[pre-commit.ci] pre-commit autoupdate (#228)

updates:
- [github.com/astral-sh/ruff-pre-commit: v0.15.9 → v0.15.12](https://github.com/astral-sh/ruff-pre-commit/compare/v0.15.9...v0.15.12)

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>

.git_archival.txt

@@ -0,0 +1,3 @@
+node: $Format:%H$
+node-date: $Format:%cI$
+describe-name: $Format:%(describe:tags=true,match=*[0-9]*)$

.github/CODE_OF_CONDUCT.md

@@ -1,133 +1,16 @@
+# Code of Conduct
 
-# Contributor Covenant Code of Conduct
+While not being a [Python Software Foundation](https://www.python.org/psf-landing/) project, everyone interacting in this project is expected to follow the [PSF Code of Conduct](https://policies.python.org/python.org/code-of-conduct/).
 
-## Our Pledge
+In general, this means that everyone is expected to be **open**, **considerate**, and **respectful** of others no matter what their position is within the project.
 
-We as members, contributors, and leaders pledge to make participation in our
-community a harassment-free experience for everyone, regardless of age, body
-size, visible or invisible disability, ethnicity, sex characteristics, gender
-identity and expression, level of experience, education, socio-economic status,
-nationality, personal appearance, race, caste, color, religion, or sexual
-identity and orientation.
-
-We pledge to act and interact in ways that contribute to an open, welcoming,
-diverse, inclusive, and healthy community.
-
-## Our Standards
-
-Examples of behavior that contributes to a positive environment for our
-community include:
-
-* Demonstrating empathy and kindness toward other people
-* Being respectful of differing opinions, viewpoints, and experiences
-* Giving and gracefully accepting constructive feedback
-* Accepting responsibility and apologizing to those affected by our mistakes,
-  and learning from the experience
-* Focusing on what is best not just for us as individuals, but for the overall
-  community
-
-Examples of unacceptable behavior include:
-
-* The use of sexualized language or imagery, and sexual attention or advances of
-  any kind
-* Trolling, insulting or derogatory comments, and personal or political attacks
-* Public or private harassment
-* Publishing others' private information, such as a physical or email address,
-  without their explicit permission
-* Other conduct which could reasonably be considered inappropriate in a
-  professional setting
-
-## Enforcement Responsibilities
-
-Community leaders are responsible for clarifying and enforcing our standards of
-acceptable behavior and will take appropriate and fair corrective action in
-response to any behavior that they deem inappropriate, threatening, offensive,
-or harmful.
-
-Community leaders have the right and responsibility to remove, edit, or reject
-comments, commits, code, wiki edits, issues, and other contributions that are
-not aligned to this Code of Conduct, and will communicate reasons for moderation
-decisions when appropriate.
-
-## Scope
-
-This Code of Conduct applies within all community spaces, and also applies when
-an individual is officially representing the community in public spaces.
-Examples of representing our community include using an official e-mail address,
-posting via an official social media account, or acting as an appointed
-representative at an online or offline event.
 
 ## Enforcement
 
-Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported to the community leaders responsible for enforcement at
-<mailto:hs@ox.cx>.
-All complaints will be reviewed and investigated promptly and fairly.
+We take Code of Conduct violations seriously, and will act to ensure our spaces are welcoming, inclusive, and professional environments to communicate in.
 
-All community leaders are obligated to respect the privacy and security of the
-reporter of any incident.
+If you need to raise a Code of Conduct report, you may do so privately by email to [Hynek Schlawack](mailto:hs@ox.cx).
 
-## Enforcement Guidelines
+Reports will be treated confidentially.
 
-Community leaders will follow these Community Impact Guidelines in determining
-the consequences for any action they deem in violation of this Code of Conduct:
-
-### 1. Correction
-
-**Community Impact**: Use of inappropriate language or other behavior deemed
-unprofessional or unwelcome in the community.
-
-**Consequence**: A private, written warning from community leaders, providing
-clarity around the nature of the violation and an explanation of why the
-behavior was inappropriate. A public apology may be requested.
-
-### 2. Warning
-
-**Community Impact**: A violation through a single incident or series of
-actions.
-
-**Consequence**: A warning with consequences for continued behavior. No
-interaction with the people involved, including unsolicited interaction with
-those enforcing the Code of Conduct, for a specified period of time. This
-includes avoiding interactions in community spaces as well as external channels
-like social media. Violating these terms may lead to a temporary or permanent
-ban.
-
-### 3. Temporary Ban
-
-**Community Impact**: A serious violation of community standards, including
-sustained inappropriate behavior.
-
-**Consequence**: A temporary ban from any sort of interaction or public
-communication with the community for a specified period of time. No public or
-private interaction with the people involved, including unsolicited interaction
-with those enforcing the Code of Conduct, is allowed during this period.
-Violating these terms may lead to a permanent ban.
-
-### 4. Permanent Ban
-
-**Community Impact**: Demonstrating a pattern of violation of community
-standards, including sustained inappropriate behavior, harassment of an
-individual, or aggression toward or disparagement of classes of individuals.
-
-**Consequence**: A permanent ban from any sort of public interaction within the
-community.
-
-## Attribution
-
-This Code of Conduct is adapted from the [Contributor Covenant][homepage],
-version 2.1, available at
-[https://www.contributor-covenant.org/version/2/1/code_of_conduct.html][v2.1].
-
-Community Impact Guidelines were inspired by
-[Mozilla's code of conduct enforcement ladder][Mozilla CoC].
-
-For answers to common questions about this code of conduct, see the FAQ at
-[https://www.contributor-covenant.org/faq][FAQ]. Translations are available at
-[https://www.contributor-covenant.org/translations][translations].
-
-[homepage]: https://www.contributor-covenant.org
-[v2.1]: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html
-[Mozilla CoC]: https://github.com/mozilla/diversity
-[FAQ]: https://www.contributor-covenant.org/faq
-[translations]: https://www.contributor-covenant.org/translations
+Alternately you can make a [report to the Python Software Foundation](https://policies.python.org/python.org/code-of-conduct/Procedures-for-Reporting-Incidents/).

.github/CONTRIBUTING.md

@@ -25,53 +25,47 @@ But don't be afraid to open half-finished PRs and ask questions if something is
 - Don’t break backwards-compatibility.
 
 
-## Local Development Environment
+## Local development environment
 
-You can (and should) run our test suite using [*tox*].
-However, you’ll probably want a more traditional environment as well.
+First, **fork** the repository on GitHub and **clone** it using one of the alternatives that you can copy-paste by pressing the big green button labeled `<> Code`.
 
-First, create a [virtual environment](https://virtualenv.pypa.io/) so you don't break your system-wide Python installation.
-We recommend using the Python version from the `.python-version-default` file in project's root directory.
+You can (and should) run our test suite using [*tox*](https://tox.wiki/).
+However, you'll probably want a more traditional environment as well.
 
-If you're using [*direnv*](https://direnv.net), you can automate the creation of a virtual environment with the correct Python version by adding the following `.envrc` to the project root after you've cloned it to your computer:
+We recommend using the Python version from the `.python-version-default` file in the project's root directory, because that's the one that is used in the CI by default, too.
+
+If you're using [*direnv*](https://direnv.net), you can automate the creation of the project virtual environment with the correct Python version by adding the following `.envrc` to the project root:
 
 ```bash
 layout python python$(cat .python-version-default)
 ```
 
-If you're using tools that understand `.python-version` files like [*pyenv*](https://github.com/pyenv/pyenv) does, you can make it a link to the `.python-version-default` file.
+or, if you like [*uv*](https://github.com/astral-sh/uv):
 
----
-
-Next, fork the repository on GitHub and get an up-to-date checkout:
-
-```console
-$ git clone git@github.com:<your-username>/argon2-cffi.git
+```bash
+test -d .venv || uv venv --python python$(cat .python-version-default)
+. .venv/bin/activate
 ```
 
-or if you prefer to use *Git* via `https`:
+> [!WARNING]
+> - **Before** you start working on a new pull request, use the "*Sync fork*" button in GitHub's web UI to ensure your fork is up to date.
+> - **Always create a new branch off `main` for each new pull request.**
+>   Yes, you can work on `main` in your fork and submit pull requests.
+>   But this will *inevitably* lead to you not being able to synchronize your fork with upstream and having to start over.
+
+Change into the newly created directory and after activating a virtual environment, install an editable version of this project along with its tests requirements:
 
 ```console
-$ git clone https://github.com/<your-username>/argon2-cffi.git
+$ pip install -e . --group dev  # or `uv pip install -e . --group dev`
 ```
 
-Change into the newly created directory and **after activating your virtual environment** install an editable version of *argon2-cffi* along with its tests and docs requirements:
+Now you can run the test suite:
 
 ```console
-$ cd argon2-cffi
-$ python -m pip install --upgrade pip wheel  # PLEASE don't skip this step
-$ python -m pip install -e '.[dev]'
+$ python -Im pytest
 ```
 
-At this point,
-
-```console
-$ python -m pytest
-```
-
-should work and pass.
-
-For documentation, you can use:
+When working on the documentation, use:
 
 ```console
 $ tox run -e docs-watch
@@ -106,20 +100,27 @@ But it's way more comfortable to run it locally and *git* catching avoidable err
 ## Code
 
 - Obey [PEP 8](https://www.python.org/dev/peps/pep-0008/) and [PEP 257](https://www.python.org/dev/peps/pep-0257/).
-  We use the `"""`-on-separate-lines style for docstrings:
+  We use the `"""`-on-separate-lines style for docstrings and [Napoleon](https://www.sphinx-doc.org/en/master/usage/extensions/napoleon.html) for parsing them:
 
   ```python
-  def func(x):
+  def func(x: str, y: bool) -> int:
       """
       Do something.
 
-      :param str x: A very important parameter.
+      Args:
+          x: A very important parameter.
 
-      :rtype: str
+          y:
+              Another important parameter whose description is too long for one
+              line, therefore it starts on the next line.
+
+      Returns:
+          Something!
       """
   ```
 - If you add or change public APIs, tag the docstring using `..  versionadded:: 16.0.0 WHAT` or `..  versionchanged:: 16.2.0 WHAT`.
-- We use [*isort*](https://github.com/PyCQA/isort) to sort our imports, and we use [*Black*](https://github.com/psf/black) with line length of 79 characters to format our code.
+
+- We use [Ruff](https://ruff.rs/) to sort our imports and format our code with a line length of 79 characters.
   As long as you run our full [*tox*] suite before committing, or install our [*pre-commit*] hooks (ideally you'll do both – see [*Local Development Environment*](#local-development-environment) above), you won't have to spend any time on formatting your code at all.
   If you don't, [CI] will catch it for you – but that seems like a waste of your time!
 

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,33 @@
+# Summary
+
+<!-- Please tell us what your pull request is about here. -->
+
+
+# Pull Request Check List
+
+<!--
+This is just a friendly reminder about the most common mistakes.
+Please make sure that you tick all boxes.
+But please read our [contribution guide](https://github.com/hynek/argon2-cffi/blob/main/.github/CONTRIBUTING.md) at least once; it will save you unnecessary review cycles!
+
+If an item doesn't apply to your pull request, **check it anyway** to make it apparent that there's nothing left to do.
+-->
+
+- [ ] Do **not** open pull requests from your `main` branch – **use a separate branch**!
+  - There's a ton of footguns waiting if you don't heed this warning. You can still go back to your project, create a branch from your main branch, push it, and open the pull request from the new branch.
+  - This is not a pre-requisite for your pull request to be accepted, but **you have been warned**.
+- [ ] Added **tests** for changed code.
+    - The CI fails with less than 100% coverage.
+- [ ] **New APIs** are added to our typing tests in [`api.py`](https://github.com/hynek/argon2-cffi/blob/main/tests/typing/api.py).
+- [ ] Updated **documentation** for changed code.
+    - [ ] New functions/classes have to be added to `docs/api.rst` by hand.
+    - [ ] Changed/added classes/methods/functions have appropriate `versionadded`, `versionchanged`, or `deprecated` [directives](http://www.sphinx-doc.org/en/stable/markup/para.html#directive-versionadded).
+      - The next version is the second number in the current release + 1. The first number represents the current year. So if the current version on PyPI is 23.1.0, the next version is gonna be 23.2.0. If the next version is the first in the new year, it'll be 24.1.0.
+- [ ] Documentation in `.rst` and `.md` files is written using [**semantic newlines**](https://rhodesmill.org/brandon/2012/one-sentence-per-line/).
+- [ ] Changes (and possible deprecations) are documented in the [**changelog**](https://github.com/hynek/argon2-cffi/blob/main/CHANGELOG.md).
+- [ ] Consider granting [push permissions to the PR branch](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/allowing-changes-to-a-pull-request-branch-created-from-a-fork), so maintainers can fix minor issues themselves without pestering you.
+
+<!--
+If you have *any* questions to *any* of the points above, just **submit and ask**!
+This checklist is here to *help* you, not to deter you from contributing!
+-->

.github/SECURITY.md

@@ -2,12 +2,15 @@
 
 ## Supported Versions
 
-We follow [CalVer](https://calver.org) with generous backwards-compatibility guarantees.
+We follow [Calendar Versioning](https://calver.org) with generous backwards-compatibility guarantees.
 Therefore, we only support the latest version.
 
