New Research: Supply Chain Attack on Axios Pulls Malicious Dependency from npm.Details →
Socket
Book a DemoSign in
Socket
Book a DemoSign in

gulp-sri-php

Package Overview
Dependencies
Maintainers
1
Versions
12
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

gulp-sri-php

Scan PHP files in Gulp and process script and stylesheet tags to add SRI attributes

latest
Source
npmnpm
Version
1.3.2
Version published
Maintainers
1
Created
Source

Description

Scan PHP (or other HTML-based) files in Gulp and process script and stylesheet tags to add Sub-Resource Integrity (SRI) attributes.

I tried other plugins, but found the following issues...

  • gulp-sri-hash - uses Cheerio, which expects HTML and fails on PHP tags
  • gulp-srizer - requires OpenSSL and doesn't work on Windows (uses 'cat')
  • gulp-sri - creates a JSON file with hashes but doesn't update the files inline

For these reasons, I decided to write my own.

This plugin doesn't worry about non-HTML tags (such as PHP), it uses the built in crypto module, and it updates the HTML tags that it finds as it goes. It also allows for multiple algorithms to be specified, which is pretty cool.

Tags will be ignored for the following reasons...

  • It already has an "integrity" attribute
  • It has an absolute reference (eg. starting http(s)://)
  • It's so mangled that the file path cannot be determined

Just to clarify, this plugin isn't specifically for PHP files, but will work with HTML tags in any file, such as a PHP file, without worrying about the non-HTML parts.

Status

NPM Version Stability Dependencies Development Dependencies Build Status Coverage Status

Requirements

  • Gulp - v3.9.1 or newer

Install

npm install gulp-sri-php --save-dev

Examples

  • gulpfile.js
  var gulp = require("gulp");
  var pump = require("pump");
  var sri = require("gulp-sri-php");
  var phpFiles = ["index.php"];

  gulp.task("php",function(cb) {
    pump([
      gulp.src(phpFiles),
      sri({verbose:true,algorithm:"sha384"}),
      gulp.dest("build")
    ],cb);
  });
  • index.php (before)
  <!DOCTYPE html>
  <html lang="en-gb">
    <head>
      <title>gulp-sri-php</title>
      <link rel="stylesheet" href="css/style.css">
      <script src="js/script.js" defer></script>
    </head>
    <body>
      <!-- etc -->
    </body>
  </html>
  • index.php (after)
  <!DOCTYPE html>
  <html lang="en-gb">
    <head>
      <title>gulp-sri-php</title>
      <link rel="stylesheet" href="css/style.css" integrity="sha384-54Zl+ll6X3PdHPKfBjEU8TtSZc29x/y3anYm06KOlBpMAZcRS9Zw4YwloXptTN0n" crossorigin="anonymous">
      <script src="js/script.js" defer integrity="sha384-1hPB2dkVqfc4TsrWjuj7Ot6EjZpPCT8SXkMPcFVS72GywaLYlgGGC21Bden2FYc0" crossorigin="anonymous"></script>
    </head>
    <body>
      <!-- etc -->
    </body>
  </html>

Configuration options

  • algorithm: The hashing algorithm(s) you want to use (string or array - default: ["sha256","sha384","sha512"])
  • verbose: Will output additional messages to the console (boolean - default: false)

Treat me to a beer!

PayPal

Keywords

gulp
html
sri
php
hash
gulpplugin

FAQs

Package last updated on 06 Apr 2020

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

Attackers Are Hunting High-Impact Node.js Maintainers in a Coordinated Social Engineering Campaign

Security News

Attackers Are Hunting High-Impact Node.js Maintainers in a Coordinated Social Engineering Campaign

Multiple high-impact npm maintainers confirm they have been targeted in the same social engineering campaign that compromised Axios.

By Sarah Gooding  -  Apr 03, 2026