
fix: omit integrity hashes for local vendor plugins#964

Merged
stevenjoezhang merged 1 commit into
next-theme:masterfrom
pivaldi:fix/local-sri
Jun 27, 2026

Conversation

@pivaldi

@pivaldi pivaldi commented Jun 27, 2026

Contributor

fix: omit SRI for local vendor assets

Problem

When vendors.plugins: local, the theme emits the hardcoded integrity
hashes from _vendors.yml on self-hosted vendor <link>/<script> tags.
Those hashes are computed for the CDN builds. As soon as the locally
bundled files differ byte-for-byte from the CDN build the hash was computed
for (for example when the vendor library is updated independently of the theme),
the browser's Subresource Integrity check fails, blocks every vendor asset,
and the page renders blank.

Fix

Subresource Integrity only adds value for cross-origin CDN assets, where
it protects against a compromised third party. Self-hosted (local) files are
served same-origin, so SRI provides little benefit there and is exactly what
breaks.

So in local mode we simply drop integrity (and crossorigin) instead
of carrying a hash that can mismatch:

     vendors[key] = {
       url      : links[plugins] || links.cdnjs,
-      integrity: value.integrity
+      integrity: plugins === 'local' ? undefined : value.integrity
     };
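Review bot: The `plugins === 'local'` branch only clears `integrity`; the description says `crossorigin` is dropped as well, but that depends entirely on the `next_vendors` helper omitting both attributes whenever the hash is absent, so it is worth confirming the helper checks for a falsy value rather than for the key being missing (`integrity: undefined` is still an own property of the object), and adding a unit test for `vendors.plugins: local` that asserts neither attribute is emitted, since the coverage report notes no coverable lines changed and the testing listed here is manual.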

The next_vendors helper already omits both attributes when the hash is
absent, so no other change is needed. CDN modes are unaffected — they keep
using the hardcoded _vendors.yml hashes.

Notes

Testing

  • vendors.plugins: local with vendor versions that differ from the CDN
    hashes: assets now load (previously blank page); generated tags carry no
    integrity/crossorigin.
  • vendors.plugins: cdnjs (and other CDN providers): unchanged — integrity
    and crossorigin still emitted from _vendors.yml.

@CLAassistant

CLAassistant commented Jun 27, 2026


CLA assistant check
All committers have signed the CLA.

@coveralls


Coverage Report for CI Build 28303488568

Coverage remained the same at 97.451%

Details

  • Coverage remained the same as the base build.
  • Patch coverage: No coverable lines changed in this PR.
  • No coverage regressions found.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

No coverage regressions found.


Coverage Stats

Coverage Status
Relevant Lines: 405
Covered Lines: 400
Line Coverage: 98.77%
Relevant Branches: 105
Covered Branches: 97
Branch Coverage: 92.38%
Branches in Coverage %: Yes
Coverage Strength: 3.63 hits per line

💛 - Coveralls

@stevenjoezhang stevenjoezhang merged commit 0bfb454 into next-theme:master Jun 27, 2026
11 checks passed
@welcome

welcome Bot commented Jun 27, 2026


Congrats on merging your first pull request here! 🎉 How awesome!

