This repository was archived by the owner on May 14, 2026. It is now read-only.

verdaccio-htpasswd@10.4.0

@github-actions github-actions released this 14 Jun 16:35
· 214 commits to main since this release
2a3c5ce

Minor Changes

  • 49ca26d: feat: allow other password hashing algorithms

    copied from v6 plugins by @greshilov verdaccio/verdaccio#2072

    To avoid a breaking change, the default algorithm is crypt.

    Context

    The current implementation of the htpasswd module supports multiple hash formats on verify, but only crypt on sign in.
    crypt is an insecure old format, so to improve the security of the new verdaccio release we introduce support for multiple hash algorithms at the sign-in step.

    New hashing algorithms

    The new possible hash algorithms to use are bcrypt, md5, sha1. You can read more about them here.

    Two new properties are added to the auth section in the configuration file:

    • algorithm to choose the way you want to hash passwords.
    • rounds is used to determine bcrypt complexity, so one can improve security as computational power increases.

    Example of the new auth config file section:

    auth:
      htpasswd:
        file: ./htpasswd
        max_users: 1000
        # Hash algorithm, possible options are: "bcrypt", "md5", "sha1", "crypt".
        algorithm: bcrypt
        # Rounds number for "bcrypt", will be ignored for other algorithms.
        rounds: 10
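
Because verification accepts several hash formats, one htpasswd file can hold a mix of them. The following is an added example, not code from verdaccio or this release: it classifies entries by the Apache htpasswd format prefixes and flags anything that is not bcrypt or falls below an assumed minimum of 10 rounds. `classifyHash`, `auditHtpasswd`, `weakUsers`, `MIN_ROUNDS` and the sample entries are hypothetical names and constructed data.

```javascript
// Added example: audit htpasswd entries by hash format.
// MIN_ROUNDS is an assumed policy value, matching the "rounds: 10" config above.
const MIN_ROUNDS = 10;

// Identify the hash format from its prefix (Apache htpasswd conventions).
function classifyHash(hash) {
  const bcrypt = /^\$2[aby]\$(\d{2})\$/.exec(hash);
  if (bcrypt) return { algorithm: 'bcrypt', rounds: Number(bcrypt[1]) };
  if (hash.startsWith('$apr1$')) return { algorithm: 'md5' };
  if (hash.startsWith('{SHA}')) return { algorithm: 'sha1' };
  // Traditional DES crypt: exactly 13 characters from the crypt alphabet.
  if (/^[./0-9A-Za-z]{13}$/.test(hash)) return { algorithm: 'crypt' };
  return { algorithm: 'unknown' };
}

// Parse "user:hash[:extra...]" lines and mark entries that need a password reset.
function auditHtpasswd(text, minRounds = MIN_ROUNDS) {
  const findings = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line) continue;
    // Only the first two fields matter; trailing fields are ignored.
    const [user, hash = ''] = line.split(':');
    const info = classifyHash(hash);
    const weak = info.algorithm !== 'bcrypt' || info.rounds < minRounds;
    findings.push({ user, ...info, weak });
  }
  return findings;
}

function weakUsers(text, minRounds = MIN_ROUNDS) {
  return auditHtpasswd(text, minRounds).filter((f) => f.weak).map((f) => f.user);
}

// Constructed sample file: the hash bodies are filler, not real password hashes.
const SAMPLE = [
  'alice:$2b$10$' + 'A'.repeat(53),
  'bob:$2a$04$' + 'B'.repeat(53) + ':autocreated 2021-06-14T16:35:00.000Z',
  'carol:$apr1$abcdefgh$' + 'C'.repeat(22),
  'dave:{SHA}' + 'D'.repeat(27) + '=',
  'erin:ab' + 'E'.repeat(11),
].join('\n');

console.log(auditHtpasswd(SAMPLE));
```

Pass the contents of the file named in `auth.htpasswd.file` to `auditHtpasswd` to list accounts whose stored hash predates a switch to bcrypt.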