 That said, you shouldn't be afraid to upgrade if you're only using our documented public APIs and pay attention to `DeprecationWarning`s.
 Whenever there is a need to break compatibility, it is announced in the changelog and raises a `DeprecationWarning` for a year (if possible) before it's finally really broken.
 
+> [!WARNING]
+> What explicitly *may* change over time are the default [hashing parameters](https://argon2-cffi.readthedocs.io/en/stable/parameters.html) and the behavior of the [CLI interface](https://argon2-cffi.readthedocs.io/en/stable/cli.html).
+
 
 ## Security contact information
 

.github/dependabot.yml

@@ -1,6 +1,14 @@
+---
 version: 2
 updates:
-  - package-ecosystem: "github-actions"
-    directory: "/"
+  - package-ecosystem: github-actions
+    directory: /
     schedule:
-      interval: "monthly"
+      interval: monthly
+    cooldown:
+      # https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns
+      default-days: 7
+    groups:
+      github-actions:
+        patterns:
+          - "*"

.github/workflows/ci.yml

@@ -4,14 +4,14 @@ name: CI
 on:
   push:
     branches: [main]
+    tags: ["*"]
   pull_request:
-    branches: [main]
   workflow_dispatch:
 
 env:
   FORCE_COLOR: "1" # Make tools pretty.
-  PIP_DISABLE_PIP_VERSION_CHECK: 1
-  PIP_NO_PYTHON_VERSION_WARNING: 1
+  PIP_DISABLE_PIP_VERSION_CHECK: "1"
+  PIP_NO_PYTHON_VERSION_WARNING: "1"
 
 permissions: {}
 
@@ -22,202 +22,209 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
+
+      - uses: hynek/build-and-inspect-python-package@fe0a0fb1925ca263d076ca4f2c13e93a6e92a33e # v2.17.0
+        id: baipp
+
+    outputs:
+      # Used to define the matrix for tests below. The value is based on
+      # packaging metadata (trove classifiers).
+      python-versions: ${{ steps.baipp.outputs.supported_python_classifiers_json_array }}
 
-      - uses: hynek/build-and-inspect-python-package@v1
 
   tests:
-    name: Tests & Mypy on ${{ matrix.python-version }}
+    name: Tests & Mypy API on ${{ matrix.python-version }}
     runs-on: ubuntu-latest
     needs: build-package
+
     strategy:
+      fail-fast: false
       matrix:
-        python-version:
-          - "3.7"
-          - "3.8"
-          - "3.9"
-          - "3.10"
-          - "3.11"
-          - "3.12"
-          - "pypy-3.7"
-          - "pypy-3.8"
-          - "pypy-3.9"
-          - "pypy-3.10"
+        # Created by the build-and-inspect-python-package action above.
+        python-version: ${{ fromJson(needs.build-package.outputs.python-versions) }}
+
+    env:
+      PYTHON: ${{ matrix.python-version }}
 
     steps:
       - name: Download pre-built packages
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: Packages
           path: dist
-      - run: tar xf dist/*.tar.gz --strip-components=1
-      - uses: actions/setup-python@v4
+      - run: |
+          tar xf dist/*.tar.gz --strip-components=1
+          rm -rf src
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
-          cache: pip
           python-version: ${{ matrix.python-version }}
           allow-prereleases: true
+      - uses: hynek/setup-cached-uv@4300ec2180bc77d705e626a34e381b81a4772c51 # v2.5.0
 
-      - name: Prepare tox & run tests
-        run: |
-          V=${{ matrix.python-version }}
-          if [[ "$V" = pypy-* ]]; then
-            V=pypy3
-          else
-            V=py$(echo $V | tr -d .)
-          fi
-
-          echo TOX_PYTHON=$V >>$GITHUB_ENV
-
-          python -Im pip install tox
-
-      - run: |
-          python -Im tox run \
-            --installpkg dist/*.whl \
-            -f ${{ env.TOX_PYTHON }}-tests
-      - run: |
-          python -Im tox run \
-            --installpkg dist/*.whl \
-            -f ${{ env.TOX_PYTHON }}-mypy
-        if: ${{ !startsWith(matrix.python-version, 'pypy-') }}
+      - name: Run tests
+        run: >
+          uvx --with tox-uv tox run
+          --installpkg dist/*.whl
+          -f py${PYTHON//./}-tests
 
       - name: Upload coverage data
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
-          name: coverage-data
+          name: coverage-data-${{ matrix.python-version }}
           path: .coverage.*
+          include-hidden-files: true
           if-no-files-found: ignore
 
-  coverage:
-    name: Combine & check coverage.
+      - name: Check public API with Mypy
+        run: >
+          uvx --with tox-uv tox run
+          --installpkg dist/*.whl
+          -e py${PYTHON//./}-mypy
+
+  free-threading:
+    name: Test free-threaded builds on ${{ matrix.python-version }}
     runs-on: ubuntu-latest
-    needs: tests
+    needs: build-package
+
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version:
+          - 3.14t
+    env:
+      PYTHON: ${{ matrix.python-version }}
 
     steps:
       - name: Download pre-built packages
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: Packages
           path: dist
-      - run: tar xf dist/*.tar.gz --strip-components=1
-      - uses: actions/setup-python@v4
+      - run: |
+          tar xf dist/*.tar.gz --strip-components=1
+          rm -rf src
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
-          cache: pip
-          python-version-file: .python-version-default
-      - uses: actions/download-artifact@v3
-        with:
-          name: coverage-data
+          python-version: ${{ matrix.python-version }}
+          allow-prereleases: true
+      - uses: hynek/setup-cached-uv@4300ec2180bc77d705e626a34e381b81a4772c51 # v2.5.0
 
-      - name: Combine coverage & fail if it's <100%.
+      - name: Run tests
         run: |
-          python -Im pip install coverage[toml]
+          uv venv --python $PYTHON
+          # cffi 2 is required and currently beta.
+          uv pip install --prerelease=allow dist/*.whl --group dev
 
-          python -Im coverage combine
-          python -Im coverage html --skip-covered --skip-empty
+          .venv/bin/python -Im pytest tests
+
+
+  coverage:
+    name: Ensure 100% test coverage
+    runs-on: ubuntu-latest
+    needs: tests
+    if: always()
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version-file: .python-version-default
+      - uses: hynek/setup-cached-uv@4300ec2180bc77d705e626a34e381b81a4772c51 # v2.5.0
+
+      - name: Download coverage data
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          pattern: coverage-data-*
+          merge-multiple: true
+
+      - name: Combine coverage and fail if it's <100%.
+        run: |
+          uv tool install coverage
+
+          coverage combine
+          coverage html --skip-covered --skip-empty
 
           # Report and write to summary.
-          python -Im coverage report --format=markdown >> $GITHUB_STEP_SUMMARY
+          coverage report --format=markdown >> $GITHUB_STEP_SUMMARY
 
           # Report again and fail if under 100%.
-          python -Im coverage report --fail-under=100
+          coverage report --fail-under=100
 
       - name: Upload HTML report if check failed.
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: html-report
           path: htmlcov
         if: ${{ failure() }}
 
+
   system-package:
-    name: Install & test with system package of Argon2.
+    name: Install & test with system package of Argon2
     runs-on: ubuntu-latest
     needs: build-package
 
     steps:
       - name: Download pre-built packages
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: Packages
           path: dist
       - run: tar xf dist/*.tar.gz --strip-components=1
-      - uses: actions/setup-python@v4
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
-          cache: pip
           python-version-file: .python-version-default
 
       - name: Install dependencies
         run: |
-          sudo apt-get install libargon2-0 libargon2-0-dev
+          sudo apt-get install libargon2-1 libargon2-dev
           python -VV
           python -Im site
-          python -Im pip install --upgrade wheel tox
+          python -Im pip install --upgrade tox
 
       - run: python -Im tox run -e system-argon2
 
-  mypy-pkg:
-    name: Type-check code base
-    runs-on: ubuntu-latest
-    needs: build-package
-    steps:
-      - name: Download pre-built packages
-        uses: actions/download-artifact@v3
-        with:
-          name: Packages
-          path: dist
-      - run: tar xf dist/*.tar.gz --strip-components=1
-      - uses: actions/setup-python@v4
-        with:
-          cache: pip
-          python-version-file: .python-version-default
-      - run: python -Im pip install tox
-
-      - run: python -Im tox run -e mypy-pkg
-
-  pyright:
-    name: Check code base & API w/ Pyright
+  typing:
+    name: Check types using supported type checkers
     runs-on: ubuntu-latest
     needs: build-package
 
     steps:
       - name: Download pre-built packages
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: Packages
           path: dist
       - run: tar xf dist/*.tar.gz --strip-components=1
-      - uses: actions/setup-python@v4
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
-          cache: pip
           python-version-file: .python-version-default
+      - uses: hynek/setup-cached-uv@4300ec2180bc77d705e626a34e381b81a4772c51 # v2.5.0
 
-      - run: |
-          python -Im venv .venv
-          .venv/bin/python -Im pip install .[typing]
-          echo "$PWD/.venv/bin" >> $GITHUB_PATH
-      - uses: jakebailey/pyright-action@v1
+      - run: uvx --with tox-uv tox run -f typing
 
   docs:
-    name: Build docs & run doctests
-    runs-on: ubuntu-latest
+    name: Run doctests
     needs: build-package
+    runs-on: ubuntu-latest
     steps:
       - name: Download pre-built packages
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: Packages
           path: dist
       - run: tar xf dist/*.tar.gz --strip-components=1
-      - uses: actions/setup-python@v4
-        with:
-          cache: pip
-          # Keep in-sync with .readthedocs.yaml and tox.ini/docs.
-          python-version: "3.11"
+      - uses: hynek/setup-cached-uv@4300ec2180bc77d705e626a34e381b81a4772c51 # v2.5.0
+
+      - run: >
+          uvx --with tox-uv
+          tox run -e docs-doctests
 
-      - name: Prepare & run tox
-        run: |
-          python -Im pip install tox
-          python -Im tox run -e docs
 
   install-dev:
     name: Verify dev env
@@ -227,33 +234,32 @@ jobs:
         os: [ubuntu-latest, windows-latest, macos-latest]
 
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-python@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
-          cache: pip
           python-version-file: .python-version-default
 
       - name: Install in dev mode and run CLI
         run: |
-         python -Im pip install -e .[dev]
+         python -Im pip install -e . --group dev
          python -Im argon2 -n 1 -t 1 -m 8 -p 1
 
-  # Ensure everything required is passing for branch protection.
+
   required-checks-pass:
     if: always()
-
+    name: Ensure everything required is passing for branch protection
+    runs-on: ubuntu-latest
     needs:
       - coverage
-      - mypy-pkg
-      - pyright
+      - typing
       - docs
       - install-dev
       - system-package
 
-    runs-on: ubuntu-latest
-
     steps:
       - name: Decide whether the needed jobs succeeded or failed
-        uses: re-actors/alls-green@release/v1
+        uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe  # v1.2.2
         with:
           jobs: ${{ toJSON(needs) }}

.github/workflows/codeql-analysis.yml

@@ -3,7 +3,7 @@ name: CodeQL
 
 on:
   schedule:
-    - cron: "24 5 * * 4"
+    - cron: "30 22 * * 4"
 
 permissions:
   contents: read
@@ -24,15 +24,17 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
         with:
           languages: ${{ matrix.language }}
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v2
+        uses: github/codeql-action/autobuild@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2

.github/workflows/pypi-package.yml

@@ -1,63 +1,77 @@
 ---
-name: Build & maybe upload PyPI package
+name: Build & upload PyPI package
 
 on:
   push:
+    branches: [main]
     tags: ["*"]
   release:
     types:
       - published
   workflow_dispatch:
 
-permissions:
-  contents: read
-  id-token: write
 
 jobs:
+  # Always build & lint package.
   build-package:
     name: Build & verify package
     runs-on: ubuntu-latest
+    permissions:
+      attestations: write
+      id-token: write
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
 
-      - uses: hynek/build-and-inspect-python-package@v1
+      - uses: hynek/build-and-inspect-python-package@fe0a0fb1925ca263d076ca4f2c13e93a6e92a33e # v2.17.0
+        with:
+          attest-build-provenance-github: 'true'
 
