Bump bcrypt and argon2 in the accounts-password package #14407

Open
julio-rocketchat wants to merge 2 commits into meteor:devel from julio-rocketchat:bump-bcrypt-in-accounts-password


julio-rocketchat commented May 8, 2026

Contributor

The tar package version 6.1.11 has 3 high-severity CVEs - as seen here: https://security.snyk.io/package/npm/tar/6.1.11. This package is imported as a transitive dependency of bcrypt inside the accounts-password package. This PR bumps bcrypt in order to fix the CVEs related to tar. Also updated argon2 to version 0.44.0 (the latest at this moment).

Summary by CodeRabbit

  • Chores
    • Updated accounts-password package to version 3.2.4
    • Upgraded bcrypt dependency to version 6.0.0
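
A reviewer can confirm the claim in the description, that the flagged tar version is reachable only through bcrypt, by tracing `requires` edges in the package's lockfile. The following is an added example, not code from this PR or from Meteor; it assumes an npm lockfile v1 / npm-shrinkwrap.json layout, and the sample data, the `native-build-helper` package and the function names are constructed for illustration.

```javascript
// Constructed sample in npm lockfile v1 / npm-shrinkwrap.json shape, not the
// project's real file. "native-build-helper" is a hypothetical intermediate.
const sampleLock = {
  dependencies: {
    bcrypt: { version: "5.0.1", requires: { "native-build-helper": "^1.0.0" } },
    "native-build-helper": { version: "1.0.0", requires: { tar: "^6.1.0" } },
    tar: { version: "6.1.11" },
    argon2: { version: "0.44.0", requires: {} },
  },
};

// Resolve a required name as Node does: the nearest enclosing
// `dependencies` map wins, falling back towards the lockfile root.
function resolve(scopes, name) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    const deps = scopes[i].dependencies || {};
    if (deps[name]) return { node: deps[name], scopes: scopes.slice(0, i + 1) };
  }
  return null;
}

// Return every chain "root > ... > target@version" that starts at one of the
// directly declared packages (`roots`) and reaches the flagged version.
function findChains(lock, roots, target, version) {
  const chains = [];
  const walk = (node, scopes, trail, seen) => {
    for (const name of Object.keys(node.requires || {})) {
      const hit = resolve(scopes.concat(node), name);
      if (!hit || seen.has(hit.node)) continue; // unresolved or cyclic
      const next = trail.concat(`${name}@${hit.node.version}`);
      if (name === target && hit.node.version === version) {
        chains.push(next.join(" > "));
      }
      walk(hit.node, hit.scopes, next, new Set(seen).add(hit.node));
    }
  };
  for (const root of roots) {
    const node = (lock.dependencies || {})[root];
    if (node) walk(node, [lock], [`${root}@${node.version}`], new Set([node]));
  }
  return chains;
}

console.log(findChains(sampleLock, ["bcrypt", "argon2"], "tar", "6.1.11"));
```

Running the same check against the lockfile regenerated after the bump should return an empty list for the flagged version; any remaining chain names the direct dependency that still pins it.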


netlify Bot commented May 8, 2026


Deploy Preview for v3-migration-docs canceled.

Name Link
🔨 Latest commit e89a0ed
🔍 Latest deploy log https://app.netlify.com/projects/v3-migration-docs/deploys/6a01cc0390ba39000813712b


netlify Bot commented May 8, 2026


Deploy Preview for v3-meteor-api-docs canceled.

Name Link
🔨 Latest commit e89a0ed
🔍 Latest deploy log https://app.netlify.com/projects/v3-meteor-api-docs/deploys/6a01cc03ba83430007453198


coderabbitai Bot commented May 8, 2026

Walkthrough

The accounts-password package version is incremented from 3.2.3 to 3.2.4, accompanied by an upgrade of the bcrypt npm dependency from 5.0.1 to 6.0.0. No other package declarations or wiring changes are present.

Changes

accounts-password Package Manifest

| Layer / File(s) | Summary |
|---|---|
| Package Version: packages/accounts-password/package.js | Package version incremented from 3.2.3 to 3.2.4. |
| Dependency Versions: packages/accounts-password/package.js | bcrypt npm dependency upgraded from 5.0.1 to 6.0.0 in Npm.depends. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Title check | ⚠️ Warning | The PR title mentions bumping both 'bcrypt' and 'argon2', but the changeset only shows bcrypt being updated from 5.0.1 to 6.0.0; argon2 changes are not present in the provided summary. | Update the PR title to accurately reflect only the bcrypt bump, or verify that argon2 was also updated and ensure that change appears in the changeset. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |


@StorytellerCZ

Collaborator

Might be a good idea to update argon2 while at it.

https://www.npmjs.com/package/argon2

julio-rocketchat changed the title from "Bump bcrypt in the accounts-password package" to "Bump bcrypt in the accounts-password and argon2 packages" on May 11, 2026
julio-rocketchat changed the title from "Bump bcrypt in the accounts-password and argon2 packages" to "Bump bcrypt and argon2 in the accounts-password package" on May 11, 2026
@julio-rocketchat

Contributor Author

> Might be a good idea to update argon2 while at it.
>
> https://www.npmjs.com/package/argon2

Done, @StorytellerCZ. Just committed the update.
