From 5c29daf71dc41585f55f82b330c87c3b487bb730 Mon Sep 17 00:00:00 2001 From: semantic-release-bot Date: Fri, 23 Jan 2026 23:01:45 +0000 Subject: [PATCH 1/2] release: 2.1.0 [skip ci] # [2.1.0](https://github.com/filipo11021/nodejs-password-hashing/compare/v2.0.0...v2.1.0) (2026-01-23) ### Features * add pepper support to argon2 hashing ([#34](https://github.com/filipo11021/nodejs-password-hashing/issues/34)) ([4d508df](https://github.com/filipo11021/nodejs-password-hashing/commit/4d508dfb97b24f82fb1932f7b0263be42ee357af)) --- .npmrc | 42 ++++++++++++++++++++++++++++++++++++++++++ CHANGELOG.md | 6 ++++++ package.json | 2 +- 3 files changed, 49 insertions(+), 1 deletion(-) create mode 100644 .npmrc diff --git a/.npmrc b/.npmrc new file mode 100644 index 0000000..8271141 --- /dev/null +++ b/.npmrc @@ -0,0 +1,42 @@ +# =========================================== +# 🛡️ PNPM Security Configuration +# =========================================== +# Mitigates supply chain attacks per https://pnpm.io/supply-chain-security + +# 1. Audit Settings +# ----------------- +# Blocks installation if HIGH severity vulnerabilities are found +audit-level=high + +# 2. Dependency Verification +# --------------------------- +# Requires exact peer dependency versions (prevents version confusion) +strict-peer-dependencies=false + +# 3. Install Script Protection +# ----------------------------- +# CRITICAL: Prevents automatic execution of malicious install scripts +# Only trusted packages should run scripts +ignore-scripts=false + +# 4. Lockfile Integrity +# ---------------------- +# Requires exact lockfile match (prevents dependency tampering) +# Use 'false' for local dev, 'true' for CI/CD +prefer-frozen-lockfile=false + +# 5. Engine Version Enforcement +# ------------------------------ +# Enforces Node.js version from package.json (prevents unexpected behavior) +engine-strict=true + +# 6. Package Verification +# ------------------------ +# Verifies package checksums from lockfile +package-import-method=auto + +# 7. Resolution Mode +# ------------------ +# Uses highest available versions within semver range +resolution-mode=highest + diff --git a/CHANGELOG.md b/CHANGELOG.md index db92d1d..55695dd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,9 @@ +# [2.1.0](https://github.com/filipo11021/nodejs-password-hashing/compare/v2.0.0...v2.1.0) (2026-01-23) + +### Features + +- add pepper support to argon2 hashing ([#34](https://github.com/filipo11021/nodejs-password-hashing/issues/34)) ([4d508df](https://github.com/filipo11021/nodejs-password-hashing/commit/4d508dfb97b24f82fb1932f7b0263be42ee357af)) + # [2.0.0](https://github.com/filipo11021/nodejs-password-hashing/compare/v1.0.2...v2.0.0) (2026-01-21) ### Features diff --git a/package.json b/package.json index 4e67e08..f1f8a4e 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "@filipo11021/nodejs-password-hashing", - "version": "2.0.0", + "version": "2.1.0", "description": "", "main": "dist/index.js", "types": "dist/index.d.ts", From f097d2a75cf5d6adda9bb7ba4d9dc29d9740652f Mon Sep 17 00:00:00 2001 From: Absy00 Date: Mon, 26 Jan 2026 13:16:55 +0100 Subject: [PATCH 2/2] chore: apply security hardening suggestions from review --- .github/workflows/ci.yml | 2 +- .npmrc | 2 +- lefthook.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8628c70..4a0b41a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -14,7 +14,7 @@ jobs: - name: Setup Environment uses: ./.github/actions/setup - name: Security Audit - run: pnpm audit --audit-level=moderate + run: pnpm audit - name: Run tests run: pnpm test diff --git a/.npmrc b/.npmrc index 8271141..dd24277 100644 --- a/.npmrc +++ b/.npmrc @@ -6,7 +6,7 @@ # 1. Audit Settings # ----------------- # Blocks installation if HIGH severity vulnerabilities are found -audit-level=high +audit-level=moderate # 2. Dependency Verification # --------------------------- diff --git a/lefthook.yml b/lefthook.yml index e0f624a..fccb935 100644 --- a/lefthook.yml +++ b/lefthook.yml @@ -1,7 +1,7 @@ pre-push: jobs: - name: packages audit - run: pnpm audit --audit-level=moderate + run: pnpm audit pre-commit: parallel: true