
argon2

An Argon2 library for Node

Versions: 26
License: MIT
Install Scripts: Yes
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

- SLSA provenance attestation
- npm registry signatures
- gitHead linked

Maintainers

ranisalt

Keywords

argon2, crypto, encryption, hashing, password

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
phantom-deps | phantom-dep:@mapbox/node-pre-gyp | AI (phantom-deps): Referenced in binding.gyp build config, not JS imports — standard pattern for native addon build tooling. | ai |
phantom-deps | phantom-dep:opencollective-postinstall | AI (phantom-deps): opencollective-postinstall is a postinstall tool, not a runtime import. Phantom-dep finding is a false positive for this usage pattern. | ai |
semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require loads the native .node binary via node-pre-gyp path resolution — standard pattern for native addons, not arbitrary code loading. | ai |
semgrep | semgrep:hex-decode | AI (semgrep): Hex decoding in test.js is used for hardcoded cryptographic test vectors — standard practice for a password hashing library. No malicious payload risk. | ai |
install-scripts | install-script:postinstall | AI (install-scripts): opencollective-postinstall is a standard funding prompt used by many packages; the || true ensures it never blocks install. Benign for this package. | ai |
publish-pattern | new-deps-added | AI (publish-pattern): @phc/format, node-pre-gyp, and node-addon-api are all well-known legitimate packages appropriate for a native crypto addon. | ai |
source-diff | source-size-tripled | AI (source-diff): 1KB→11KB is tiny in absolute terms; growth is explained by nan→node-addon-api migration and PHC format support. | ai |
provenance | missing-githead | AI (provenance): Publisher is the original long-standing author; gitHead absence is a benign publish-environment change for this package. | ai |
phantom-deps | phantom-dep:node-gyp | AI (phantom-deps): node-gyp is the build tool for native addons; implicit dependency pattern is expected and benign for this package. | ai |
install-scripts | install-script:preinstall | AI (install-scripts): Preinstall runs node-gyp rebuild and git submodule init/update — standard and documented build flow for this native C++ Argon2 binding. Stable across all versions. | ai |
phantom-deps | phantom-dep:nan | AI (phantom-deps): nan is a declared dependency used by the native addon build via node-gyp; not a phantom dep in any meaningful sense. | ai |
provenance | no-provenance | AI (provenance): Package predates Sigstore provenance adoption; absence is expected for packages of this age and does not indicate risk given the long trust history. | ai |
publish-pattern | dormant-publish | AI (publish-pattern): Publisher is the original author with matching GitHub repo and consistent package content; dormancy followed by legitimate maintenance activity, no takeover indicators. | ai |
dependencies | unvetted-dep:node-gyp-build | AI (dependencies): node-gyp-build is a well-known, widely-used tool for native Node.js addons; its use here is appropriate and expected. | ai |
phantom-deps | phantom-dep:node-addon-api | AI (phantom-deps): node-addon-api is used at build time via binding.gyp, not directly imported in JS — expected for native addons. | ai |
install-scripts | install-script:install | AI (install-scripts): node-pre-gyp install --fallback-to-build is the standard install pattern for native Node.js addons; stable and expected for this package. | ai |
phantom-deps | phantom-dep:cross-env | AI (phantom-deps): cross-env is used in the install script (scripts.install), not imported in JS code. Phantom dep finding is a false positive for script-only dependencies. | ai |
npm-metadata | bundled-binaries | AI (npm-metadata): Prebuilt .node binaries are the expected distribution mechanism for this native argon2 binding; consistent with node-gyp-build pattern. | ai |
semgrep | semgrep:base64-decode | AI (semgrep): Base64 decode is used to handle associatedData in Argon2 hash parameters — a legitimate cryptographic operation, not obfuscation. | ai |

Versions (showing 26 of 26)