+
+  # Upload to Test PyPI on every commit on main.
   release-test-pypi:
     name: Publish in-dev package to test.pypi.org
     environment: release-test-pypi
-    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    if: github.repository_owner == 'hynek' && github.event_name == 'push' && github.ref == 'refs/heads/main'
     runs-on: ubuntu-latest
     needs: build-package
 
+    permissions:
+      id-token: write
+
     steps:
       - name: Download packages built by build-and-inspect-python-package
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: Packages
           path: dist
 
       - name: Upload package to Test PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
         with:
           repository-url: https://test.pypi.org/legacy/
 
+
   # Upload to real PyPI on GitHub Releases.
   release-pypi:
     name: Publish released package to pypi.org
     environment: release-pypi
-    if: github.event.action == 'published'
+    if: github.repository_owner == 'hynek' && github.event.action == 'published'
     runs-on: ubuntu-latest
     needs: build-package
 
+    permissions:
+      id-token: write
+
     steps:
       - name: Download packages built by build-and-inspect-python-package
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: Packages
           path: dist
 
       - name: Upload package to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0

.github/workflows/zizmor.yml

@@ -0,0 +1,39 @@
+# https://github.com/woodruffw/zizmor
+name: Zizmor
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["*"]
+
+permissions:
+  contents: read
+
+
+jobs:
+  zizmor:
+    name: Zizmor latest via PyPI
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: hynek/setup-cached-uv@4300ec2180bc77d705e626a34e381b81a4772c51 # v2.5.0
+
+      - name: Run zizmor 🌈
+        run: uvx zizmor --format sarif . > results.sarif
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+        with:
+          # Path to SARIF file relative to the root of the repository
+          sarif_file: results.sarif
+          # Optional category for the results
+          # Used to differentiate multiple results for one commit
+          category: zizmor

.pre-commit-config.yaml

@@ -3,30 +3,26 @@ ci:
   autoupdate_schedule: monthly
 
 repos:
-  - repo: https://github.com/psf/black
-    rev: 23.7.0
-    hooks:
-      - id: black
-
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.0.284
+    rev: v0.15.12
     hooks:
-      - id: ruff
+      - id: ruff-check
         args: [--fix, --exit-non-zero-on-fix]
+      - id: ruff-format
 
   - repo: https://github.com/econchick/interrogate
-    rev: 1.5.0
+    rev: 1.7.0
     hooks:
       - id: interrogate
         args: [tests]
 
   - repo: https://github.com/codespell-project/codespell
-    rev: v2.2.5
+    rev: v2.4.2
     hooks:
       - id: codespell
 
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.4.0
+    rev: v6.0.0
     hooks:
       - id: trailing-whitespace
       - id: end-of-file-fixer

.python-version-default

@@ -1 +1 @@
-3.11
+3.13

.readthedocs.yaml

@@ -1,19 +1,20 @@
 ---
 version: 2
-formats: all
 
 build:
-  os: ubuntu-22.04
+  os: ubuntu-lts-latest
   tools:
-    # Keep version in-sync with tox.ini/docs and ci.yml/docs.
-    python: "3.11"
+    # Keep version in sync with tox.ini/docs.
+    python: "3.13"
+  jobs:
+    create_environment:
+      # Need the tags to calculate the version (sometimes).
+      - git fetch --tags
 
-python:
-  install:
-    - method: pip
-      path: .
-      extra_requirements:
-        - docs
+      - asdf plugin add uv
+      - asdf install uv latest
+      - asdf global uv latest
 
-submodules:
-  include: all
+    build:
+      html:
+        - uvx --with tox-uv tox run -e docs-build -- $READTHEDOCS_OUTPUT

CHANGELOG.md

@@ -2,27 +2,43 @@
 
 All notable changes to this project will be documented in this file.
 
-The format is based on [*Keep a Changelog*](https://keepachangelog.com/en/1.0.0/) and this project adheres to [*Calendar Versioning*](https://calver.org/).
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) and this project adheres to [Calendar Versioning](https://calver.org/).
 
 The **first number** of the version is the year.
 The **second number** is incremented with each release, starting at 1 for each year.
 The **third number** is when we need to start branches for older releases (only for emergencies).
 
----
-
-*argon2-cffi* has a very strong backwards-compatibility policy.
-Generally speaking, you shouldn't ever be afraid of updating.
-
-Whenever breaking changes are needed, they are:
-
-1.  …announced here in the changelog.
-2.  …the old behavior raises a `DeprecationWarning` for a year (if possible).
-3.  …are done with another announcement in the changelog.
-
-What explicitly *may* change over time are the default hashing parameters and the behavior of the [CLI interface](https://argon2-cffi.readthedocs.io/en/stable/cli.html).
+You can find our backwards-compatibility policy [here](https://github.com/hynek/argon2-cffi/blob/main/.github/SECURITY.md).
 
 <!-- changelog follows -->
 
+
+## [Unreleased](https://github.com/hynek/argon2-cffi/compare/25.1.0...HEAD)
+
+
+## [25.1.0](https://github.com/hynek/argon2-cffi/compare/23.1.0...25.1.0) - 2025-06-03
+
+### Added
+
+- Official support for Python 3.13 and 3.14.
+  No code changes were necessary.
+
+
+### Removed
+
+- Python 3.7 and 3.8 are not supported anymore.
+  [#186](https://github.com/hynek/argon2-cffi/pull/186)
+
+
+### Changed
+
+- `argon2.PasswordHasher.check_needs_rehash()` now also accepts bytes like the rest of the API.
+  [#174](https://github.com/hynek/argon2-cffi/pull/174)
+
+- Improved parameter compatibility handling for Pyodide / WebAssembly environments.
+  [#190](https://github.com/hynek/argon2-cffi/pull/190)
+
+
 ## [23.1.0](https://github.com/hynek/argon2-cffi/compare/21.3.0...23.1.0) - 2023-08-15
 
 ### Removed
@@ -55,7 +71,7 @@ What explicitly *may* change over time are the default hashing parameters and th
 
 ### Fixed
 
-- While the last release added type hints, the fact that it's been missing a `py.typed` file made *Mypy* ignore them.
+- While the last release added type hints, the fact that it's been missing a `py.typed` file made Mypy ignore them.
   [#113](https://github.com/hynek/argon2-cffi/pull/113)
 
 
@@ -65,10 +81,10 @@ What explicitly *may* change over time are the default hashing parameters and th
 
 - Python 3.5 is not supported anymore.
 
-- The *CFFI* bindings have been extracted into a separate project: [*argon2-cffi-bindings*]
+- The CFFI bindings have been extracted into a separate project: [*argon2-cffi-bindings*]
   This makes *argon2-cffi* a Python-only project und should make it easier to contribute to and have more frequent releases with high-level features.
 
-  This change is breaking for users who want to use a system-wide installation of *Argon2* instead of our vendored code, because the argument to the ``--no-binary`` argument changed.
+  This change is breaking for users who want to use a system-wide installation of Argon2 instead of our vendored code, because the argument to the ``--no-binary`` argument changed.
   Please refer to the [installation guide](https://argon2-cffi.readthedocs.io/en/stable/installation.html).
 
 
@@ -78,7 +94,7 @@ What explicitly *may* change over time are the default hashing parameters and th
   Including:
     - Apple Silicon via `universal2`
     - Linux on `amd64` and `arm64`
-    - [*musl libc*](https://musl.libc.org) ([*Alpine* Linux!](https://www.alpinelinux.org)) on `i686`, `amd64`, and `arm64`
+    - [*musl libc*](https://musl.libc.org) ([Alpine Linux!](https://www.alpinelinux.org)) on `i686`, `amd64`, and `arm64`
     - PyPy 3.8
 
   We hope to provide wheels for Windows on `arm64` soon, but are waiting for GitHub Actions to support that.
@@ -102,7 +118,7 @@ What explicitly *may* change over time are the default hashing parameters and th
 
 ## [21.1.0](https://github.com/hynek/argon2-cffi/compare/20.1.0...21.1.0) - 2021-08-29
 
-Vendoring *Argon2* @ [62358ba](https://github.com/P-H-C/phc-winner-argon2/tree/62358ba2123abd17fccf2a108a301d4b52c01a7c) (20190702)
+Vendoring Argon2 @ [62358ba](https://github.com/P-H-C/phc-winner-argon2/tree/62358ba2123abd17fccf2a108a301d4b52c01a7c) (20190702)
 
 ### Removed
 
@@ -113,7 +129,7 @@ Vendoring *Argon2* @ [62358ba](https://github.com/P-H-C/phc-winner-argon2/tree/6
 ### Changed
 
 - There are indeed no changes whatsoever to the code of *argon2-cffi*.
-  The *Argon2* project also hasn't tagged a new release since July 2019.
+  The Argon2 project also hasn't tagged a new release since July 2019.
   There also don't seem to be any important pending fixes.
 
   This release is mainly about improving the way binary wheels are built (`abi3` on all platforms).
@@ -121,17 +137,17 @@ Vendoring *Argon2* @ [62358ba](https://github.com/P-H-C/phc-winner-argon2/tree/6
 
 ## [20.1.0](https://github.com/hynek/argon2-cffi/compare/19.2.0...20.1.0) - 2020-05-11
 
-Vendoring *Argon2* @ [62358ba](https://github.com/P-H-C/phc-winner-argon2/tree/62358ba2123abd17fccf2a108a301d4b52c01a7c) (20190702)
+Vendoring Argon2 @ [62358ba](https://github.com/P-H-C/phc-winner-argon2/tree/62358ba2123abd17fccf2a108a301d4b52c01a7c) (20190702)
 
 
 ### Added
 
-- It is now possible to manually override the detection of *SSE2* using the `ARGON2_CFFI_USE_SSE2` environment variable.
+- It is now possible to manually override the detection of SSE2 using the `ARGON2_CFFI_USE_SSE2` environment variable.
 
 
 ## [19.2.0](https://github.com/hynek/argon2-cffi/compare/18.3.0...19.1.0) - 2019-10-27
 
-Vendoring *Argon2* @ [62358ba](https://github.com/P-H-C/phc-winner-argon2/tree/62358ba2123abd17fccf2a108a301d4b52c01a7c) (20190702)
+Vendoring Argon2 @ [62358ba](https://github.com/P-H-C/phc-winner-argon2/tree/62358ba2123abd17fccf2a108a301d4b52c01a7c) (20190702)
 
 ### Removed
 
@@ -148,16 +164,16 @@ Vendoring *Argon2* @ [62358ba](https://github.com/P-H-C/phc-winner-argon2/tree/6
 
 ## [19.1.0](https://github.com/hynek/argon2-cffi/compare/18.3.0...19.1.0) - 2019-01-17
 
-Vendoring *Argon2* @ [670229c](https://github.com/P-H-C/phc-winner-argon2/tree/670229c849b9fe882583688b74eb7dfdc846f9f6) (20171227)
+Vendoring Argon2 @ [670229c](https://github.com/P-H-C/phc-winner-argon2/tree/670229c849b9fe882583688b74eb7dfdc846f9f6) (20171227)
 
 ### Added
 
-- Added support for *Argon2* v1.2 hashes in `argon2.extract_parameters()`.
+- Added support for Argon2 v1.2 hashes in `argon2.extract_parameters()`.
 
 
 ## [18.3.0](https://github.com/hynek/argon2-cffi/compare/18.2.0...18.3.0) - 2018-08-19
 
-Vendoring *Argon2* @ [670229c](https://github.com/P-H-C/phc-winner-argon2/tree/670229c849b9fe882583688b74eb7dfdc846f9f6) (20171227)
+Vendoring Argon2 @ [670229c](https://github.com/P-H-C/phc-winner-argon2/tree/670229c849b9fe882583688b74eb7dfdc846f9f6) (20171227)
 
 ### Added
 
@@ -166,13 +182,13 @@ Vendoring *Argon2* @ [670229c](https://github.com/P-H-C/phc-winner-argon2/tree/6
 
 ## [18.2.0](https://github.com/hynek/argon2-cffi/compare/18.1.0...18.2.0) - 2018-08-19
 
-Vendoring *Argon2* @ [670229c](https://github.com/P-H-C/phc-winner-argon2/tree/670229c849b9fe882583688b74eb7dfdc846f9f6) (20171227)
+Vendoring Argon2 @ [670229c](https://github.com/P-H-C/phc-winner-argon2/tree/670229c849b9fe882583688b74eb7dfdc846f9f6) (20171227)
 
 ### Changed
 
 - The hash type for `argon2.PasswordHasher` is Argon2**id** now.
 
