

0

Signed-Releases

Determines if the project cryptographically signs release artifacts.

Score

5.5

/10

Last Scanned on 2024-12-16

The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.

Learn More

Other packages similar to argon2

@node-rs/argon2

2.0.2

RustCrypto: Argon2 binding for Node.js

@node-rs/argon2-linux-x64-gnu

2.0.2

RustCrypto: Argon2 binding for Node.js

@node-rs/argon2-linux-x64-musl

2.0.2

RustCrypto: Argon2 binding for Node.js

@softvisio/argon2

1.6.26

Argon2 re-packed