Weekly Update, February 18th, 2025 –– Please test 3.2-beta.1

grubba · February 18, 2025, 2:24pm

A few days ago we announced that: Meteor.js v3.1.2 is out! 🎉

Since then we have started working on 3.2 and currently, we have a beta version for you to try:

meteor update --release 3.2-beta.1

This beta includes:

github.com/meteor/meteor

Feature argon2 password encryption

meteor:devel ← vparpoil:feature/argon2-password-encryption

opened 05:29PM - 17 Jan 25 UTC

vparpoil

+766 -303

Following this discussion : https://github.com/meteor/meteor/discussions/13529 I… worked on a proposal to implement `argon2` as a drop-in replacement for `bcrypt` to securely store user password. The `checkPasswordAsync` function has been updated to enable a seamless transition from `bcrypt` to `argon2`. A test has been added to verify this transition. The `accounts-password` package still includes `bcrypt` as a dependency to support legacy hashed passwords

Changes we would love the community to give it a shot at testing.

Nacho is also working on a 2.16 patch to help out with the Error building cordova project that we are having on the 2.x versions.

Next releases:

Meteor 3.2.0 (late-February/early March 2025)

rjdavid · February 19, 2025, 12:11am

It will help a lot for a migration guide, not only technically, but also how it should happen in operations for the removal of bcrypt.

Not all users will be migrated through a login and therefore has to be forced to reset passwords before removing bcrypt

minhna · February 19, 2025, 2:05am

As of my understanding, we will need that migration guide, but not immediately. It will be critical when bcrypt got removed.

nachocodoner · February 20, 2025, 2:48pm

We decided to roll out this feature in multiple phases.

The first phase is planned for 3.2 and won’t introduce any breaking changes. A guide on optionally enabling Argon2 is available in the docs. Feel free to share any feedback with the author there.

In the second phase, after broader community adoption, we plan to remove bcrypt. Guidance will be provided, considering insights from early adopters. A future version will introduce this as a breaking change with clear warnings and necessary actions.

rjdavid · February 21, 2025, 10:23am

@nachocodoner, which one is the case here:

We are sure that bcrypt will be removed in the future
Removal of bcrypt depends on the feedback about the use of argon2

nachocodoner · February 25, 2025, 1:50pm

Removal of bcrypt depends on the feedback about the use of argon2

The second option prioritizes safety for everyone. We need people to dive into the implementation and share feedback to handle this major breaking change in the future, affecting both code and data in a widely used part like auth system of any Meteor app.

For now, we expect developers to move there optionally, share their experiences, and provide feedback to the original author, as seen in the PR. Performance implications matter too, I’d like to see how login behaves in comparison, as it could be a good meteor/performance case to measure. That’s why it’s important for users to migrate when possible and help improve stability and experience, before any final call on its mandatory adoption.