Gathering detailed insights and metrics for argon2
Gathering detailed insights and metrics for argon2
Installations
npm install argon2Developer Guide
BETA
Typescript
Yes
Module System
CommonJS
Min. Node Version
>=16.17.0
Node Version
20.19.0
NPM Version
10.8.2
Score
96.5
Supply Chain
99.5
Quality
78.5
Maintenance
100
Vulnerability
99.6
License
Releases
61
Languages
2
JavaScript
C++
JavaScript (76.61%)
C++ (23.39%)
Developer
Download Statistics
Total Downloads
37,398,995
Last Day
20,241
Last Week
343,810
Last Month
1,426,363
Last Year
14,975,109
GitHub Statistics
MIT License
2,012 Stars
764 Commits
97 Forks
16 Watchers
11 Branches
47 Contributors
Updated on Jul 03, 2025
Bundle Size
7.96 kB
Minified
3.02 kB
Minified + Gzipped
Maintainers
1
Package Meta Information
Latest Version
0.43.0
Package Id
argon2@0.43.0
Unpacked Size
919.82 kB
Size
369.09 kB
File Count
35
NPM Version
10.8.2
Node Version
20.19.0
Published on
Apr 24, 2025
Total Downloads
Cumulative downloads
Total Downloads
37,398,995
Dependencies
3
node-argon2
Bindings to the reference Argon2 implementation.
Usage
It's possible to hash using either Argon2i, Argon2d or Argon2id (default), and verify if a password matches a hash.
To hash a password:
1const argon2 = require('argon2'); 2 3try { 4 const hash = await argon2.hash("password"); 5} catch (err) { 6 //... 7}
To see how you can modify the output (hash length, encoding) and parameters (time cost, memory cost and parallelism), read the wiki
To verify a password:
1try { 2 if (await argon2.verify("<big long hash>", "password")) { 3 // password match 4 } else { 5 // password did not match 6 } 7} catch (err) { 8 // internal failure 9}
Migrating from another hash function
See this article on the wiki for steps on how to migrate your existing code to Argon2. It's easy!
TypeScript usage
A TypeScript type declaration file is published with this module. If you are using TypeScript 2.0.0 or later, that means you do not need to install any additional typings in order to get access to the strongly typed interface. Simply use the library as mentioned above.
1import * as argon2 from "argon2"; 2 3const hash = await argon2.hash(..);
Prebuilt binaries
node-argon2 provides prebuilt binaries from v0.26.0 onwards. They are
built every release using GitHub Actions.
The current prebuilt binaries are built and tested with the following systems:
- Ubuntu 20.04 (x86-64; ARM64 from v0.28.2)
- MacOS 11 (x86-64)
- MacOS 12 (ARM64 from v0.29.0)
- Windows Server 2019 (x86-64)
- Alpine Linux 3.18 (x86-64 from v0.28.1; ARM64 from v0.28.2)
- FreeBSD 14 (x86-64 from v0.29.1)
Binaries should also work for any version more recent than the ones listed above. For example, the binary for Ubuntu 20.04 also works on Ubuntu 22.04, or any other Linux system that ships a newer version of glibc; the binary for MacOS 11 also works on MacOS 12. If your platform is below the above requirements, you can follow the Before installing section below to manually compile from source. It is also always recommended to build from source to ensure consistency of the compiled module.
Before installing
You can skip this section if the prebuilt binaries work for you.
You MUST have a node-gyp global install before proceeding with the install, along with GCC >= 5 / Clang >= 3.3. On Windows, you must compile under Visual Studio 2015 or newer.
node-argon2 works only and is tested against Node >=18.0.0.
OSX
To install GCC >= 5 on OSX, use homebrew:
1$ brew install gcc
Once you've got GCC installed and ready to run, you then need to install node-gyp, you must do this globally:
1$ npm install -g node-gyp
Finally, once node-gyp is installed and ready to go, you can install this library, specifying the GCC or Clang binary to use:
1$ CXX=g++-12 npm install argon2
NOTE: If your GCC or Clang binary is named something different than g++-12,
you'll need to specify that in the command.
FAQ
How do I manually rebuild the binaries?
1$ npx @mapbox/node-pre-gyp rebuild -C ./node_modules/argon2
Run @mapbox/node-pre-gyp instead of node-gyp because node-argon2's
binding.gyp file relies on variables from @mapbox/node-pre-gyp.