-  This decision has been made based on the recommendations in the latest [*Argon2* RFC draft](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-argon2-04#section-4).
+  This decision has been made based on the recommendations in the latest [Argon2 RFC draft](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-argon2-04#section-4).
   [#33](https://github.com/hynek/argon2-cffi/issues/33)
   [#34](https://github.com/hynek/argon2-cffi/pull/34)
 
@@ -184,7 +200,7 @@ Vendoring *Argon2* @ [670229c](https://github.com/P-H-C/phc-winner-argon2/tree/6
 
 - To make the change of hash type backward compatible, `argon2.PasswordHasher.verify()` now determines the type of the hash and verifies it accordingly.
 
-- To allow for bespoke decisions about upgrading *Argon2* parameters, it's now possible to extract them from a hash via the `argon2.extract_parameters()` function.
+- To allow for bespoke decisions about upgrading Argon2 parameters, it's now possible to extract them from a hash via the `argon2.extract_parameters()` function.
   [#41](https://github.com/hynek/argon2-cffi/pull/41)
 
 - Additionally `argon2.PasswordHasher` now has a `check_needs_rehash()` method that allows to verify whether a hash has been created with the instance's parameters or whether it should be rehashed.
@@ -193,16 +209,16 @@ Vendoring *Argon2* @ [670229c](https://github.com/P-H-C/phc-winner-argon2/tree/6
 
 ## [18.1.0](https://github.com/hynek/argon2-cffi/compare/16.3.0...18.1.0) - 2018-01-06
 
-Vendoring *Argon2* @ [670229c](https://github.com/P-H-C/phc-winner-argon2/tree/670229c849b9fe882583688b74eb7dfdc846f9f6) (20171227)
+Vendoring Argon2 @ [670229c](https://github.com/P-H-C/phc-winner-argon2/tree/670229c849b9fe882583688b74eb7dfdc846f9f6) (20171227)
 
 ### Added
 
-- It is now possible to use the *argon2-cffi* bindings against an *Argon2* library that is provided by the system.
+- It is now possible to use the *argon2-cffi* bindings against an Argon2 library that is provided by the system.
 
 
 ## [16.3.0](https://github.com/hynek/argon2-cffi/compare/16.2.0...16.3.0) - 2016-11-10
 
-Vendoring *Argon2* @ [1c4fc41f81f358283755eea88d4ecd05e43b7fd3](https://github.com/P-H-C/phc-winner-argon2/tree/1c4fc41f81f358283755eea88d4ecd05e43b7fd3) (20161029)
+Vendoring Argon2 @ [1c4fc41f81f358283755eea88d4ecd05e43b7fd3](https://github.com/P-H-C/phc-winner-argon2/tree/1c4fc41f81f358283755eea88d4ecd05e43b7fd3) (20161029)
 
 ### Added
 
@@ -219,17 +235,17 @@ Vendoring *Argon2* @ [1c4fc41f81f358283755eea88d4ecd05e43b7fd3](https://github.c
 
 ## [16.2.0](https://github.com/hynek/argon2-cffi/compare/16.1.0...16.2.0) - 2016-09-10
 
-Vendoring *Argon2* @ [4844d2fee15d44cb19296ddf36029326d17c5aa3](https://github.com/P-H-C/phc-winner-argon2/tree/4844d2fee15d44cb19296ddf36029326d17c5aa3)
+Vendoring Argon2 @ [4844d2fee15d44cb19296ddf36029326d17c5aa3](https://github.com/P-H-C/phc-winner-argon2/tree/4844d2fee15d44cb19296ddf36029326d17c5aa3)
 
 ### Fixed
 
-- Fixed compilation on debian jessie.
+- Fixed compilation on Debian 8 (Jessie).
   [#13](https://github.com/hynek/argon2-cffi/pull/13)
 
 
 ## [16.1.0](https://github.com/hynek/argon2-cffi/compare/16.0.0...16.1.0) - 2016-04-19
 
-Vendoring *Argon2* @ [00aaa6604501fade85853a4b2f5695611ff6e7c5](https://github.com/P-H-C/phc-winner-argon2/tree/00aaa6604501fade85853a4b2f5695611ff6e7c5).
+Vendoring Argon2 @ [00aaa6604501fade85853a4b2f5695611ff6e7c5](https://github.com/P-H-C/phc-winner-argon2/tree/00aaa6604501fade85853a4b2f5695611ff6e7c5).
 
 ### Added
 
@@ -238,7 +254,7 @@ Vendoring *Argon2* @ [00aaa6604501fade85853a4b2f5695611ff6e7c5](https://github.c
 
 ### Changed
 
-- Add support for [*Argon2* 1.3](https://mailarchive.ietf.org/arch/msg/cfrg/beOzPh41Hz3cjl5QD7MSRNTi3lA/).
+- Add support for [Argon2 1.3](https://mailarchive.ietf.org/arch/msg/cfrg/beOzPh41Hz3cjl5QD7MSRNTi3lA/).
   Old hashes remain functional but opportunistic rehashing is strongly recommended.
 
 ### Removed
@@ -254,7 +270,7 @@ Vendoring *Argon2* @ [00aaa6604501fade85853a4b2f5695611ff6e7c5](https://github.c
 
 ## [16.0.0](https://github.com/hynek/argon2-cffi/compare/15.0.1...16.0.0) - 2016-01-02
 
-Vendoring *Argon2* @ [421dafd2a8af5cbb215e16da5953663eb101d139](https://github.com/P-H-C/phc-winner-argon2/tree/421dafd2a8af5cbb215e16da5953663eb101d139).
+Vendoring Argon2 @ [421dafd2a8af5cbb215e16da5953663eb101d139](https://github.com/P-H-C/phc-winner-argon2/tree/421dafd2a8af5cbb215e16da5953663eb101d139).
 
 ### Deprecated
 
@@ -273,7 +289,7 @@ Vendoring *Argon2* @ [421dafd2a8af5cbb215e16da5953663eb101d139](https://github.c
 
 ## [15.0.1](https://github.com/hynek/argon2-cffi/compare/15.0.0...15.0.1) - 2015-12-18
 
-Vendoring *Argon2* @ [4fe0d8cda37691228dd5a96a310be57369403a4b](https://github.com/P-H-C/phc-winner-argon2/tree/4fe0d8cda37691228dd5a96a310be57369403a4b).
+Vendoring Argon2 @ [4fe0d8cda37691228dd5a96a310be57369403a4b](https://github.com/P-H-C/phc-winner-argon2/tree/4fe0d8cda37691228dd5a96a310be57369403a4b).
 
 ### Fixed
 
@@ -282,11 +298,11 @@ Vendoring *Argon2* @ [4fe0d8cda37691228dd5a96a310be57369403a4b](https://github.c
 
 ## [15.0.0](https://github.com/hynek/argon2-cffi/compare/15.0.0b5...15.0.0) - 2015-12-18
 
-Vendoring *Argon2* @ [4fe0d8cda37691228dd5a96a310be57369403a4b](https://github.com/P-H-C/phc-winner-argon2/tree/4fe0d8cda37691228dd5a96a310be57369403a4b).
+Vendoring Argon2 @ [4fe0d8cda37691228dd5a96a310be57369403a4b](https://github.com/P-H-C/phc-winner-argon2/tree/4fe0d8cda37691228dd5a96a310be57369403a4b).
 
 ### Added
 
-- Conditionally use the [*SSE2*](https://en.wikipedia.org/wiki/SSE2)-optimized version of `argon2` on x86 architectures.
+- Conditionally use the [SSE2](https://en.wikipedia.org/wiki/SSE2)-optimized version of `argon2` on x86 architectures.
 
 ### Changed
 
@@ -305,13 +321,13 @@ Vendoring *Argon2* @ [4fe0d8cda37691228dd5a96a310be57369403a4b](https://github.c
 
 ## [15.0.0b5](https://github.com/hynek/argon2-cffi/tree/15.0.0b5) - 2015-12-10
 
-Vendoring *Argon2* @ [4fe0d8cda37691228dd5a96a310be57369403a4b](https://github.com/P-H-C/phc-winner-argon2/tree/4fe0d8cda37691228dd5a96a310be57369403a4b).
+Vendoring Argon2 @ [4fe0d8cda37691228dd5a96a310be57369403a4b](https://github.com/P-H-C/phc-winner-argon2/tree/4fe0d8cda37691228dd5a96a310be57369403a4b).
 
 ### Added
 
 - Initial work.
   Previous betas were only for fixing Windows packaging.
-  The authors of *Argon2* were kind enough to [help me](https://github.com/P-H-C/phc-winner-argon2/issues/44) to get it building under Visual Studio 2008 that we’re forced to use for Python 2.7 on Windows.
+  The authors of Argon2 were kind enough to [help me](https://github.com/P-H-C/phc-winner-argon2/issues/44) to get it building under Visual Studio 2008 that we’re forced to use for Python 2.7 on Windows.
 
 
 [*argon2-cffi-bindings*]: https://github.com/hynek/argon2-cffi-bindings

README.md

@@ -1,7 +1,6 @@
 # *argon2-cffi*: Argon2 for Python
 
 [![Documentation](https://img.shields.io/badge/Docs-Read%20The%20Docs-black)](https://argon2-cffi.readthedocs.io/)
-[![License: MIT](https://img.shields.io/badge/license-MIT-C06524)](https://github.com/hynek/argon2-cffi/blob/main/LICENSE)
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/6671/badge)](https://bestpractices.coreinfrastructure.org/projects/6671)
 [![PyPI version](https://img.shields.io/pypi/v/argon2-cffi)](https://pypi.org/project/argon2-cffi/)
 [![Downloads / Month](https://static.pepy.tech/personalized-badge/argon2-cffi?period=month&units=international_system&left_color=grey&right_color=blue&left_text=Downloads%20/%20Month)](https://pepy.tech/project/argon2-cffi)
@@ -49,8 +48,7 @@ The development is kindly supported by my employer [Variomedia AG](https://www.v
 
 ## *argon2-cffi* for Enterprise
 
-Available as part of the Tidelift Subscription.
+Available as part of the [Tidelift Subscription](https://tidelift.com/?utm_source=lifter&utm_medium=referral&utm_campaign=hynek).
 
 The maintainers of *argon2-cffi* and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open-source packages you use to build your applications.
 Save time, reduce risk, and improve code health, while paying the maintainers of the exact packages you use.
-[Learn more.](https://tidelift.com/?utm_source=lifter&utm_medium=referral&utm_campaign=hynek)

docs/_static/custom.css

@@ -0,0 +1,10 @@
+@import url('https://rsms.me/inter/inter.css');
+@import url('https://assets.hynek.me/css/bm.css');
+
+
+:root {
+  font-feature-settings: 'liga' 1, 'calt' 1; /* fix for Chrome */
+}
+@supports (font-variation-settings: normal) {
+  :root { font-family: InterVariable, sans-serif; }
+}

docs/api.rst

@@ -14,7 +14,8 @@ If you don't specify any parameters, the following constants are used:
 .. data:: DEFAULT_MEMORY_COST
 .. data:: DEFAULT_PARALLELISM
 
-They are taken from :data:`argon2.profiles.RFC_9106_LOW_MEMORY`.
+They are taken from :data:`argon2.profiles.RFC_9106_LOW_MEMORY`, but they may vary depending on the platform.
+You can use :func:`argon2.profiles.get_default_parameters` to get the current platform's defaults.
 
