jonaskruckenberg / rollup-plugin-sri Goto Github PK
View Code? Open in Web Editor NEWAdd subresource integrity tags to all your html files 🔒
License: MIT License
Add subresource integrity tags to all your html files 🔒
License: MIT License
master
branch failed. 🚨I recommend you give this issue a high priority, so other packages depending on you could benefit from your bug fixes and new features.
You can find below the list of errors reported by semantic-release. Each one of them has to be resolved in order to automatically publish your package. I’m sure you can resolve this 💪.
Errors are usually caused by a misconfiguration or an authentication problem. With each error reported below you will find explanation and guidance to help you to resolve it.
Once all the errors are resolved, semantic-release will release your package the next time you push a commit to the master
branch. You can also manually restart the failed CI job that runs semantic-release.
If you are not sure how to resolve this, here is some links that can help you:
If those don’t help, or if this issue is reporting something you think isn’t right, you can always ask the humans behind semantic-release.
The npm token configured in the NPM_TOKEN
environment variable must be a valid token allowing to publish to the registry https://registry.npmjs.org/
.
If you are using Two-Factor Authentication, make configure the auth-only
level is supported. semantic-release cannot publish with the default auth-and-writes
level.
Please make sure to set the NPM_TOKEN
environment variable in your CI with the exact value of the npm token.
Good luck with your project ✨
Your semantic-release bot 📦🚀
One particularly useful option I think would be to allow node_modules
paths (e.g., <script src="./node_modules/jquery/dist/jquery.min.js"></script>
) to be mapped to CDN paths.
For example, one might be able to supply options like this (using named capturing groups):
{
cdns: [
// When `version` is not present, it will be set to the magical value as determined by the
// version of the `name` (here `jquery`) found in `package.json` deps. or devDeps.
{
find: './node_modules/(?<name>jquery)/dist/jquery(?<extension>\\.\\S+)',
replace: 'https://code.jquery.com/jquery-$<version>$<extension>'
},
// The asterisk here is used for any modules not specified
// When just a string (instead of a find/replace object), will act as `replace`, using this
// default `find`:
// find: './node_modules/(?<name>[^/]*)/(?<path>[^\'"]*)'
{'*': 'https://unpkg.com/$<name>@$<version>/$<path>'},
]
}
Some common CDNs like the above could by accessible by shorthand instead (shorthand keys as well as replacement values):
{
cdns: {
'*': 'unpkg',
'jquery': 'jquery'
}
}
The above could take:
<script src="./node_modules/jquery/dist/jquery.slim.min.js"></script>
<script src="./node_modules/leaflet/dist/leaflet.js"></script>
and convert it to:
<script src="https://code.jquery.com/jquery-3.5.1.slim.min.js" integrity="..." crossorigin="..."></script>
<script src="https://unpkg.com/[email protected]/dist/leaflet.js" integrity="..." crossorigin="..."></script>
These could also optionally build local fallback after the CDN script (the export name could be used to set window.jQuery
here):
<script>
window.jQuery || document.write(
decodeURI('%3Cscript src="./node_modules/jquery/dist/jquery.slim.min.js"%3E%3C/script%3E')
)
</script>
master
branch failed. 🚨I recommend you give this issue a high priority, so other packages depending on you could benefit from your bug fixes and new features.
You can find below the list of errors reported by semantic-release. Each one of them has to be resolved in order to automatically publish your package. I’m sure you can resolve this 💪.
Errors are usually caused by a misconfiguration or an authentication problem. With each error reported below you will find explanation and guidance to help you to resolve it.
Once all the errors are resolved, semantic-release will release your package the next time you push a commit to the master
branch. You can also manually restart the failed CI job that runs semantic-release.
If you are not sure how to resolve this, here is some links that can help you:
If those don’t help, or if this issue is reporting something you think isn’t right, you can always ask the humans behind semantic-release.
An npm token must be created and set in the NPM_TOKEN
environment variable on your CI environment.
Please make sure to create an npm token and to set it in the NPM_TOKEN
environment variable on your CI environment. The token must allow to publish to the registry https://registry.npmjs.org/
.
Good luck with your project ✨
Your semantic-release bot 📦🚀
I created this plugin as a useful tool for my own website a couple years ago now, I have also stopped updating it a couple years ago. It has been a fun project to build at the time, but it has stopped serving my and I frankly have no time to update it.
This is why in 2 Weeks, November 30th 2022 I will archive this repository. After that point no updates will happen ever again, and issues and PRs can not be created anymore. The releases will remain on rpm of course, so existing projects will not be broken by this.
If you use this plugin on a regular basis and want to maintain it, please let me know!
Otherwise I'll see you around,
Jonas
Hi there,
First off, thank you for making and sharing this :)
I’ve been trying to get the plugin to work with Vite but it doesn’t seem to have an affect.
Thoughts? Should I open this issue in Vite instead?
vanilla
for template to create the simplest possible appcd vite-sri-test
npm i
npm run build
and note the index.html
file output in dist/
:<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<link rel="icon" type="image/svg+xml" href="/assets/favicon.17e50649.svg" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>Vite App</title>
<script type="module" crossorigin src="/assets/index.b2293eba.js"></script>
<link rel="stylesheet" href="/assets/index.ccce2ca3.css">
</head>
<body>
<div id="app"></div>
</body>
</html>
npm i rollup-plugin-sri
vite.config.js
with the following content:import sri from 'rollup-plugin-sri'
import { defineConfig } from 'vite'
export default defineConfig({
plugins: [sri()]
})
npm run build
and note the index.html
file output in dist/
:<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<link rel="icon" type="image/svg+xml" href="/assets/favicon.17e50649.svg" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>Vite App</title>
<script type="module" crossorigin src="/assets/index.b2293eba.js"></script>
<link rel="stylesheet" href="/assets/index.ccce2ca3.css">
</head>
<body>
<div id="app"></div>
</body>
</html>
@rollup/plugin-html
and try with that (npm i @rollup/plugin-html
+ add the import line (import html from '@rollup/plugin-html'
and change plugins: [sri()]
to plugins: [html(), sri()
) and try npm run build
again. Note the output:<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<link rel="icon" type="image/svg+xml" href="/assets/favicon.17e50649.svg" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>Vite App</title>
<script type="module" crossorigin src="/assets/index.b2293eba.js"></script>
<link rel="stylesheet" href="/assets/index.ccce2ca3.css">
</head>
<body>
<div id="app"></div>
</body>
</html>
build.rollupOptions.plugins
instead and note the resulting HTML (this time it’s different but still doesn’t include the integrity hashes):<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Rollup Bundle</title>
<link href="assets/index.ccce2ca3.css" rel="stylesheet">
</head>
<body>
<script src="assets/index.b2293eba.js" type="module"></script>
</body>
</html>
Integrity hashes should be included
Integrity hashes are not included
This output from Vite could be related:
rendering chunks (1)...The emitted file "index.html" overwrites a previously emitted file of the same name.
Version of Vite: 2.1.4
Version of rollup-plugin-sri: 1.2.7
Version of @rollup/plugin-html: 0.2.3
Since I am not updating my application that frequently (but external sources might), I would like to only run this plugin on bundled assets.
It seems like only the following case needs to be skipped:
https://github.com/JonasKruckenberg/rollup-plugin-sri/blob/master/index.ts#L84-L85
If you don't have the time right now, I can try to make a PR on my own.
Hi,
Thanks for what looks like an incredibly useful plugin!
I assume someone has to use something like @rollup/plugin-html
, as I see no docs on Rollup itself that indicate it can process HTML on its own. I'd think that should be really helpful to include in the example (and explain as needed). Thanks!
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.