Added parallelism factor to argon2

[franciscop]

What does this PR do?

Add the parallelism: number option into Bun's password hash. This is already supported by the underlying library and was hardcoded to 1, so just exposed this option to the JS/TS API.

Background: I'm trying to make import { argon2 } from 'node:crypto'; work, but Bun's Bun.password.hash() doesn't support all of the existing parameters yet, so it's not easy to make this compatibility layer. So I'm trying to add the options supported from Node.js' crypto into Bun's password.hash() one by one, while also getting familiar with the codebase. This seemed like the ideal parameter to start, since the code was basically there, just with a hardcoded 1 instead of receiving the parameter.

How did you verify your code works?

Added tests following the other parameter's examples:

• Added test for a negative number.
• Added test for a different factor (2) and checked that it passes the correct parallelism factor.

Feedback request

This is my first PR in Bun and with Zig, please let me know if you'd prefer the parameter to be called parallelismFactor or parallelismDegree instead of just parallelism, and/or if I need to change anything else along with the code+test changes here (like docs).

Relevant ticket

Partially fixes ticket #9074.

[coderabbitai]

Walkthrough

Adds an optional Argon2 parallelism parameter across typings, Zig implementation, and tests: declaration updated, Zig parses/validates/stores parallelism (1–65535) and emits .p = parallelism, and tests cover validation and hash p= output.

Changes

Cohort / File(s)	Summary
Type definitions packages/bun-types/bun.d.ts	Added optional parallelism?: number to Argon2Algorithm in Bun.Password.
Zig implementation src/bun.js/api/crypto/PasswordObject.zig	Added parallelism: u24 to Argon2Params (default from interactive_2id.p); updated toParams() to set .p = this.parallelism; extended PasswordObject.Algorithm.Value.fromJS to parse parallelism for Argon2, coerce to integer, and validate 1 <= parallelism <= 65535.
Tests test/js/bun/util/password.test.ts	Added/updated tests: reject memoryCost/timeCost of 0; reject parallelism negative, zero, and 65536; assert generated Argon2id hash reflects p=<value> (e.g., p=2).

Pre-merge checks

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main change: adding a parallelism factor to Argon2 password hashing, which is the primary objective of the PR.
Description check	✅ Passed	The description covers both required sections with substantive detail: it explains what the PR does (exposing the parallelism option) and how it was verified (added tests for negative and alternate values).

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/bun.js/api/crypto/PasswordObject.zig (1)

220-224: Update stale comment: we now expose parallelism.

The note says “we don't expose this option”; that’s outdated post‑change.

Apply this diff:

-                // warning: argon2's code may spin up threads if paralellism is set to > 0
-                // we don't expose this option
-                // but since it parses from phc format, it's possible that it will be set
-                // eventually we should do something that about that.
+                // Note: argon2 may spin up threads when parallelism > 1.
+                // This option is now user-configurable and also parsed from PHC.
+                // Be mindful of oversubscription in highly concurrent workloads.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between f30e395 and 80a0aa9.

📒 Files selected for processing (3)

• packages/bun-types/bun.d.ts (1 hunks)
• src/bun.js/api/crypto/PasswordObject.zig (2 hunks)
• test/js/bun/util/password.test.ts (2 hunks)

🧰 Additional context used

📓 Path-based instructions (8)

test/**

📄 CodeRabbit inference engine (.cursor/rules/writing-tests.mdc)

Place all tests under the test/ directory

Files:

• test/js/bun/util/password.test.ts

test/js/**/*.{js,ts}

📄 CodeRabbit inference engine (.cursor/rules/writing-tests.mdc)

Place JavaScript and TypeScript tests under test/js/

Files:

• test/js/bun/util/password.test.ts

test/js/bun/**/*.{js,ts}

📄 CodeRabbit inference engine (.cursor/rules/writing-tests.mdc)

Place Bun API tests under test/js/bun/, separated by category (e.g., test/js/bun/glob/)

Files:

• test/js/bun/util/password.test.ts

test/**/*.{js,ts}

📄 CodeRabbit inference engine (.cursor/rules/writing-tests.mdc)

test/**/*.{js,ts}: Write tests in JavaScript or TypeScript using Bun’s Jest-style APIs (test, describe, expect) and run with bun test
Prefer data-driven tests (e.g., test.each) to reduce boilerplate
Use shared utilities from test/harness.ts where applicable