 
 Profiles
@@ -79,6 +80,8 @@ That should give you a feeling on how they perform in *your* environment.
    .. versionadded:: 21.2.0
 
 
+.. autofunction:: argon2.profiles.get_default_parameters
+
 .. _`RFC 9106`: https://www.rfc-editor.org/rfc/rfc9106.html
 
 
@@ -95,6 +98,9 @@ Exceptions
 
 .. autoexception:: argon2.exceptions.InvalidHash
 
+.. autoexception:: argon2.exceptions.UnsupportedParametersError
+
+
 
 Utilities
 ---------
@@ -161,42 +167,64 @@ The super low-level ``argon2_core()`` function is exposed too if you need access
 .. autofunction:: core
 
 In order to use :func:`core`, you need access to *argon2-cffi*'s FFI objects.
-Therefore it is OK to use ``argon2.low_level.ffi`` and ``argon2.low_level.lib`` when working with it:
+Therefore, it is OK to use ``argon2.low_level.ffi`` and ``argon2.low_level.lib`` when working with it.
+For example, if you wanted to check the :rfc:`9106` test vectors for Argon2id that include a secret and associated data that both get mixed into the hash and aren't exposed by the high-level APIs:
 
 .. doctest::
 
-  >>> from argon2.low_level import ARGON2_VERSION, Type, core, ffi, lib
-  >>> pwd = b"secret"
-  >>> salt = b"12345678"
-  >>> hash_len = 8
-  >>> # Make sure you keep FFI objects alive until *after* the core call!
-  >>> cout = ffi.new("uint8_t[]", hash_len)
-  >>> cpwd = ffi.new("uint8_t[]", pwd)
-  >>> csalt = ffi.new("uint8_t[]", salt)
-  >>> ctx = ffi.new(
-  ...     "argon2_context *", dict(
-  ...         version=ARGON2_VERSION,
-  ...         out=cout, outlen=hash_len,
-  ...         pwd=cpwd, pwdlen=len(pwd),
-  ...         salt=csalt, saltlen=len(salt),
-  ...         secret=ffi.NULL, secretlen=0,
-  ...         ad=ffi.NULL, adlen=0,
-  ...         t_cost=1,
-  ...         m_cost=8,
-  ...         lanes=1, threads=1,
-  ...         allocate_cbk=ffi.NULL, free_cbk=ffi.NULL,
-  ...         flags=lib.ARGON2_DEFAULT_FLAGS,
+  >>> from argon2.low_level import Type, core, ffi, lib
+
+  >>> def low_level_hash(
+  ...        password, salt, secret, associated,
+  ...        hash_len, version, t_cost, m_cost, lanes, threads):
+  ...     cout = ffi.new("uint8_t[]", hash_len)
+  ...     cpwd = ffi.new("uint8_t[]", password)
+  ...     cad = ffi.new("uint8_t[]", associated)
+  ...     csalt = ffi.new("uint8_t[]", salt)
+  ...     csecret = ffi.new("uint8_t[]", secret)
+  ...
+  ...     ctx = ffi.new(
+  ...         "argon2_context *",
+  ...         {
+  ...             "out": cout,
+  ...             "outlen": hash_len,
+  ...             "version": version,
+  ...             "pwd": cpwd,
+  ...             "pwdlen": len(cpwd) - 1,
+  ...             "salt": csalt,
+  ...             "saltlen": len(csalt) - 1,
+  ...             "secret": csecret,
+  ...             "secretlen": len(csecret) - 1,
+  ...             "ad": cad,
+  ...             "adlen": len(cad) - 1,
+  ...             "t_cost": t_cost,
+  ...             "m_cost": m_cost,
+  ...             "lanes": lanes,
+  ...             "threads": threads,
+  ...             "allocate_cbk": ffi.NULL,
+  ...             "free_cbk": ffi.NULL,
+  ...             "flags": lib.ARGON2_DEFAULT_FLAGS,
+  ...         },
+  ...     )
+  ...
+  ...     assert lib.ARGON2_OK == core(ctx, Type.ID.value)
+  ...
+  ...     return bytes(ffi.buffer(ctx.out, ctx.outlen)).hex()
+
+  >>> password = bytes.fromhex(
+  ...    "0101010101010101010101010101010101010101010101010101010101010101"
+  ... )
+  >>> associated = bytes.fromhex("040404040404040404040404")
+  >>> salt = bytes.fromhex("02020202020202020202020202020202")
+  >>> secret = bytes.fromhex("0303030303030303")
+
+  >>> assert (
+  ...     "0d640df58d78766c08c037a34a8b53c9d01ef0452d75b65eb52520e96b01e659"
+  ...     == low_level_hash(
+  ...            password, salt, secret, associated,
+  ...            32, 19, 3, 32, 4, 4,
   ...     )
   ... )
-  >>> ctx
-  <cdata 'struct Argon2_Context *' owning 120 bytes>
-  >>> core(ctx, Type.D.value)
-  0
-  >>> out = bytes(ffi.buffer(ctx.out, ctx.outlen))
-  >>> out
-  b'\xb4\xe2HjO\x14d\x9b'
-  >>> out == argon2.low_level.hash_secret_raw(pwd, salt, 1, 8, 1, 8, Type.D)
-  True
 
 All constants and types on ``argon2.low_level.lib`` are guaranteed to stay as long they are not altered by Argon2 itself.
 

docs/argon2.md

@@ -18,7 +18,7 @@ Argon2**d**'s strength is the resistance against [time–memory trade-offs], whi
 
 Accordingly, Argon2**i** was originally considered the correct choice for password hashing and password-based key derivation.
 In practice it turned out that a *combination* of d and i -- that combines their strengths -- is the better choice.
-And so Argon2**id** was born and is now considered the *main variant* (and the only variant required by the RFC to be implemented).
+And so Argon2**id** was born and is now considered the *main variant* -- and the only variant required by the RFC to be implemented.
 
 
 ## Why “just use bcrypt” Is Not the Best Answer (Anymore)
@@ -33,7 +33,7 @@ However according to the [Argon2 paper] [^outdated], page 2:
 > \[…\] the existence of a trivial time-memory tradeoff allows compact implementations with the same energy cost.
 
 Therefore a new algorithm was needed.
-This time future-proof and with committee-vetting instead of single implementors.
+This time future-proof and with committee-vetting instead of single implementers.
 
 [^outdated]: Please note that the paper is in some parts outdated.
     For instance it predates the genesis of Argon2**id**.

docs/conf.py

@@ -53,7 +53,7 @@ autodoc_typehints_description_target = "documented"
 # directories to ignore when looking for source files.
 exclude_patterns = ["_build"]
 
-nitpick_ignore = []
+# nitpick_ignore = []
 
 # The reST default role (used for this markup: `text`) to use for all
 # documents.
@@ -66,6 +66,16 @@ add_function_parentheses = True
 # -- Options for HTML output ----------------------------------------------
 
 html_theme = "furo"
+html_theme_options = {
+    "top_of_page_buttons": [],
+    "light_css_variables": {
+        "font-stack": "Inter,sans-serif",
+        "font-stack--monospace": "BerkeleyMono, MonoLisa, ui-monospace, "
+        "SFMono-Regular, Menlo, Consolas, Liberation Mono, monospace",
+    },
+}
+html_static_path = ["_static"]
+html_css_files = ["custom.css"]
 
 # Output file base name for HTML help builder.
 htmlhelp_basename = "argon2-cffidoc"

docs/installation.md

@@ -13,10 +13,10 @@ But since *argon2-cffi* depends on [argon2-cffi-bindings] that vendors Argon2's
 The C code is known to compile and work on all common platforms (including x86, ARM, and PPC).
 On x86, an [SSE2]-optimized version is used.
 
-If something goes wrong, please try to update your *cffi*, *pip* and *setuptools* packages first:
+If something goes wrong, please try to update your *pip* package first:
 
 ```console
-$ python -Im pip install -U cffi pip setuptools
+$ python -Im pip install -U pip
 ```
 
 Overall this should be the safest bet because *argon2-cffi* has been specifically tested against the vendored version.
@@ -25,7 +25,7 @@ Overall this should be the safest bet because *argon2-cffi* has been specificall
 ### Wheels
 
 Binary [wheels](https://pythonwheels.com) for macOS, Windows, and Linux are provided on [PyPI] by [argon2-cffi-bindings].
-With a recent-enough *pip* and *setuptools*, they should be used automatically.
+With a recent-enough *pip* they should be used automatically.
 
 
 ### Source Distribution
@@ -50,8 +50,12 @@ This approach can lead to problems around your build chain and you can run into
 
 **It is your own responsibility to deal with these risks if you choose this path.**
 
-Available since version 18.1.0.
-The `--no-binary` option value changed in 21.2.0 due to the outsourcing of the binary bindings.
+:::{versionadded} 18.1.0
+:::
+
+:::{versionchanged} 21.2.0
+The `--no-binary` option value changed due to the outsourcing of the binary bindings.
+:::
 
 
 ## Override Automatic SSE2 Detection
@@ -65,7 +69,8 @@ Therefore you can use the `ARGON2_CFFI_USE_SSE2` environment variable to control
 - If you set it to `0`, *argon2-cffi* will build **without** SSE2 support.
 - If you set it to anything else, it will be ignored and *argon2-cffi* will try to guess.
 
-Available since version 20.1.0.
+:::{versionadded} 20.1.0
+:::
 
 [argon2-cffi-bindings]: https://github.com/hynek/argon2-cffi-bindings
 [cffi environment]: https://cffi.readthedocs.io/en/latest/installation.html

docs/parameters.md

@@ -6,7 +6,7 @@ But it's good to double check using *argon2-cffi*'s {doc}`cli` client, whether i
 :::
 
 Finding the right parameters for a password hashing algorithm is a daunting task.
-As of September 2021, we have the official Internet standard [RFC 9106] to help use with it.
+As of September 2021, we have the official Internet standard [RFC 9106] to help us with it.
 
 It comes with two recommendations in [section 4](https://www.rfc-editor.org/rfc/rfc9106.html#section-4), that (as of *argon2-cffi* 21.2.0) you can load directly from the {mod}`argon2.profiles` module: {data}`argon2.profiles.RFC_9106_HIGH_MEMORY` (called "FIRST RECOMMENDED") and {data}`argon2.profiles.RFC_9106_LOW_MEMORY` ("SECOND RECOMMENDED") into {meth}`argon2.PasswordHasher.from_parameters()`.
 

pyproject.toml

@@ -14,34 +14,30 @@ name = "argon2-cffi"
 description = "Argon2 for Python"
 authors = [{ name = "Hynek Schlawack", email = "hs@ox.cx" }]
 dynamic = ["version", "readme"]
-requires-python = ">=3.7"
+requires-python = ">=3.9"
 license = "MIT"
+license-files = ["LICENSE"]
 keywords = ["password", "hash", "hashing", "security"]
 classifiers = [
     "Development Status :: 5 - Production/Stable",
-    "Intended Audience :: Developers",
-    "License :: OSI Approved :: MIT License",
     "Operating System :: MacOS :: MacOS X",
     "Operating System :: Microsoft :: Windows",
     "Operating System :: POSIX",
-    "Operating System :: Unix",
-    "Programming Language :: Python :: 3.7",
-    "Programming Language :: Python :: 3.8",
     "Programming Language :: Python :: 3.9",
     "Programming Language :: Python :: 3.10",
     "Programming Language :: Python :: 3.11",
     "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
+    "Programming Language :: Python :: 3.14",
+    "Programming Language :: Python :: Free Threading",
     "Programming Language :: Python :: Implementation :: CPython",
     "Programming Language :: Python :: Implementation :: PyPy",
     "Topic :: Security :: Cryptography",
-    "Topic :: Software Development :: Libraries :: Python Modules",
-]
-dependencies = [
-    "argon2-cffi-bindings",
-    "typing-extensions; python_version < '3.8'", # cf. _typing.py module
+    "Typing :: Typed",
 ]
+dependencies = ["argon2-cffi-bindings"]
 
-[project.optional-dependencies]
+[dependency-groups]
 tests = ["hypothesis", "pytest"]
 typing = ["mypy"]
 docs = [
@@ -51,7 +47,7 @@ docs = [
     "furo",
     "myst-parser",
 ]
-dev = ["argon2-cffi[tests,typing]", "tox>4"]
+dev = [{ include-group = "tests" }, { include-group = "typing" }, "tox>4"]
 
 [project.urls]
 Documentation = "https://argon2-cffi.readthedocs.io/"
@@ -93,7 +89,7 @@ pattern = "\n(###.+?\n)## "
 text = """
 ---
 
-[→ Full Changelog](https://github.com/hynek/argon2-cffi/blob/main/CHANGELOG.md)
+[Full Changelog →](https://github.com/hynek/argon2-cffi/blob/main/CHANGELOG.md)
 
 
 """
@@ -103,7 +99,6 @@ path = "README.md"
 start-at = "## Credits"
 
 
-
 [tool.pytest.ini_options]
 addopts = ["-ra", "--strict-markers", "--strict-config"]
 xfail_strict = true
@@ -122,23 +117,6 @@ source = ["src", ".tox/py*/**/site-packages"]
 [tool.coverage.report]
 show_missing = true
 skip_covered = true
-exclude_lines = [
-    # a more strict default pragma
-    "\\# pragma: no cover\\b",
-
-    # allow defensive code
-    "^\\s*raise AssertionError\\b",
-    "^\\s*raise NotImplementedError\\b",
-    "^\\s*return NotImplemented\\b",
-    "^\\s*raise$",
-
-    # typing-related code
-    "^if (False|TYPE_CHECKING):",
-    ": \\.\\.\\.(\\s*#.*)?$",
-    "^ +\\.\\.\\.$",
-    "-> ['\"]?NoReturn['\"]?:",
-]
-omit = []
 
 
 [tool.interrogate]
@@ -149,28 +127,28 @@ whitelist-regex = ["test_.*"]
 
 [tool.pyright]
 ignore = ["conftest.py", "docs", "tests"]
+disableBytesTypePromotions = true
 
