Installation
Package Overview
Sentinel Password ships four packages — pick the one(s) that match what you're building:
| Package | Gzipped (ESM) | Raw (ESM) | Runtime deps | Peer deps |
|---|---|---|---|---|
@sentinel-password/core | ~5.4 KB | ~15.8 KB | none | none |
@sentinel-password/react | ~0.7 KB | ~2.5 KB | @sentinel-password/core (installed transitively) | React 18 or 19 |
@sentinel-password/react-components | ~1.7 KB | ~6.0 KB | @sentinel-password/core (installed transitively) | React 18 or 19, React DOM 18 or 19 |
@sentinel-password/entropy | ~28 KB | ~53 KB | none | none |
@sentinel-password/core— zero-dependency validation engine. Use directly with vanilla JS, Node, Deno, Bun, or any framework.@sentinel-password/react—usePasswordValidatorhook with debouncing and state management.@sentinel-password/react-components— headless, accessiblePasswordInputcomponent.@sentinel-password/entropy— optional Shannon entropy + crack-time estimator. Standalone, not bundled with core. Use alongside core when you need a "how long would it survive an offline attack?" signal in addition to rule-based validity.
Sizes are the ESM build measured at the time of this release; CJS is slightly larger. Runtime deps install automatically with your package-manager command — you only ever need to
npm installthe package you're using. Peer deps are bring-your-own.
Installation Methods
npm
npm install @sentinel-password/corenpm install @sentinel-password/reactnpm install @sentinel-password/react-componentsnpm install @sentinel-password/entropypnpm
pnpm add @sentinel-password/corepnpm add @sentinel-password/reactpnpm add @sentinel-password/react-componentspnpm add @sentinel-password/entropyyarn
yarn add @sentinel-password/coreyarn add @sentinel-password/reactyarn add @sentinel-password/react-componentsyarn add @sentinel-password/entropybun
bun add @sentinel-password/corebun add @sentinel-password/reactbun add @sentinel-password/react-componentsbun add @sentinel-password/entropyRequirements
Core Package
- No runtime dependencies
- Works with any JavaScript environment (Node.js, browsers, Deno, Bun)
- TypeScript 6+ for development (root devDep is
typescript: ^6.0.3)
React Packages
- React 18 or 19 (peer range:
^18.0.0 || ^19.0.0) - React DOM 18 or 19 (same range, required only for
@sentinel-password/react-components)
TypeScript Support
All packages are written in TypeScript and include full type definitions:
import type {
ValidationResult,
ValidatorOptions,
StrengthScore,
StrengthLabel,
} from '@sentinel-password/core'
import type {
UsePasswordValidatorOptions,
UsePasswordValidatorReturn,
} from '@sentinel-password/react'
import type {
PasswordInputProps,
ValidationMessage,
} from '@sentinel-password/react-components'
import type {
EntropyOptions,
EntropyResult,
EntropyPattern,
CrackTimePresets,
} from '@sentinel-password/entropy'Module Formats
All packages support both ESM and CommonJS:
// ESM
import { validatePassword } from '@sentinel-password/core'
// CommonJS
const { validatePassword } = require('@sentinel-password/core')CDN Usage
For quick prototyping, you can use a CDN:
<!-- ESM -->
<script type="module">
import { validatePassword } from 'https://esm.sh/@sentinel-password/core'
const result = validatePassword('password123', { minLength: 8 })
console.log(result.valid, result.strength)
</script>WARNING
CDN usage is not recommended for production. Always install packages via npm for better performance and caching.
Verify Installation
After installation, verify everything works:
import { validatePassword } from '@sentinel-password/core'
const result = validatePassword('Test-Pa55word!', { minLength: 8 })
console.log(result.valid) // true
console.log(result.strength) // 'very-strong'Why not Test1234!?
The 1234 sequence trips the sequential + keyboard-pattern detectors even though every other check passes — valid comes back false with strength: 'strong'. The validator's job is to catch exactly these "looks fine, isn't" passwords.