Files:

• test/js/bun/util/password.test.ts

**/*.zig

📄 CodeRabbit inference engine (.cursor/rules/javascriptcore-class.mdc)

**/*.zig: Declare the extern C symbol in Zig and export a Zig-friendly alias for use
Wrap the Bun____toJS extern in a Zig method that takes a JSGlobalObject and returns JSC.JSValue

Files:

• src/bun.js/api/crypto/PasswordObject.zig

src/{**/js_*.zig,bun.js/api/**/*.zig}

📄 CodeRabbit inference engine (.cursor/rules/registering-bun-modules.mdc)

Use bun.JSError!JSValue for proper error propagation in JS-exposed Zig functions

Files:

• src/bun.js/api/crypto/PasswordObject.zig

src/bun.js/**/*.zig

📄 CodeRabbit inference engine (.cursor/rules/zig-javascriptcore-classes.mdc)

src/bun.js/**/*.zig: In Zig binding structs, expose generated bindings via pub const js = JSC.Codegen.JS and re-export toJS/fromJS/fromJSDirect
Constructors and prototype methods should return bun.JSError!JSC.JSValue to integrate Zig error handling with JS exceptions
Use parameter name globalObject (not ctx) and accept (*JSC.JSGlobalObject, *JSC.CallFrame) in binding methods/constructors
Implement getters as get(this, globalObject) returning JSC.JSValue and matching the .classes.ts interface
Provide deinit() for resource cleanup and finalize() that calls deinit(); use bun.destroy(this) or appropriate destroy pattern
Access JS call data via CallFrame (argument(i), argumentCount(), thisValue()) and throw errors with globalObject.throw(...)
For properties marked cache: true, use the generated Zig accessors (NameSetCached/GetCached) to work with GC-owned values
In finalize() for objects holding JS references, release them using .deref() before destroy

Files:

• src/bun.js/api/crypto/PasswordObject.zig

src/**/*.zig

📄 CodeRabbit inference engine (.cursor/rules/building-bun.mdc)

When adding debug logs in Zig, create a scoped logger and log via Bun APIs: const log = bun.Output.scoped(.${SCOPE}, .hidden); then log("...", .{})

src/**/*.zig: Use Zig private fields with the # prefix for encapsulation (e.g., struct { #foo: u32 })
Prefer Decl literals for initialization (e.g., const decl: Decl = .{ .binding = 0, .value = 0 };)
Place @import statements at the bottom of the file (formatter will handle ordering)

Files:

• src/bun.js/api/crypto/PasswordObject.zig

🧠 Learnings (2)

📚 Learning: 2025-10-19T02:52:37.412Z

Learnt from: theshadow27
Repo: oven-sh/bun PR: 23798
File: packages/bun-otel/tsconfig.json:1-15
Timestamp: 2025-10-19T02:52:37.412Z
Learning: In the Bun repository, packages under packages/ (e.g., bun-otel) can follow a TypeScript-first pattern where package.json exports point directly to .ts files (not compiled .js files). Bun natively runs TypeScript, so consumers import .ts sources directly and receive full type information without needing compiled .d.ts declaration files. For such packages, adding "declaration": true or "outDir" in tsconfig.json is unnecessary and would break the export structure.
<!-- [remove_learning]
ceedde95-980e-4898-a2c6-40ff73913664

Applied to files:

• packages/bun-types/bun.d.ts

📚 Learning: 2025-10-08T13:48:02.430Z

Learnt from: Jarred-Sumner
Repo: oven-sh/bun PR: 23373
File: test/js/bun/tarball/extract.test.ts:107-111
Timestamp: 2025-10-08T13:48:02.430Z
Learning: In Bun's test runner, use `expect(async () => { await ... }).toThrow()` to assert async rejections. Unlike Jest/Vitest, Bun does not require `await expect(...).rejects.toThrow()` - the async function wrapper with `.toThrow()` is the correct pattern for async error assertions in Bun tests.