 
 [tool.mypy]
 strict = true
+pretty = true
 
 show_error_codes = true
 enable_error_code = ["ignore-without-code"]
 
 ignore_missing_imports = true
 
-
 [[tool.mypy.overrides]]
 module = "tests.*"
 ignore_errors = true
 
 
-[tool.black]
-line-length = 79
-
-
 [tool.ruff]
 src = ["src", "tests", "noxfile.py"]
+line-length = 79
+
+[tool.ruff.lint]
 select = ["ALL"]
 ignore = [
     "A001",    # shadowing is fine
@@ -178,13 +156,15 @@ ignore = [
     "A003",    # shadowing is fine
     "ANN",     # Mypy is better at this
     "ARG001",  # unused arguments are normal when implementing interfaces
-    "COM",     # Black takes care of our commas
+    "COM",     # Formatter takes care of our commas
     "D",       # We prefer our own docstring style.
-    "E501",    # leave line-length enforcement to Black
+    "E501",    # leave line-length enforcement to formatter
     "ERA001",  # Dead code detection is overly eager.
     "FBT",     # we have one function that takes one bool; c'mon!
     "FIX",     # Yes, we want XXX as a marker.
     "INP001",  # sometimes we want Python files outside of packages
+    "ISC001",  # conflicts with ruff format
+    "PLC0415", # sometimes, imports must live elsewhere
     "PLR0913", # yes, many arguments, but most have defaults
     "PLR2004", # numbers are sometimes fine
     "PLW2901", # re-assigning within loop bodies is fine
@@ -194,7 +174,7 @@ ignore = [
     "TD",      # we don't follow other people's todo style
 ]
 
-[tool.ruff.per-file-ignores]
+[tool.ruff.lint.per-file-ignores]
 "src/argon2/__main__.py" = ["T201"] # need print in CLI
 "tests/*" = [
     "ARG",    # stubs don't care about arguments
@@ -206,7 +186,6 @@ ignore = [
     "EM101",  # no need for exception msg hygiene in tests
 ]
 
-
-[tool.ruff.isort]
+[tool.ruff.lint.isort]
 lines-between-types = 1
 lines-after-imports = 2

src/argon2/__init__.py

@@ -56,18 +56,14 @@ def __getattr__(name: str) -> str:
         msg = f"module {__name__} has no attribute {name}"
         raise AttributeError(msg)
 
-    import sys
     import warnings
 
-    if sys.version_info < (3, 8):
-        from importlib_metadata import metadata
-    else:
-        from importlib.metadata import metadata
+    from importlib.metadata import metadata
 
     warnings.warn(
         f"Accessing argon2.{name} is deprecated and will be "
         "removed in a future release. Use importlib.metadata directly "
-        "to query for structlog's packaging metadata.",
+        "to query for argon2-cffi's packaging metadata.",
         DeprecationWarning,
         stacklevel=2,
     )
@@ -81,12 +77,3 @@ def __getattr__(name: str) -> str:
         return meta["Author-email"].split("<", 1)[1].rstrip(">")
 
     return meta[dunder_to_metadata[name]]
-
-
-# Make nicer public names.
-__locals = locals()
-for __name in __all__:
-    if not __name.startswith(("__", "DEFAULT_")) and not __name.islower():
-        __locals[__name].__module__ = "argon2"
-del __locals
-del __name  # pyright: ignore[reportUnboundVariable]

src/argon2/__main__.py

@@ -17,7 +17,10 @@ from . import (
 
 
 def main(argv: list[str]) -> None:
-    parser = argparse.ArgumentParser(description="Benchmark Argon2.")
+    parser = argparse.ArgumentParser(
+        description="Benchmark Argon2.",
+        formatter_class=argparse.ArgumentDefaultsHelpFormatter,
+    )
     parser.add_argument(
         "-n", type=int, default=100, help="Number of iterations to measure."
     )
@@ -56,23 +59,21 @@ def main(argv: list[str]) -> None:
         )
     hash = ph.hash(password)
 
-    params = {
-        "time_cost": (ph.time_cost, "iterations"),
-        "memory_cost": (ph.memory_cost, "KiB"),
-        "parallelism": (ph.parallelism, "threads"),
-        "hash_len": (ph.hash_len, "bytes"),
-    }
+    print(f"Running Argon2id {args.n} times with:")
 
-    print("Running Argon2id %d times with:" % (args.n,))
-
-    for k, v in sorted(params.items()):
-        print("%s: %d %s" % (k, v[0], v[1]))
+    for name, value, units in [
+        ("hash_len", ph.hash_len, "bytes"),
+        ("memory_cost", ph.memory_cost, "KiB"),
+        ("parallelism", ph.parallelism, "threads"),
+        ("time_cost", ph.time_cost, "iterations"),
+    ]:
+        print(f"{name}: {value} {units}")
 
     print("\nMeasuring...")
     duration = timeit.timeit(
         f"ph.verify({hash!r}, {password!r})",
         setup=f"""\
-from argon2 import PasswordHasher, Type
+from argon2 import PasswordHasher
 
 ph = PasswordHasher(
     time_cost={args.t!r},

src/argon2/_legacy.py

@@ -9,6 +9,8 @@ from __future__ import annotations
 import os
 import warnings
 
+from typing import Literal
+
 from ._password_hasher import (
     DEFAULT_HASH_LENGTH,
     DEFAULT_MEMORY_COST,
@@ -16,7 +18,6 @@ from ._password_hasher import (
     DEFAULT_RANDOM_SALT_LENGTH,
     DEFAULT_TIME_COST,
 )
-from ._typing import Literal
 from .low_level import Type, hash_secret, hash_secret_raw, verify_secret
 
 

src/argon2/_password_hasher.py

@@ -4,20 +4,26 @@ from __future__ import annotations
 
 import os
 
-from typing import ClassVar
+from typing import ClassVar, Literal
 
-from ._typing import Literal
-from ._utils import Parameters, _check_types, extract_parameters
+from ._utils import (
+    Parameters,
+    _check_types,
+    extract_parameters,
+    validate_params_for_platform,
+)
 from .exceptions import InvalidHashError
 from .low_level import Type, hash_secret, verify_secret
-from .profiles import RFC_9106_LOW_MEMORY
+from .profiles import get_default_parameters
 
 
-DEFAULT_RANDOM_SALT_LENGTH = RFC_9106_LOW_MEMORY.salt_len
-DEFAULT_HASH_LENGTH = RFC_9106_LOW_MEMORY.hash_len
-DEFAULT_TIME_COST = RFC_9106_LOW_MEMORY.time_cost
-DEFAULT_MEMORY_COST = RFC_9106_LOW_MEMORY.memory_cost
-DEFAULT_PARALLELISM = RFC_9106_LOW_MEMORY.parallelism
+default_params = get_default_parameters()
+
+DEFAULT_RANDOM_SALT_LENGTH = default_params.salt_len
+DEFAULT_HASH_LENGTH = default_params.hash_len
+DEFAULT_TIME_COST = default_params.time_cost
+DEFAULT_MEMORY_COST = default_params.memory_cost
+DEFAULT_PARALLELISM = default_params.parallelism
 
 
 def _ensure_bytes(s: bytes | str, encoding: str) -> bytes:
@@ -33,27 +39,36 @@ class PasswordHasher:
     r"""
     High level class to hash passwords with sensible defaults.
 
-    Uses Argon2\ **id** by default and always uses a random salt_ for hashing.
-    But it can verify any type of Argon2 as long as the hash is correctly
-    encoded.
+    Uses Argon2\ **id** by default and uses a random salt_ for hashing. But it
+    can verify any type of Argon2 as long as the hash is correctly encoded.
 
     The reason for this being a class is both for convenience to carry
     parameters and to verify the parameters only *once*.  Any unnecessary
-    slowdown when hashing is a tangible advantage for a brute force attacker.
+    slowdown when hashing is a tangible advantage for a brute-force attacker.
 
-    :param int time_cost: Defines the amount of computation realized and
-        therefore the execution time, given in number of iterations.
-    :param int memory_cost: Defines the memory usage, given in kibibytes_.
-    :param int parallelism: Defines the number of parallel threads (*changes*
-        the resulting hash value).
-    :param int hash_len: Length of the hash in bytes.
-    :param int salt_len: Length of random salt to be generated for each
-        password.
-    :param str encoding: The Argon2 C library expects bytes.  So if
-        :meth:`hash` or :meth:`verify` are passed a ``str``, it will be
-        encoded using this encoding.
-    :param Type type: Argon2 type to use.  Only change for interoperability
-        with legacy systems.
+    Args:
+        time_cost:
+            Defines the amount of computation realized and therefore the
+            execution time, given in number of iterations.
+
+        memory_cost: Defines the memory usage, given in kibibytes_.
+
+        parallelism:
+            Defines the number of parallel threads (*changes* the resulting
+            hash value).
+
+        hash_len: Length of the hash in bytes.
+
+        salt_len: Length of random salt to be generated for each password.
+
+        encoding:
+            The Argon2 C library expects bytes.  So if :meth:`hash` or
+            :meth:`verify` are passed a ``str``, it will be encoded using this
+            encoding.
+
+        type:
+            Argon2 type to use.  Only change for interoperability with legacy
+            systems.
 
     .. versionadded:: 16.0.0
     .. versionchanged:: 18.2.0
@@ -70,6 +85,7 @@ class PasswordHasher:
     .. _salt: https://en.wikipedia.org/wiki/Salt_(cryptography)
     .. _kibibytes: https://en.wikipedia.org/wiki/Binary_prefix#kibi
     """
+
     __slots__ = ["_parameters", "encoding"]
 
     _parameters: Parameters
@@ -97,8 +113,7 @@ class PasswordHasher:
         if e:
             raise TypeError(e)
 
-        # Cache a Parameters object for check_needs_rehash.
-        self._parameters = Parameters(
+        params = Parameters(
             type=type,
             version=19,
             salt_len=salt_len,
@@ -107,6 +122,11 @@ class PasswordHasher:
             memory_cost=memory_cost,
             parallelism=parallelism,
         )
+
+        validate_params_for_platform(params)
+
+        # Cache a Parameters object for check_needs_rehash.
+        self._parameters = params
         self.encoding = encoding
 
     @classmethod
@@ -114,12 +134,20 @@ class PasswordHasher:
         """
         Construct a `PasswordHasher` from *params*.
 
+        Returns:
+            A `PasswordHasher` instance with the parameters from *params*.
+
         .. versionadded:: 21.2.0
         """
-        ph = cls()
-        ph._parameters = params
 
-        return ph
+        return cls(
+            time_cost=params.time_cost,
+            memory_cost=params.memory_cost,
+            parallelism=params.parallelism,
+            hash_len=params.hash_len,
+            salt_len=params.salt_len,
+            type=params.type,
+        )
 
     @property
     def time_cost(self) -> int:
@@ -149,11 +177,11 @@ class PasswordHasher:
         """
         Hash *password* and return an encoded hash.
 
-        Parameters:
-
+        Args:
             password: Password to hash.
 
-            salt: If None, a random salt is securely created.
+            salt:
+                If None, a random salt is securely created.
 
                 .. danger::
 
@@ -161,11 +189,9 @@ class PasswordHasher:
                     you are doing.
 
         Raises:
-
             argon2.exceptions.HashingError: If hashing fails.
 
         Returns:
-
             Hashed *password*.
 
         .. versionadded:: 23.1.0 *salt* parameter
@@ -198,23 +224,25 @@ class PasswordHasher:
             other parsing than the determination of the hash type is done by
             *argon2-cffi*.
 
-        :param hash: An encoded hash as returned from
-            :meth:`PasswordHasher.hash`.
-        :type hash: ``bytes`` or ``str``
+        Args:
+            hash: An encoded hash as returned from :meth:`PasswordHasher.hash`.
 
-        :param password: The password to verify.
-        :type password: ``bytes`` or ``str``
+            password: The password to verify.
 
-        :raises argon2.exceptions.VerifyMismatchError: If verification fails
-            because *hash* is not valid for *password*.
-        :raises argon2.exceptions.VerificationError: If verification fails for
-            other reasons.
-        :raises argon2.exceptions.InvalidHashError: If *hash* is so clearly
-            invalid, that it couldn't be passed to Argon2.
+        Raises:
+            argon2.exceptions.VerifyMismatchError:
+                If verification fails because *hash* is not valid for
+                *password*.
 
-        :return: ``True`` on success, raise
-            :exc:`~argon2.exceptions.VerificationError` otherwise.
-        :rtype: bool
+            argon2.exceptions.VerificationError:
+                If verification fails for other reasons.
+
+            argon2.exceptions.InvalidHashError:
+                If *hash* is so clearly invalid, that it couldn't be passed to
+                Argon2.
+
+        Returns:
+            ``True`` on success, otherwise an exception is raised.
 
         .. versionchanged:: 16.1.0
             Raise :exc:`~argon2.exceptions.VerifyMismatchError` on mismatches
@@ -231,7 +259,7 @@ class PasswordHasher:
             hash, _ensure_bytes(password, self.encoding), hash_type
         )
 
-    def check_needs_rehash(self, hash: str) -> bool:
+    def check_needs_rehash(self, hash: str | bytes) -> bool:
         """
         Check whether *hash* was created using the instance's parameters.
 
