grunt-sri
Advanced tools
Readme
This tool generates a JSON manifest of file hashes & sub-resource integrity data.
npm install --save-dev grunt-sri
Add the following to your Gruntfile.js:
module.exports = function (grunt) {
"use strict";
grunt.loadNpmTasks("grunt-sri");
grunt.initConfig({
"sri": {
// Use the default settings for *everything* in ./public/css
"bobsDefaultTask": {
"src": [
"public/**/*.css"
]
},
// Create a second manifest with custom settings
"janesCustomTask": {
"options": {
"algorithms": ["sha256"],
"dest": "./public/sri-directives.json",
"targetProp": "payload"
},
"files": [
{
src: "public/css/example.css",
type: "text/css",
id: "cssfile1"
},
{
src: "public/css/other.css"
}
]
}
}
});
grunt.registerTask("default", ["sri"]);
};
Run the command grunt. The manifest file will be created.
"./payload.json"false (overwrite)["sha256", "sha512"]nullfalseMetadata is stored in JSON format.
./payload.json.Example:
{
"@cssfile1": {
"path": "public/css/example.css",
"type": "text/css",
"integrity": "type:text/css sha256-XXXX sha512-XXXXXXXX",
"hashes": {
"sha256": "XXXX",
"sha512": "XXXXXXXX"
}
}
}
Data from the manifest can be loaded into markup.
Use the integrity property for SRI integrity attributes, a hash from hashes as a URL parameter for client-side caching, etc.
// In production, consider compiling JSON to PHP assoc arrays
$payload = json_decode(file_get_contents("./payload.json"), true);
$sri = function (id) {
return $payload["payload"][id];
}
$element = "<link
href='/style.css?cache={ sri("@cssfile1")["hashes"]["sha256"] }'
integrity='{ $sri("@cssfile1")["integrity"] }'
rel='stylesheet'>";
Note: Node apps should use subresource or handlebars-helper-sri, which don't require a build step.
// ES6
var payload = require("./payload.json");
var sri = (id) => payload.payload[id];
var element = `<link
href='/style.css?cache=${ sri("@cssfile1").hashes.sha256 }'
integrity='${ sri("@cssfile1").integrity }'
rel='stylesheet'>`;
This tool follows SemVer from v0.1.0, as SRI is now a W3C recommendation.
Changes to the V1 SRI spec will be tracked with minor releases.
FAQs
Client-side caching & SRI generation for Grunt
We found that grunt-sri demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 3 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Socket is joining forces with CISA and other industry leaders at the RSA Conference to sign the Secure by Design pledge, committing to uphold the highest security standards in our products.
Research
The Socket research team breaks down a sampling of malicious packages that download and execute files, among other suspicious behaviors, targeting the popular Discord platform.
Security News
Socket CEO Feross Aboukhadijeh joins a16z partners to discuss how modern, sophisticated supply chain attacks require AI-driven defenses and explore the challenges and solutions in leveraging AI for threat detection early in the development life cycle.