Skip to content

Commit 8d765dc

Browse files
committed
validate(no-cdn-refs): file-level allowlist for build-side CDN tooling
Two files in this repo legitimately reference CDN domains as data: scripts/walkthrough.mts — emits SRI + CSP hashes for CDN scripts scripts/audit-deps.mts — scans generated HTML for unpkg specifiers Both inspect, hash, and rewrite CDN references at build time so the walkthrough can ship them with integrity + CSP enforcement. The rule's intent ("no accidental CDN runtime dependencies") doesn't apply — these are the scanner/rewriter. Move the self-skip into a named ALLOWED_FILES list and add the two files there. No behavior change for any file outside the list. The val code, shim JS/CSS, configs, and tests are still linted as before.
1 parent ccb3088 commit 8d765dc

1 file changed

Lines changed: 17 additions & 4 deletions

File tree

scripts/validate/no-cdn-refs.mts

Lines changed: 17 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -134,11 +134,24 @@ async function findTextFiles(
134134
/**
135135
* Check file contents for CDN references.
136136
*/
137+
// Files that legitimately reference CDN domains as data (regex
138+
// patterns, URL-extraction helpers, doc comments explaining which
139+
// CDN the code is built to handle). These aren't runtime loads — they
140+
// are the build-side tooling that inspects, fetches, hashes, and
141+
// rewrites CDN URLs for SRI + CSP enforcement. The validator's intent
142+
// ("no accidental CDN runtime dependencies") doesn't apply here.
143+
const ALLOWED_FILES = [
144+
/no-cdn-refs\.(m?[jt]s|cjs)$/, // self-skip
145+
// Build tooling for the walkthrough pilot — these files enumerate,
146+
// fetch, hash, and rewrite CDN references so they can ship with
147+
// integrity + CSP hashes. Any CDN reference in them is in the
148+
// scanner/rewriter, not a runtime dependency.
149+
/scripts[\\/]walkthrough\.mts$/,
150+
/scripts[\\/]audit-deps\.mts$/,
151+
]
152+
137153
async function checkFileForCdnRefs(filePath: string): Promise<CdnViolation[]> {
138-
// Skip this validator script itself (it mentions CDN domains by
139-
// necessity). Match any module extension — historically this was
140-
// .mjs, now it's .mts.
141-
if (/no-cdn-refs\.(m?[jt]s|cjs)$/.test(filePath)) {
154+
if (ALLOWED_FILES.some(re => re.test(filePath))) {
142155
return []
143156
}
144157

0 commit comments

Comments
 (0)