Skip to content

Replace passlib with pwdlib for password hashing#3239

Open
emma-sg wants to merge 2 commits intomainfrom
pwdlib
Open

Replace passlib with pwdlib for password hashing#3239
emma-sg wants to merge 2 commits intomainfrom
pwdlib

Conversation

@emma-sg
Copy link
Copy Markdown
Member

@emma-sg emma-sg commented Mar 30, 2026
edited
Loading

Closes #3179
Resolves underlying issue behind #3162 and #3163

  • migrate from passlib context to pwdlib PasswordHash
  • replace pwd.genword() with secrets-based generator
  • update dependencies to use pwdlib with argon2+bcrypt support
  • preferentially use argon2, with bcrypt fallback support (updates hash on next login)

Tested locally with multiple accounts.

Testing instructions:

  1. Run cluster off of main, set up multiple accounts if desired
  2. Check local mongo instance, verify that all accounts' hashes start with $2b$ (bcrypt)
  3. Switch to this branch, build the backend, and update the cluster
  4. Log in as any desired accounts, and ensure that the login works as expected
  5. Verify that the hashes for those accounts are updated to start with $argon2id$
  6. While running on this branch, create a new user. Create a password for this user, and verify that the new user's hash also starts with $argon2id$.

@emma-sg
replace passlib with pwdlib for password hashing
440dc65 
- migrate from passlib context to pwdlib PasswordHash
- replace pwd.genword() with secrets-based generator
- update dependencies to use pwdlib with argon2+bcrypt support
@socket-security
Copy link
Copy Markdown

socket-security bot commented Mar 30, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn Critical
Critical CVE: npm fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names

CVE: GHSA-m7jm-9gc2-mpf2 fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names (CRITICAL)

Affected versions: >= 5.0.0 < 5.3.5; >= 4.1.3 < 4.5.4

Patched version: 4.5.4

From: ?npm/fast-xml-parser@4.5.1

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/fast-xml-parser@4.5.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@emma-sg emma-sg requested a review from ikreymer March 30, 2026 19:31
@emma-sg
allow setuptools to update beyond v82
ea9b6a4 
was previously blocked by passlib (see #3162 and #3163)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ikreymer ikreymer Awaiting requested review from ikreymer

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Task]: Migrate off passlib to pwdlib

1 participant

@emma-sg