npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

gulp-sri-hash

v2.2.1

Published

Gulp plugin for adding Sub-Resource-Integrity (SRI) hashes in-place to asset links found in HTML files.

Downloads

1,144

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

macedigitalmacedigital

Keywords

gulppluginsrisub-resource-integrity

Readme

gulp-sri-hash

Greenkeeper badge

NPM Version Dependency Status Build Status Build Status Code Coverage status

Adds Subresource Integrity (SRI) hashes to HTML files.

It does so, by parsing the contents of passed in HTML files with cheerio, looking for <link rel=stylesheet href=URL> and <script src=URL> DOM-nodes, computing checksums for found referenced files, and adding integrity=<HASH> attributes in-place to respective DOM-nodes.

Inspiration for this plugin came from working with static site generators.

For an alternative approach, have a look at the gulp-sri plugin.

Installation

Install package with NPM and add it to your development dependencies:

npm install gulp-sri-hash --save-dev

Usage

const sriHash = require('gulp-sri-hash');

gulp.task('sri', () => {
  return gulp.src('./**/*.html')
    // do not modify contents of any referenced css- and js-files after this task...
    .pipe(sriHash())
    // ... manipulating html files further, is perfectly fine
    .pipe(gulp.dest('./dist/'));
});

This will look for css and js file references contained in all html-files, calculate SRI-hashes for those files, and add integrity=<HASH> attributes for those references.

Referenced css- and js-files must be accessible from the local filesystem. In order to calculate correct hashes, style and script files should not be modified any further by build steps running later.

Line Endings:

Content hashing is sensitive to differences in line-endings. On Windows, the default is CRLF, whereas (all?) other Operating Systems default to LF. You're good, as long the files use the same end-of-line sequence locally as well as on the server that delivers those asset files. On the other hand, a change of line-endings after content hashing will cause a file checksum mismatch.

API

algo (optional)

  • Type: String
  • Default: sha384
  • Since: v1.0.0

Select hashing algorithm. Supported algorithms: sha256, sha384, and sha512.

prefix (optional)

  • Type: String
  • Default: ''
  • Since: v1.1.0

Strips string from beginning of referenced URI in HTML files. Useful if references do not match directory structure or already contain CDN hostname.

selector (optional)

  • Type: String
  • Default: link[href][rel=stylesheet]:not([integrity]), script[src]:not([integrity])
  • Since: v1.1.0

Only look for nodes matching this custom (jQuery-style) selector.

relative (optional)

  • Type: Boolean
  • Default: false
  • Since: v1.2.0

Controls whether referenced files should be resolved relative to a base folder, or relative to the location of the HTML file.

Inspired by https://github.com/macedigital/gulp-sri-hash/pull/1.

cacheParser (optional)

  • Type: Boolean
  • Default: false
  • Since: v2.2.0

Controls whether to permit cached cheerio instances, e.g. when using gulp-cheerio in a previous build step. Be careful when enabling this feature as it can have unintended side-effects.

Example

Following snippet shows all options in action:

  // ...
  .pipe(sriHash({
    algo: 'sha512',         // use strong hashing
    prefix: '/assets',      // no trailing slash
    selector: 'link[href]', // limit selector
    relative: true          // assets reside relative to html file
  }))
  // ...

Changelog

Since v2.0.0:

Require a peer-dependency of gulp 4.x and drop support for nodejs 4.x which reached its End-of-Life on April 30th 2018.

Since v1.4.0:

Querystring-like components in file paths are ignored when resolving local files. As an example, the given string /folder/style.css?v=somehash will resolve to local file /folder/style.css.

Since v1.3.0:

A crossorigin=anonymous attribute will be added to all updated DOM nodes, unless the attribute has been already been set to value use-credentials. In the latter case the crossorigin attribute is left unchanged.

LICENSE

MIT License