Version Deps Published
0.41.1 3 / 5
0.40.3 3 / 5
0.31.1 3 / 6
0.30.3 3 / 6
0.28.5 3 / 6
0.27.0 4 / 7
0.26.0 3 / 6
0.25.1 3 / 6
0.25.0 3 / 6
0.22.0 3 / 6
0.20.1 3 / 4
0.19.2 4 / 4
0.19.0 4 / 4
0.18.2 4 / 5
0.18.1 3 / 5
0.17.3 3 / 5
0.17.2 3 / 5
0.16.0 3 / 8
0.12.0 2 / 8
0.8.0 2 / 3
0.6.0 2 / 3
0.5.1 2 / 1
0.4.2 2 / 1
0.4.0 2 / 3
0.1.2 3 / 1
0.1.1 3 / 1

v0.41.1

1 finding
INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.40.3

1 finding
LOW: No provenance attestation [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.31.1

2 findings
HIGH: Missing gitHead — previous versions had it [provenance]

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ranisalt.

INFO: No provenance attestation [provenance]

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.30.3

2 findings
HIGH: Missing gitHead — previous versions had it [provenance]

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ranisalt.

INFO: No provenance attestation [provenance]

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.28.5

2 findings
HIGH: Missing gitHead — previous versions had it [provenance]

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ranisalt.

INFO: No provenance attestation [provenance]

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.27.0

3 findings
HIGH: Package has 'postinstall' script [install-scripts]

Script: opencollective-postinstall || true

HIGH: Missing gitHead — previous versions had it [provenance]

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ranisalt.

INFO: No provenance attestation [provenance]

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.26.0

2 findings
HIGH: Missing gitHead — previous versions had it [provenance]

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ranisalt.

INFO: No provenance attestation [provenance]

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.25.1

2 findings
HIGH: Missing gitHead — previous versions had it [provenance]

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ranisalt.

INFO: No provenance attestation [provenance]

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.25.0

2 findings
HIGH: Missing gitHead — previous versions had it [provenance]

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ranisalt.

INFO: No provenance attestation [provenance]

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.22.0

2 findings
HIGH: Missing gitHead — previous versions had it [provenance]

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ranisalt.

INFO: No provenance attestation [provenance]

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.20.1

1 finding
INFO: No provenance attestation [provenance]

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.19.2

1 finding
INFO: No provenance attestation [provenance]

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.19.0

1 finding
INFO: No provenance attestation [provenance]

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.18.2

1 finding
INFO: No provenance attestation [provenance]

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.18.1

1 finding
INFO: No provenance attestation [provenance]

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.17.3

1 finding
INFO: No provenance attestation [provenance]

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.17.2

1 finding
INFO: No provenance attestation [provenance]

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.16.0

1 finding
INFO: No provenance attestation [provenance]

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.12.0

1 finding
INFO: No provenance attestation [provenance]

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.8.0

1 finding
INFO: No provenance attestation [provenance]

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.0

2 findings
HIGH: Package has 'postinstall' script [install-scripts]

Script: npm run build

INFO: No provenance attestation [provenance]

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.5.1

3 findings
HIGH: Package has 'preinstall' script [install-scripts]

Script: git submodule update --init

HIGH: Package has 'postinstall' script [install-scripts]

Script: npm run build

INFO: No provenance attestation [provenance]

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.4.2

3 findings
HIGH: Package has 'preinstall' script [install-scripts]

Script: git submodule update --init

HIGH: Package has 'postinstall' script [install-scripts]

Script: npm run build

INFO: No provenance attestation [provenance]

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.4.0

2 findings
HIGH: Package has 'preinstall' script [install-scripts]

Script: node-gyp rebuild && git submodule update --init

INFO: No provenance attestation [provenance]

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.2

2 findings
HIGH: Package has 'preinstall' script [install-scripts]

Script: git submodule init && git submodule update

INFO: No provenance attestation [provenance]

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.1

2 findings
HIGH: Package has 'preinstall' script [install-scripts]

Script: git submodule init && git submodule update

INFO: No provenance attestation [provenance]

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.