{"id":10385,"library":"bcryptjs","title":"bcrypt.js Password Hashing","description":"bcrypt.js is an optimized implementation of the bcrypt password hashing function in pure JavaScript, providing zero dependencies and full TypeScript support. Compatible with the C++ bcrypt binding, it is currently stable at version 3.0.3 and is actively maintained with releases as needed to address bugs and modernize the codebase.","status":"active","version":"3.0.3","language":"javascript","source_language":"en","source_url":"https://github.com/dcodeIO/bcrypt.js","tags":["javascript","bcrypt","password","auth","authentication","encryption","crypt","crypto","typescript"],"install":[{"cmd":"npm install bcryptjs","lang":"bash","label":"npm"},{"cmd":"yarn add bcryptjs","lang":"bash","label":"yarn"},{"cmd":"pnpm add bcryptjs","lang":"bash","label":"pnpm"}],"dependencies":[],"imports":[{"note":"ESM-first by default since v3.0.0, although a UMD fallback is provided.","wrong":"const bcrypt = require('bcryptjs')","symbol":"bcrypt","correct":"import bcrypt from 'bcryptjs'"}],"quickstart":{"code":"import bcrypt from \"bcryptjs\";\n\nasync function main() {\n  const password = \"mySecretPassword123\";\n  // Auto-generate a salt with 10 rounds and hash the password\n  const hash = await bcrypt.hash(password, 10);\n  console.log(\"Hashed password:\", hash);\n\n  // Compare a password against the stored hash\n  const isMatch = await bcrypt.compare(password, hash);\n  console.log(\"Password matches:\", isMatch); // true\n\n  const notMatch = await bcrypt.compare(\"wrongPassword\", hash);\n  console.log(\"Wrong password matches:\", notMatch); // false\n}\nmain();","lang":"typescript","description":"Hashes a password with an automatically generated salt (10 rounds) and then demonstrates how to compare a password against the stored hash using the asynchronous API."},"warnings":[{"fix":"Update `require()` statements to `import bcrypt from 'bcryptjs'`.","message":"Since v3.0.0, bcrypt.js exports an ECMAScript module (ESM) by default. Projects using CommonJS `require()` will need to update to `import` syntax or configure their bundler/Node.js environment accordingly.","severity":"breaking","affected_versions":">=3.0.0"},{"fix":"Ensure any systems expecting a specific bcrypt version (e.g., 2a) are compatible with 2b hashes or adjust accordingly.","message":"Version 3.0.0 changed the default hash generation to produce 2b-style hashes. While this library was not affected by the original 2a/2b bug, the output format for newly generated hashes has changed.","severity":"breaking","affected_versions":">=3.0.0"},{"fix":"Account for performance differences by potentially reducing the number of bcrypt rounds or using the C++ binding (`bcrypt`) for performance-critical Node.js applications.","message":"As a pure JavaScript implementation, `bcryptjs` is approximately 30% slower than the native C++ bcrypt binding available on Node.js. This affects the number of iterations that can be processed in a given time.","severity":"gotcha","affected_versions":"all"},{"fix":"Implement explicit password length checks in your application code, using `bcrypt.truncates(password)` if necessary, before passing to hashing functions.","message":"The maximum input password length for bcrypt.js is 72 bytes. Passwords exceeding this length are not implicitly truncated or validated by the library itself.","severity":"gotcha","affected_versions":"all"},{"fix":"Use a bundler (like Webpack, Rollup, Vite) or configure an import map in your HTML to stub out the `crypto` module.","message":"When using the ESM variant of bcrypt.js directly in a browser without a bundler, the `crypto` import may need to be stubbed out (e.g., via an import map) to prevent browser-specific errors.","severity":"gotcha","affected_versions":"all"}],"env_vars":null,"last_verified":"2026-04-18T00:00:00.000Z","next_check":"2026-07-17T00:00:00.000Z","problems":[{"fix":"Update your import statement from `const bcrypt = require('bcryptjs')` to `import bcrypt from 'bcryptjs'`.","cause":"Attempting to use CommonJS `require()` syntax in an ES Module context (e.g., in a modern Node.js project with `\"type\": \"module\"` or a browser module).","error":"ReferenceError: require is not defined"},{"fix":"Ensure `bcrypt.hash` is called with at least two arguments: the password (`data`) and either a generated `salt` or the number of `rounds` for salt generation (e.g., `bcrypt.hash(password, 10)`).","cause":"`bcrypt.hash` was called with an insufficient number of arguments, typically missing the `salt` or `rounds` parameter.","error":"Error: data and salt arguments required by bcrypt.hash."},{"fix":"Verify that asynchronous `bcrypt` functions are called with the correct arguments to return a promise (e.g., `await bcrypt.hash(password, 10)`) or, if using callbacks, that the callback is correctly provided (e.g., `bcrypt.hash(password, 10, (err, hash) => {})`).","cause":"This usually occurs when attempting to `await` or `.then()` on an `bcrypt` asynchronous function (like `bcrypt.hash`) that returned `undefined` because it was called with an incorrect number of arguments, implicitly switching it to a callback-based API (if applicable) or failing to return a promise.","error":"TypeError: Cannot read properties of undefined (reading 'then')"}],"ecosystem":"npm"}