You can omit npx @mapbox and use just node-pre-gyp if you have a global
installation of @mapbox/node-pre-gyp, otherwise prefixing npx will use
the local one in ./node_modules/.bin
How do I skip installing prebuilt binaries and manually compile from source?
You can do either of the two methods below:
- Force build from source on install.
1$ npm install argon2 --build-from-source
- Ignore
node-argon2install script and build manually.
1$ npm install argon2 --ignore-scripts 2$ npx node-gyp rebuild -C ./node_modules/argon2
I installed Node as a snap, and I can't install node-argon2.
This seems to be an issue related to snap (see #345 (comment)). Installing Node with another package manager, such as asdf or nvm, is a possible workaround.
Differences from node-argon2-ffi
The interface of both are very similar, notably, node-argon2-ffi splits the
argon2i and argon2d function set, but this module also has the argon2id option,
which node-argon2-ffi does not support. Also, while node-argon2-ffi
suggests you promisify crypto.randomBytes, node-argon2 library does that
internally.
node-argon2 is much lighter than node-argon2-ffi, at 184 KB for argon2@0.29.1 against 2.56 MB for argon2-ffi@1.2.0. Performance-wise, the libraries are equal. You can run the same benchmark suite if you are curious, but both can perform around 130 hashes/second on an Intel Core i5-4460 @ 3.2GHz with default options.
This library is implemented natively, meaning it is an extension to the node engine. Thus, half of the code is C++ bindings, the other half is Javascript functions. node-argon2-ffi uses ffi, a mechanism to call functions from one language in another, and handles the type bindings (e.g. JS Number -> C++ int).
Contributors
Code contributors
This project exists thanks to all the people who contribute. [Contribute].
Financial contributors
Become a financial contributor and help us sustain our community. [Contribute]
Individuals
Organizations
Support this project with your organization. Your logo will show up here with a link to your website. [Contribute]
License
Work licensed under the MIT License. Please check P-H-C/phc-winner-argon2 for license over Argon2 and the reference implementation.
No vulnerabilities found.
Reason
no binaries found in the repo
Reason
15 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10
Reason
no dangerous workflow patterns detected
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
packaging workflow detected
Details
- Info: Project packages its releases by way of GitHub Actions.: .github/workflows/release.yml:184
Reason
1 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
Reason
SAST tool is not run on all commits -- score normalized to 6
Details
- Warn: 10 commits out of 16 are checked with a SAST tool
Reason
dependency not pinned by hash detected -- score normalized to 4
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:104: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/ci.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:124: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/ci.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:128: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/ci.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:147: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/ci.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:152: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/ci.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/ci.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/ci.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/ci.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:56: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/ci.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:72: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/ci.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:77: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/ci.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/clang-format.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/clang-format.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:91: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/release.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:96: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/release.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:101: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/release.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:111: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/release.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:130: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/release.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:135: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/release.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:146: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/release.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:157: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/release.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:162: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/release.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:167: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/release.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:179: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/release.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:200: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/release.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:205: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/release.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:217: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/release.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:227: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/release.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/release.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:55: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/release.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:67: update your workflow using https://app.stepsecurity.io/secureworkflow/ranisalt/node-argon2/release.yml/master?enable=pin
- Info: 0 out of 23 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 7 third-party GitHubAction dependencies pinned
- Info: 7 out of 7 npmCommand dependencies pinned
Reason
Found 5/20 approved changesets -- score normalized to 2
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/release.yml:189
- Warn: no topLevel permission defined: .github/workflows/ci.yml:1
- Warn: no topLevel permission defined: .github/workflows/clang-format.yml:1
- Warn: no topLevel permission defined: .github/workflows/release.yml:1
- Info: no jobLevel write permissions found
Reason
security policy file not detected
Details
- Warn: no security policy file detected
- Warn: no security file to analyze
- Warn: no security file to analyze
- Warn: no security file to analyze
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
Project has not signed or included provenance with any releases.
Details
- Warn: release artifact v0.31.2 not signed: https://api.github.com/repos/ranisalt/node-argon2/releases/128004303
- Warn: release artifact v0.31.2 does not have provenance: https://api.github.com/repos/ranisalt/node-argon2/releases/128004303
Score
5.4
/10
Last Scanned on 2025-06-30
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More