@@ -244,8 +272,16 @@ class PasswordHasher:
         Therefore it's best practice to check -- and if necessary rehash --
         passwords after each successful authentication.
 
-        :rtype: bool
+        Args:
+            hash: An encoded Argon2 password hash.
+
+        Returns:
+            Whether *hash* was created using the instance's parameters.
 
         .. versionadded:: 18.2.0
+        .. versionchanged:: 24.1.0 Accepts bytes for *hash*.
         """
+        if isinstance(hash, bytes):
+            hash = hash.decode("ascii")
+
         return self._parameters != extract_parameters(hash)

src/argon2/_typing.py

@@ -1,15 +0,0 @@
-# SPDX-License-Identifier: MIT
-
-from __future__ import annotations
-
-import sys
-
-
-# try/except ImportError does NOT work.
-# c.f. https://github.com/python/mypy/issues/8520
-if sys.version_info >= (3, 8):
-    from typing import Literal
-else:
-    from typing_extensions import Literal
-
-__all__ = ["Literal"]

src/argon2/_utils.py

@@ -2,17 +2,19 @@
 
 from __future__ import annotations
 
-from dataclasses import dataclass
-from typing import Any
+import platform
+import sys
 
-from .exceptions import InvalidHashError
+from dataclasses import dataclass
+
+from .exceptions import InvalidHashError, UnsupportedParametersError
 from .low_level import Type
 
 
 NoneType = type(None)
 
 
-def _check_types(**kw: Any) -> str | None:
+def _check_types(**kw: tuple[object, type | tuple[type, ...]]) -> str | None:
     """
     Check each ``name: (value, types)`` in *kw*.
 
@@ -22,11 +24,11 @@ def _check_types(**kw: Any) -> str | None:
     for name, (value, types) in kw.items():
         if not isinstance(value, types):
             if isinstance(types, tuple):
-                types = ", or ".join(t.__name__ for t in types)
+                type_names = ", or ".join(t.__name__ for t in types)
             else:
-                types = types.__name__
+                type_names = types.__name__
             errors.append(
-                f"'{name}' must be a {types} (got {type(value).__name__})"
+                f"'{name}' must be a {type_names} (got {type(value).__name__})"
             )
 
     if errors != []:
@@ -35,6 +37,13 @@ def _check_types(**kw: Any) -> str | None:
     return None
 
 
+def _is_wasm() -> bool:
+    return sys.platform == "emscripten" or platform.machine() in [
+        "wasm32",
+        "wasm64",
+    ]
+
+
 def _decoded_str_len(length: int) -> int:
     """
     Compute how long an encoded string of length *l* becomes.
@@ -58,13 +67,20 @@ class Parameters:
 
     See :doc:`parameters` on how to pick them.
 
-    :ivar Type type: Hash type.
-    :ivar int version: Argon2 version.
-    :ivar int salt_len: Length of the salt in bytes.
-    :ivar int hash_len: Length of the hash in bytes.
-    :ivar int time_cost: Time cost in iterations.
-    :ivar int memory_cost: Memory cost in kibibytes.
-    :ivar int parallelism: Number of parallel threads.
+    Attributes:
+        type: Hash type.
+
+        version: Argon2 version.
+
+        salt_len: Length of the salt in bytes.
+
+        hash_len: Length of the hash in bytes.
+
+        time_cost: Time cost in iterations.
+
+        memory_cost: Memory cost in kibibytes.
+
+        parallelism: Number of parallel threads.
 
     .. versionadded:: 18.2.0
     """
@@ -78,13 +94,13 @@ class Parameters:
     parallelism: int
 
     __slots__ = (
-        "type",
-        "version",
-        "salt_len",
         "hash_len",
-        "time_cost",
         "memory_cost",
         "parallelism",
+        "salt_len",
+        "time_cost",
+        "type",
+        "version",
     )
 
 
@@ -96,9 +112,11 @@ def extract_parameters(hash: str) -> Parameters:
     """
     Extract parameters from an encoded *hash*.
 
-    :param str params: An encoded Argon2 hash string.
+    Args:
+        hash: An encoded Argon2 hash string.
 
-    :rtype: Parameters
+    Returns:
+        The parameters used to create the hash.
 
     .. versionadded:: 18.2.0
     """
@@ -138,3 +156,18 @@ def extract_parameters(hash: str) -> Parameters:
         memory_cost=kvs["m"],
         parallelism=kvs["p"],
     )
+
+
+def validate_params_for_platform(params: Parameters) -> None:
+    """
+    Validate *params* against current platform.
+
+    Args:
+        params: Parameters to be validated
+
+    Returns:
+       None
+    """
+    if _is_wasm() and params.parallelism != 1:
+        msg = "In WebAssembly environments `parallelism` must be 1."
+        raise UnsupportedParametersError(msg)

src/argon2/exceptions.py

@@ -46,6 +46,16 @@ class InvalidHashError(ValueError):
     """
 
 
+class UnsupportedParametersError(ValueError):
+    """
+    Raised if the current platform does not support the parameters.
+
+    For example, in WebAssembly parallelism must be set to 1.
+
+    .. versionadded:: 25.1.0
+    """
+
+
 InvalidHash = InvalidHashError
 """
 Deprecated alias for :class:`InvalidHashError`.

src/argon2/low_level.py

@@ -12,11 +12,10 @@ Low-level functions if you want to build your own higher level abstractions.
 from __future__ import annotations
 
 from enum import Enum
-from typing import Any
+from typing import Any, Literal
 
 from _argon2_cffi_bindings import ffi, lib
 
-from ._typing import Literal
 from .exceptions import HashingError, VerificationError, VerifyMismatchError
 
 
@@ -66,23 +65,27 @@ def hash_secret(
     An encoded hash can be directly passed into :func:`verify_secret` as it
     contains all parameters and the salt.
 
-    :param bytes secret: Secret to hash.
-    :param bytes salt: A salt_.  Should be random and different for each
-        secret.
-    :param Type type: Which Argon2 variant to use.
-    :param int version: Which Argon2 version to use.
+    Args:
+        secret: Secret to hash.
+
+        salt: A salt_. Should be random and different for each secret.
+
+        type: Which Argon2 variant to use.
+
+        version: Which Argon2 version to use.
 
     For an explanation of the Argon2 parameters see
     :class:`argon2.PasswordHasher`.
 
-    :rtype: bytes
+    Returns:
+        An encoded Argon2 hash.
 
-    :raises argon2.exceptions.HashingError: If hashing fails.
+    Raises:
+        argon2.exceptions.HashingError: If hashing fails.
 
     .. versionadded:: 16.0.0
 
     .. _salt: https://en.wikipedia.org/wiki/Salt_(cryptography)
-    .. _kibibytes: https://en.wikipedia.org/wiki/Binary_prefix#kibi
     """
     size = (
         lib.argon2_encodedlen(
@@ -161,20 +164,26 @@ def verify_secret(hash: bytes, secret: bytes, type: Type) -> Literal[True]:
     """
     Verify whether *secret* is correct for *hash* of *type*.
 
-    :param bytes hash: An encoded Argon2 hash as returned by
-        :func:`hash_secret`.
-    :param bytes secret: The secret to verify whether it matches the one
-        in *hash*.
-    :param Type type: Type for *hash*.
+    Args:
+        hash:
+            An encoded Argon2 hash as returned by :func:`hash_secret`.
 
-    :raises argon2.exceptions.VerifyMismatchError: If verification fails
-        because *hash* is not valid for *secret* of *type*.
-    :raises argon2.exceptions.VerificationError: If verification fails for
-        other reasons.
+        secret:
+            The secret to verify whether it matches the one in *hash*.
 
-    :return: ``True`` on success, raise
-        :exc:`~argon2.exceptions.VerificationError` otherwise.
-    :rtype: bool
+        type: Type for *hash*.
+
+    Raises:
+        argon2.exceptions.VerifyMismatchError:
+            If verification fails because *hash* is not valid for *secret* of
+            *type*.
+
+        argon2.exceptions.VerificationError:
+            If verification fails for other reasons.
+
+    Returns:
+        ``True`` on success, raise :exc:`~argon2.exceptions.VerificationError`
+        otherwise.
 
     .. versionadded:: 16.0.0
     .. versionchanged:: 16.1.0
@@ -211,13 +220,17 @@ def core(context: Any, type: int) -> int:
         Use at your own peril; *argon2-cffi* does *not* use this binding
         itself.
 
-    :param context: A CFFI Argon2 context object (i.e. an ``struct
-        Argon2_Context`` / ``argon2_context``).
-    :param int type: Which Argon2 variant to use.  You can use the ``value``
-        field of :class:`Type`'s fields.
+    Args:
+        context:
+            A CFFI Argon2 context object (i.e. an ``struct Argon2_Context`` /
+            ``argon2_context``).
 
-    :rtype: int
-    :return: An Argon2 error code.  Can be transformed into a string using
+        type:
+            Which Argon2 variant to use.  You can use the ``value`` field of
+            :class:`Type`'s fields.
+
+    Returns:
+        An Argon2 error code.  Can be transformed into a string using
         :func:`error_to_str`.
 
     .. versionadded:: 16.0.0
@@ -229,9 +242,11 @@ def error_to_str(error: int) -> str:
     """
     Convert an Argon2 error code into a native string.
 
-    :param int error: An Argon2 error code as returned by :func:`core`.
+    Args:
+        error: An Argon2 error code as returned by :func:`core`.
 
-    :rtype: str
+    Returns:
+        A human-readable string describing the error.
 
     .. versionadded:: 16.0.0
     """

src/argon2/profiles.py

@@ -11,10 +11,29 @@ concrete values and :doc:`parameters` for more information.
 
 from __future__ import annotations
 
-from ._utils import Parameters
+import dataclasses
+
+from ._utils import Parameters, _is_wasm
 from .low_level import Type
 
 
+def get_default_parameters() -> Parameters:
+    """
+    Create default parameters for current platform.
+
+    Returns:
+        Default, compatible, parameters for current platform.
+
+    .. versionadded:: 25.1.0
+    """
+    params = RFC_9106_LOW_MEMORY
+
+    if _is_wasm():
+        params = dataclasses.replace(params, parallelism=1)
+
+    return params
+
+
 # FIRST RECOMMENDED option per RFC 9106.
 RFC_9106_HIGH_MEMORY = Parameters(
     type=Type.ID,

tests/test_legacy.py

@@ -118,26 +118,27 @@ class TestHash:
 
         assert (
             # -1 for not NUL byte
-            int((DEFAULT_RANDOM_SALT_LENGTH << 2) / 3 + 2) - 1
-            == len(salt)
+            int((DEFAULT_RANDOM_SALT_LENGTH << 2) / 3 + 2) - 1 == len(salt)
         )
 
     def test_hash_wrong_arg_type(self):
         """
         Passing an argument of wrong type raises TypeError.
         """
-        with pytest.deprecated_call(
-            match="argon2.hash_password is deprecated"
-        ), pytest.raises(TypeError):
+        with (
+            pytest.deprecated_call(match="argon2.hash_password is deprecated"),
+            pytest.raises(TypeError),
+        ):
             hash_password("oh no, unicode!")
 
     def test_illegal_argon2_parameter(self):
         """
         Raises HashingError if hashing fails.
         """
-        with pytest.deprecated_call(
-            match="argon2.hash_password is deprecated"
-        ), pytest.raises(HashingError):
+        with (
+            pytest.deprecated_call(match="argon2.hash_password is deprecated"),
+            pytest.raises(HashingError),
+        ):
             hash_password(TEST_PASSWORD, memory_cost=1)
 
     @given(st.binary(max_size=128))
@@ -175,16 +176,22 @@ class TestVerify:
         """
         Given a valid hash and password and wrong type, we fail.
         """
-        with pytest.deprecated_call(
-            match="argon2.verify_password is deprecated"
-        ), pytest.raises(VerificationError):
+        with (
+            pytest.deprecated_call(
+                match="argon2.verify_password is deprecated"
+            ),
+            pytest.raises(VerificationError),
+        ):
             verify_password(TEST_HASH_I, TEST_PASSWORD, Type.D)
 
     def test_wrong_arg_type(self):
         """
         Passing an argument of wrong type raises TypeError.
         """
-        with pytest.deprecated_call(
-            match="argon2.verify_password is deprecated"
-        ), pytest.raises(TypeError):
+        with (
+            pytest.deprecated_call(
+                match="argon2.verify_password is deprecated"
+            ),
+            pytest.raises(TypeError),
+        ):
             verify_password(TEST_HASH_I, TEST_PASSWORD.decode("ascii"))

tests/test_low_level.py

@@ -95,11 +95,11 @@ TEST_PARALLELISM = 4
 TEST_HASH_LEN = 32
 
 i_and_d_encoded = pytest.mark.parametrize(
-    "type,hash",
+    ("type", "hash"),
     [(Type.I, TEST_HASH_I), (Type.D, TEST_HASH_D), (Type.ID, TEST_HASH_ID)],
 )
 i_and_d_raw = pytest.mark.parametrize(
-    "type,hash",
+    ("type", "hash"),
     [(Type.I, TEST_RAW_I), (Type.D, TEST_RAW_D), (Type.ID, TEST_RAW_ID)],
 )
 