Applied to files:

• test/js/bun/util/password.test.ts

🔇 Additional comments (3)

test/js/bun/util/password.test.ts (2)

247-254: Good: verifies parallelism is forwarded into PHC string (p=2).

This checks the wire format and behavior end-to-end. LGTM.

---

55-61: Harden the assertion and cover zero case.

Use the async wrapper form to reliably assert both sync/async paths, and add parallelism: 0 (invalid) like other cost tests.

Apply this diff:

-        expect(() =>
-          hash(placeholder, {
-            algorithm: "argon2id",
-            parallelism: -1,
-          }),
-        ).toThrow();
+        expect(async () => {
+          await hash(placeholder, { algorithm: "argon2id", parallelism: -1 });
+        }).toThrow();
+        expect(async () => {
+          await hash(placeholder, { algorithm: "argon2id", parallelism: 0 });
+        }).toThrow();

⛔ Skipped due to learnings

Learnt from: markovejnovic
Repo: oven-sh/bun PR: 22568
File: test/js/valkey/valkey.test.ts:268-276
Timestamp: 2025-09-20T00:57:56.685Z
Learning: For test/js/valkey/valkey.test.ts, do not comment on synchronous throw assertions for async Redis methods like ctx.redis.set() - the maintainer has explicitly requested to stop looking at this error pattern.

Learnt from: CR
Repo: oven-sh/bun PR: 0
File: src/bun.js/bindings/v8/CLAUDE.md:0-0
Timestamp: 2025-09-08T00:41:12.052Z
Learning: Follow existing patterns in similar V8 classes, add comprehensive Node.js parity tests, update all symbol files, and document any special behavior

src/bun.js/api/crypto/PasswordObject.zig (1)

145-151: LGTM: plumbs parallelism through defaults and to Params.

Defaults to PHC interactive profile and forwards to .p. Matches other fields.

Consider capping parallelism to CPU count to avoid oversubscription (optional policy).

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between e5a1a51 and fc49006.

📒 Files selected for processing (2)

• src/bun.js/api/crypto/PasswordObject.zig (2 hunks)
• test/js/bun/util/password.test.ts (2 hunks)

🧰 Additional context used

📓 Path-based instructions (8)

test/**

📄 CodeRabbit inference engine (.cursor/rules/writing-tests.mdc)

Place all tests under the test/ directory

Files:

• test/js/bun/util/password.test.ts

test/js/**/*.{js,ts}

📄 CodeRabbit inference engine (.cursor/rules/writing-tests.mdc)

Place JavaScript and TypeScript tests under test/js/

Files:

• test/js/bun/util/password.test.ts

test/js/bun/**/*.{js,ts}

📄 CodeRabbit inference engine (.cursor/rules/writing-tests.mdc)

Place Bun API tests under test/js/bun/, separated by category (e.g., test/js/bun/glob/)

Files:

• test/js/bun/util/password.test.ts

test/**/*.{js,ts}

📄 CodeRabbit inference engine (.cursor/rules/writing-tests.mdc)

test/**/*.{js,ts}: Write tests in JavaScript or TypeScript using Bun’s Jest-style APIs (test, describe, expect) and run with bun test
Prefer data-driven tests (e.g., test.each) to reduce boilerplate
Use shared utilities from test/harness.ts where applicable

Files:

• test/js/bun/util/password.test.ts

**/*.zig

📄 CodeRabbit inference engine (.cursor/rules/javascriptcore-class.mdc)

**/*.zig: Declare the extern C symbol in Zig and export a Zig-friendly alias for use
Wrap the Bun____toJS extern in a Zig method that takes a JSGlobalObject and returns JSC.JSValue

Files:

• src/bun.js/api/crypto/PasswordObject.zig

src/{**/js_*.zig,bun.js/api/**/*.zig}

📄 CodeRabbit inference engine (.cursor/rules/registering-bun-modules.mdc)

Use bun.JSError!JSValue for proper error propagation in JS-exposed Zig functions

Files:

