From a quick look at the PR it looks like users will be upgraded on first successful login after the deployment. You may find yourself with old style passwords hanging around in your database for a long time for people who don’t log in regularly.
An approach I used in a similar situation a while back is to use argon2 with the currently stored sha1 hash and save that result. Validation of older passwords becomes (simplifying a little here):
This gives the same level of protection as direct argon2 in the event of a data leak. It does add a little complexity in validating older passwords, but depending on the situation it may be worth it. You can then either store a flag so you know what type of comparison to make, or fall back to assuming it’s been sha1 encoded first in the event of a failure. Though I would favour the flag method. Still upgrade them to direct argon2 when a successful authentication happens for consistency.
You can apply this if and when you need it later on. Just something you may want to consider if you haven’t already.
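Added example (not code from the PR or the comment above) of the wrap-then-upgrade scheme described in this comment: existing unsalted SHA-1 hex digests are wrapped in a slow KDF offline so no plaintext is needed, a scheme flag on the stored record selects the comparison, and a successful login against a wrapped record hands back a direct-KDF record for the caller to persist. Assumptions: the legacy column holds unsalted SHA-1 hex; the scheme strings `"kdf"` / `"kdf(sha1)"`, the record layout and the KDF parameters are made up for the example; and standard-library PBKDF2-HMAC-SHA256 stands in for argon2 so the snippet runs without argon2-cffi (swap `slow_hash` for `argon2.low_level.hash_secret_raw` in a real deployment and nothing else changes).

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed parameters for the example, not taken from the PR.
KDF_ITERATIONS = 200_000
KDF_LEN = 32
SCHEME_DIRECT = "kdf"        # password -> KDF
SCHEME_WRAPPED = "kdf(sha1)"  # legacy sha1 hex -> KDF (migration record)


def slow_hash(secret: bytes, salt: bytes) -> bytes:
    """Stand-in for argon2 so this runs offline; replace with argon2 in production."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, KDF_ITERATIONS, KDF_LEN)


def legacy_sha1_hex(password: str) -> str:
    """What the assumed legacy system stored: unsalted SHA-1 hex of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


@dataclass
class StoredCredential:
    scheme: str    # the flag that tells verify() which comparison to make
    salt: bytes
    digest: bytes


def hash_password(password: str) -> StoredCredential:
    """Direct scheme: used for new passwords and for upgrades after login."""
    salt = os.urandom(16)
    return StoredCredential(SCHEME_DIRECT, salt, slow_hash(password.encode("utf-8"), salt))


def wrap_legacy_sha1(sha1_hex: str) -> StoredCredential:
    """One-off migration step run over the whole table: wrap the stored SHA-1
    digest in the slow KDF without knowing the plaintext. Once this has run,
    the raw SHA-1 values can be dropped from the database."""
    salt = os.urandom(16)
    return StoredCredential(SCHEME_WRAPPED, salt, slow_hash(sha1_hex.encode("ascii"), salt))


def verify(cred: StoredCredential, password: str) -> Tuple[bool, Optional[StoredCredential]]:
    """Returns (ok, replacement). replacement is a direct-scheme record the caller
    should persist when a wrapped legacy record authenticated successfully."""
    if cred.scheme == SCHEME_DIRECT:
        candidate = slow_hash(password.encode("utf-8"), cred.salt)
        return hmac.compare_digest(candidate, cred.digest), None
    if cred.scheme == SCHEME_WRAPPED:
        # Recompute what the legacy system stored, then apply the same wrapping.
        candidate = slow_hash(legacy_sha1_hex(password).encode("ascii"), cred.salt)
        if hmac.compare_digest(candidate, cred.digest):
            return True, hash_password(password)  # upgrade to direct KDF on success
        return False, None
    raise ValueError(f"unknown credential scheme {cred.scheme!r}")


if __name__ == "__main__":
    # Constructed walkthrough: migrate a legacy row, log in, persist the upgrade.
    row = wrap_legacy_sha1(legacy_sha1_hex("correct horse"))
    ok, upgraded = verify(row, "correct horse")
    print("legacy login ok:", ok, "| upgraded scheme:", upgraded.scheme if upgraded else None)
    ok_again, _ = verify(upgraded, "correct horse")
    print("direct login ok:", ok_again, "| wrong password:", verify(upgraded, "wrong")[0])
```

The flag lives on the record rather than being inferred from a failed comparison, which is the cheaper of the two options the comment mentions: a wrong password costs one KDF evaluation instead of two, and there is never ambiguity about which format a row is in.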