@@ -185,13 +185,15 @@ class TestHash:
                 Type.I,
             )
 
-    @both_hash_funcs
-    @given(st.binary(max_size=128))
+    @given(
+        st.sampled_from((hash_secret, hash_secret_raw)),
+        st.binary(max_size=128),
+    )
     def test_hash_fast(self, func, secret):
         """
         Hash various secrets as cheaply as possible.
         """
-        hash_secret(
+        func(
             secret,
             salt=b"12345678",
             time_cost=1,

tests/test_packaging.py

@@ -1,18 +1,13 @@
 # SPDX-License-Identifier: MIT
 
-import sys
+
+from importlib import metadata
 
 import pytest
 
 import argon2
 
 
-if sys.version_info < (3, 8):
-    import importlib_metadata as metadata
-else:
-    from importlib import metadata
-
-
 class TestLegacyMetadataHack:
     def test_version(self):
         """

tests/test_password_hasher.py

@@ -1,10 +1,22 @@
 # SPDX-License-Identifier: MIT
 
+import secrets
+import sys
+import threading
+
+from concurrent.futures import ThreadPoolExecutor
+from unittest import mock
+
 import pytest
 
 from argon2 import PasswordHasher, Type, extract_parameters, profiles
 from argon2._password_hasher import _ensure_bytes
-from argon2.exceptions import InvalidHash, InvalidHashError
+from argon2._utils import Parameters
+from argon2.exceptions import (
+    InvalidHash,
+    InvalidHashError,
+    UnsupportedParametersError,
+)
 
 
 class TestEnsureBytes:
@@ -51,13 +63,13 @@ class TestPasswordHasher:
         assert isinstance(h, str)
         assert h[: len(prefix)] == prefix
 
-    def test_custom_salt(self, password=b"password"):
+    def test_custom_salt(self):
         """
         A custom salt can be specified.
         """
         ph = PasswordHasher.from_parameters(profiles.CHEAPEST)
 
-        h = ph.hash(password, salt=b"1234567890123456")
+        h = ph.hash(b"password", salt=b"1234567890123456")
 
         assert h == (
             "$argon2id$v=19$m=8,t=1,p=1$MTIzNDU2Nzg5MDEyMzQ1Ng$maTa5w"
@@ -109,22 +121,32 @@ class TestPasswordHasher:
         with pytest.raises(InvalidHash):
             PasswordHasher().verify("tiger", "does not matter")
 
-    def test_check_needs_rehash_no(self):
+    @pytest.mark.parametrize("use_bytes", [True, False])
+    def test_check_needs_rehash_no(self, use_bytes):
         """
         Return False if the hash has the correct parameters.
         """
         ph = PasswordHasher(1, 8, 1, 16, 16)
 
-        assert not ph.check_needs_rehash(ph.hash("foo"))
+        hash = ph.hash("foo")
+        if use_bytes:
+            hash = hash.encode()
 
-    def test_check_needs_rehash_yes(self):
+        assert not ph.check_needs_rehash(hash)
+
+    @pytest.mark.parametrize("use_bytes", [True, False])
+    def test_check_needs_rehash_yes(self, use_bytes):
         """
         Return True if any of the parameters changes.
         """
         ph = PasswordHasher(1, 8, 1, 16, 16)
         ph_old = PasswordHasher(1, 8, 1, 8, 8)
 
-        assert ph.check_needs_rehash(ph_old.hash("foo"))
+        hash = ph_old.hash("foo")
+        if use_bytes:
+            hash = hash.encode()
+
+        assert ph.check_needs_rehash(hash)
 
     def test_type_is_configurable(self):
         """
@@ -141,3 +163,74 @@ class TestPasswordHasher:
         assert Type.I is ph.type is ph._parameters.type
         assert Type.I is extract_parameters(ph.hash("foo")).type
         assert ph.check_needs_rehash(default_hash)
+
+    @mock.patch("sys.platform", "emscripten")
+    @pytest.mark.parametrize("machine", ["wasm32", "wasm64"])
+    def test_params_on_wasm(self, machine):
+        """
+        Parameter validation catches invalid parameters on WebAssembly.
+        """
+        with mock.patch("platform.machine", return_value=machine):
+            with pytest.raises(
+                UnsupportedParametersError,
+                match="In WebAssembly environments `parallelism` must be 1",
+            ):
+                PasswordHasher(parallelism=2)
+
+            # last param is parallelism so it should fail
+            params = Parameters(Type.I, 2, 8, 8, 3, 256, 8)
+            with pytest.raises(
+                UnsupportedParametersError,
+                match="In WebAssembly environments `parallelism` must be 1",
+            ):
+                ph = PasswordHasher.from_parameters(params)
+
+            # explicitly correct parameters
+            ph = PasswordHasher(parallelism=1)
+
+            hash = ph.hash("hello")
+
+            assert ph.verify(hash, "hello") is True
+
+            # explicit, but still default parameters
+            default_params = profiles.get_default_parameters()
+            ph = PasswordHasher.from_parameters(default_params)
+
+            hash = ph.hash("hello")
+
+            assert ph.verify(hash, "hello") is True
+
+
+def test_multithreaded_hashing():
+    """
+    Hash passwords in a thread pool and check for thread safety
+    """
+    hasher = PasswordHasher(parallelism=2)
+
+    num_passwords = 100
+
+    passwords = [secrets.token_urlsafe(15) for _ in range(num_passwords)]
+
+    def closure(b, passwords):
+        b.wait()
+        for password in passwords:
+            assert hasher.verify(hasher.hash(password), password)
+
+    max_workers = 4
+
+    chunks = [passwords[i::max_workers] for i in range(max_workers)]
+    orig_interval = sys.getswitchinterval()
+
+    with ThreadPoolExecutor(max_workers=max_workers) as tpe:
+        barrier = threading.Barrier(max_workers)
+        futures = []
+        try:
+            sys.setswitchinterval(0.00001)
+            for chunk in chunks:
+                futures.append(tpe.submit(closure, barrier, chunk))  # noqa: PERF401
+        finally:
+            sys.setswitchinterval(orig_interval)
+            if len(futures) < max_workers:
+                barrier.abort()
+        for f in futures:
+            f.result()

tests/typing/api.py

@@ -15,3 +15,5 @@ ph.verify("hash", b"pw")
 
 if ph.check_needs_rehash("hash") is True:
     ...
+
+params: argon2.Parameters = argon2.profiles.get_default_parameters()

tox.ini

@@ -1,21 +1,21 @@
 [tox]
-min_version = 4
+min_version = 4.25
 env_list =
     pre-commit,
-    mypy-pkg,
-    py3{7,8,9,10,11,12}-{tests,mypy}
-    py311-bindings-main,
+    py3{9-14}-{tests,mypy},
+    py314t-tests,
+    py314-tests-{bindings-main,system-argon2},
     pypy3-tests,
-    system-argon2,
-    docs,
-    coverage-report
+    typing-{pyright,ty,pyrefly,mypy}
+    docs-doctests,
+    coverage-{combine,report}
 
 
 [testenv]
-description = Run tests and do NOT measure coverage / type-check.
+description = Run tests / check types and do NOT measure coverage.
 package = wheel
 wheel_build_env = .pkg
-extras =
+dependency_groups =
     tests: tests
     mypy: typing
 pass_env =
@@ -27,83 +27,97 @@ commands =
     mypy: mypy tests/typing
 
 
-[testenv:py3{7,11}-tests]
+[testenv:py3{9,14}-tests]
+# Keep coverage-combine's depends with the versions.
 description = Run tests and measure coverage.
-deps =
-    coverage[toml]
+deps = coverage[toml]
 commands =
     coverage run -m pytest {posargs}
     coverage run -m argon2 -n 1 -t 1 -m 8 -p 1
     coverage run -m argon2 --profile CHEAPEST
 
 
-[testenv:coverage-report]
-description = Report coverage over all test runs.
+# Split combine/report in 2 to avoid excessive "Combined data file ..." output.
+[testenv:coverage-combine]
+# Keep base_python in-sync with .python-version-default
+base_python = py313
+# Keep in-sync with test env definition above.
+depends = py3{9,14}-tests
 skip_install = true
-depends = py3{7,11}
-deps = coverage[toml]
-parallel_show_output = true
-commands =
-    coverage combine
-    coverage report
+deps = coverage
+commands = coverage combine
 
+[testenv:coverage-report]
+description = Report coverage over oldest and latest supported Python
+# Keep base_python in-sync with .python-version-default
+base_python = py313
+skip_install = true
+depends = coverage-combine
+deps = coverage
+parallel_show_output = true
+commands = coverage report
 
 [testenv:system-argon2]
 description = Run tests against bindings that use a system installation of Argon2.
 set_env = ARGON2_CFFI_USE_SYSTEM=1
 install_command = pip install {opts} --no-binary=argon2-cffi-bindings {packages}
 
-
-[testenv:py311-bindings-main]
+[testenv:py312-bindings-main]
 description = Run tests against the current main branch of argon2-cffi-bindings
-extras =
+dependency_groups =
 deps =
-install_command = pip install {opts} --no-deps {packages}
 commands_pre = pip install -I hypothesis pytest git+https://github.com/hynek/argon2-cffi-bindings
+install_command = pip install {opts} --no-deps {packages}
 
 
 [testenv:pre-commit]
 description = Run all pre-commit hooks.
 skip_install = true
-deps = pre-commit
+deps = pre-commit-uv
 commands = pre-commit run --all-files
 
 
-[testenv:pyright]
-# Install and configure node and pyright
-# Use nodeenv to configure node in the running tox virtual environment
-# Seeing errors using "nodeenv -p"
-# Use npm install -g to install "globally" into the virtual environment
-# Does not run by default locally because it's slow.
-deps = nodeenv
-extras = typing
-commands_pre =
-    nodeenv --prebuilt --node=lts --force {envdir}
-    npm install -g --no-package-lock --no-save pyright
-    pyright --version
-commands = pyright tests/typing src
-
-
-[testenv:mypy-pkg]
-description = Check own code.
+[testenv:typing-mypy]
+description = Check own code with Mypyy.
+# Keep base_python in-sync with .python-version-default
+base_python = py313
 deps = mypy
+dependency_groups = typing
 commands = mypy src
 
+[testenv:typing-pyright]
+description = Check API and own code with Pyright
+deps = pyright
+dependency_groups = typing
+commands = pyright src tests/typing
 
-[testenv:docs]
-description = Build docs and run doctests.
-# Keep base_python in-sync with .readthedocs.yaml and ci.yml/docs.
-base_python = py311
-extras = docs
+[testenv:typing-ty]
+description = Check API with ty
+deps = ty
+dependency_groups = typing
+commands = ty check src tests/typing
+
+[testenv:typing-pyrefly]
+description = Check API with pyrefly
+deps = pyrefly
+dependency_groups = typing
+commands = pyrefly check src tests/typing
+
+
+[testenv:docs-{build,doctests,linkcheck}]
+# Keep base_python in sync with .readthedocs.yaml.
+base_python = py313
+dependency_groups = docs
 commands =
-    python -Im doctest README.md
-    sphinx-build -W -n -b html -d {envtmpdir}/doctrees docs docs/_build/html
-    sphinx-build -W -n -b doctest -d {envtmpdir}/doctrees docs docs/_build/html
+    build: sphinx-build -n -T -W -b html -d {envtmpdir}/doctrees docs {posargs:docs/_build/}html
+    doctests: python -m doctest README.md
+    doctests: sphinx-build -n -T -W -b doctest -d {envtmpdir}/doctrees docs {posargs:docs/_build/}html
+    linkcheck: sphinx-build -W -b linkcheck -d {envtmpdir}/doctrees docs docs/_build/html
 
 [testenv:docs-watch]
 package = editable
-base_python = {[testenv:docs]base_python}
-extras = {[testenv:docs]extras}
+base_python = {[testenv:docs-build]base_python}
+dependency_groups = {[testenv:docs-build]dependency_groups}
 deps = watchfiles
 commands =
     watchfiles \
@@ -116,5 +130,5 @@ commands =
 
 [testenv:docs-linkcheck]
 base_python = {[testenv:docs]base_python}
-extras = {[testenv:docs]extras}
+dependency_groups = {[testenv:docs]dependency_groups}
 commands = sphinx-build -W -b linkcheck -d {envtmpdir}/doctrees docs docs/_build/html