• src/bun.js/api/crypto/PasswordObject.zig

src/bun.js/**/*.zig

📄 CodeRabbit inference engine (.cursor/rules/zig-javascriptcore-classes.mdc)

src/bun.js/**/*.zig: In Zig binding structs, expose generated bindings via pub const js = JSC.Codegen.JS and re-export toJS/fromJS/fromJSDirect
Constructors and prototype methods should return bun.JSError!JSC.JSValue to integrate Zig error handling with JS exceptions
Use parameter name globalObject (not ctx) and accept (*JSC.JSGlobalObject, *JSC.CallFrame) in binding methods/constructors
Implement getters as get(this, globalObject) returning JSC.JSValue and matching the .classes.ts interface
Provide deinit() for resource cleanup and finalize() that calls deinit(); use bun.destroy(this) or appropriate destroy pattern
Access JS call data via CallFrame (argument(i), argumentCount(), thisValue()) and throw errors with globalObject.throw(...)
For properties marked cache: true, use the generated Zig accessors (NameSetCached/GetCached) to work with GC-owned values
In finalize() for objects holding JS references, release them using .deref() before destroy

Files:

• src/bun.js/api/crypto/PasswordObject.zig

src/**/*.zig

📄 CodeRabbit inference engine (.cursor/rules/building-bun.mdc)

When adding debug logs in Zig, create a scoped logger and log via Bun APIs: const log = bun.Output.scoped(.${SCOPE}, .hidden); then log("...", .{})

src/**/*.zig: Use Zig private fields with the # prefix for encapsulation (e.g., struct { #foo: u32 })
Prefer Decl literals for initialization (e.g., const decl: Decl = .{ .binding = 0, .value = 0 };)
Place @import statements at the bottom of the file (formatter will handle ordering)

Files:

• src/bun.js/api/crypto/PasswordObject.zig

🧠 Learnings (7)

📚 Learning: 2025-09-08T00:41:12.052Z

Learnt from: CR
Repo: oven-sh/bun PR: 0
File: src/bun.js/bindings/v8/CLAUDE.md:0-0
Timestamp: 2025-09-08T00:41:12.052Z
Learning: Applies to src/bun.js/bindings/v8/test/v8/v8.test.ts : Add a corresponding test case in test/v8/v8.test.ts that invokes checkSameOutput with the new function

Applied to files:

• test/js/bun/util/password.test.ts

📚 Learning: 2025-10-08T13:48:02.430Z

Learnt from: Jarred-Sumner
Repo: oven-sh/bun PR: 23373
File: test/js/bun/tarball/extract.test.ts:107-111
Timestamp: 2025-10-08T13:48:02.430Z
Learning: In Bun's test runner, use `expect(async () => { await ... }).toThrow()` to assert async rejections. Unlike Jest/Vitest, Bun does not require `await expect(...).rejects.toThrow()` - the async function wrapper with `.toThrow()` is the correct pattern for async error assertions in Bun tests.

Applied to files:

• test/js/bun/util/password.test.ts

📚 Learning: 2025-10-24T10:43:09.398Z

Learnt from: fmguerreiro
Repo: oven-sh/bun PR: 23774
File: src/install/PackageManager/updatePackageJSONAndInstall.zig:548-548
Timestamp: 2025-10-24T10:43:09.398Z
Learning: In Bun's Zig codebase, the `as(usize, intCast(...))` cast pattern triggers a Zig compiler bug that causes compilation to hang indefinitely when used in complex control flow contexts (loops + short-circuit operators + optional unwrapping). Avoid this pattern and use simpler alternatives like just `intCast(...)` if type casting is necessary.

Applied to files:

• src/bun.js/api/crypto/PasswordObject.zig

📚 Learning: 2025-10-18T20:59:45.579Z

Learnt from: theshadow27
Repo: oven-sh/bun PR: 23798
File: src/bun.js/telemetry.zig:458-475
Timestamp: 2025-10-18T20:59:45.579Z
Learning: In src/bun.js/telemetry.zig, the RequestId (u64) to JavaScript number (f64) conversion in jsRequestId() is intentionally allowed to lose precision beyond 2^53-1. This is acceptable because: (1) at 1M requests/sec it takes ~285 years to overflow, (2) the counter resets per-process, and (3) these are observability IDs, not critical distributed IDs. Precision loss is an acceptable trade-off for this use case.

Applied to files:

• src/bun.js/api/crypto/PasswordObject.zig

📚 Learning: 2025-09-04T02:04:43.094Z

Learnt from: Jarred-Sumner
Repo: oven-sh/bun PR: 22278
File: src/ast/E.zig:980-1003
Timestamp: 2025-09-04T02:04:43.094Z
Learning: In Bun's Zig codebase, `as(i32, u8_or_u16_value)` is sufficient for casting u8/u16 to i32 in comparison operations. `intCast` is not required in this context, and the current casting approach compiles successfully.

Applied to files:

• src/bun.js/api/crypto/PasswordObject.zig

📚 Learning: 2025-09-07T14:00:36.526Z

Learnt from: RiskyMH
Repo: oven-sh/bun PR: 22258
File: src/bun.js/test/jest.zig:63-86
Timestamp: 2025-09-07T14:00:36.526Z
Learning: In Bun's Zig codebase, the established pattern for HashMap hash functions is to truncate hash values to u32, even when the underlying hash computation produces u64. This is seen throughout the codebase, such as in src/css/rules/rules.zig where u64 hashes are stored but truncated to u32 in HashMap contexts. When implementing HashContext for HashMapUnmanaged, the hash function should return u32 to match this pattern.

Applied to files:

• src/bun.js/api/crypto/PasswordObject.zig

📚 Learning: 2025-10-26T04:50:17.892Z

Learnt from: Jarred-Sumner
Repo: oven-sh/bun PR: 24086
File: src/bun.js/api/server.zig:2534-2535
Timestamp: 2025-10-26T04:50:17.892Z
Learning: In src/bun.js/api/server.zig, u32 is acceptable for route indices and websocket_context_index fields, as the practical limit of 4 billion contexts will never be reached.

Applied to files:

• src/bun.js/api/crypto/PasswordObject.zig

🔇 Additional comments (4)

test/js/bun/util/password.test.ts (2)

55-95: LGTM! Comprehensive parameter validation tests.

The test coverage for the new parallelism parameter is thorough and follows the established pattern for other Argon2 parameters. Testing the boundaries (negative, zero, and just above the maximum) ensures the validation logic works correctly.

---

275-281: LGTM! Correctly verifies parallelism parameter is forwarded.

The update to the slow test path properly includes parallelism: 2 in the options and verifies that the resulting hash string contains p=2, confirming the parameter is correctly passed through to the Argon2 implementation.

src/bun.js/api/crypto/PasswordObject.zig (2)

150-150: LGTM! Appropriate field type and default.

Using u24 for the parallelism field is appropriate and the default from pwhash.argon2.Params.interactive_2id.p ensures compatibility with the underlying library's recommended values.

---

156-156: LGTM! Correctly uses the configured parallelism value.

This change properly replaces the previous hardcoded parallelism value with the configured field, allowing the parameter to be customized as intended.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between fc49006 and b7e195b.

📒 Files selected for processing (1)

• packages/bun-types/bun.d.ts (1 hunks)

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: franciscop
Repo: oven-sh/bun PR: 24514
File: src/bun.js/api/crypto/PasswordObject.zig:86-101
Timestamp: 2025-11-10T00:57:09.156Z
Learning: In Bun's Zig codebase (PasswordObject.zig), when validating the parallelism parameter for Argon2, the upper limit is set to 65535 (2^16 - 1) rather than using `std.math.maxInt(u24)` because the latter triggers Zig's truncation limit checks. The value 65535 is a practical upper bound that avoids compiler issues while being sufficient for thread parallelism use cases.

📚 Learning: 2025-11-10T00:57:09.156Z

Learnt from: franciscop
Repo: oven-sh/bun PR: 24514
File: src/bun.js/api/crypto/PasswordObject.zig:86-101
Timestamp: 2025-11-10T00:57:09.156Z
Learning: In Bun's Zig codebase (PasswordObject.zig), when validating the parallelism parameter for Argon2, the upper limit is set to 65535 (2^16 - 1) rather than using `std.math.maxInt(u24)` because the latter triggers Zig's truncation limit checks. The value 65535 is a practical upper bound that avoids compiler issues while being sufficient for thread parallelism use cases.

Applied to files:

• packages/bun-types/bun.d.ts