bun_bun_bundle 0.12.1 → 0.14.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7c600790c95f2bacc7697a8d50cc9e74512a272709a8331efa6d6467656f6946
-  data.tar.gz: 434ce76cca79dc85965958b693a03e4f71761ec1c477c36430edff6e5346f188
+  metadata.gz: 39edf3123436dc20c093f42cf59baa94d7cfa12b80cb1024af6fac74d872a2e9
+  data.tar.gz: 170ca35cd0f7fa6e81ac9e156ea0e2a2830edef61b54393e2c1eb8b8dd6d36c4
 SHA512:
-  metadata.gz: 879819d9d12864a9091fdbcf8c86a88aa09582c3d2b9388ea0e2b1040ba8fc1922b833e272e669fced5cc7c1720cbd38b88a7c663796a7d1fe20e2bb3143afe0
-  data.tar.gz: c70195c48956b37ce6c8af700f05015f065b90089aa21501ee0365f8a40d7677a9a97b0195605e1b86bc681528824ed79ddeaaaa9eff1f10fc91dbeab2b074b1
+  metadata.gz: 2f25361191c1840f4642af90d0cac4e6836a069d6d7850fa4ebff0721b22c5044742776d8b6719efee4c604d09e6c39406f4a0cfeaf8733402680e42bea71b98
+  data.tar.gz: 852f04b4ff3ba7cd7110bb083e8effb1d9d0f7e38584e7686afa64ac42158dec178517bce103711f385e07166bebda6b3e71fa22fba368083f9251e84b313fa5

data/README.md

@@ -183,6 +183,9 @@ bun_bun_bundle build --fingerprint
 # Strip sourcemaps from a prod build
 bun_bun_bundle build --prod --sourcemap=none
 
+# Production build with Subresource Integrity digests
+bun_bun_bundle build --prod --sri=sha384
+
 # Development with verbose WebSocket logging
 bun_bun_bundle dev --debug
 ```
@@ -196,8 +199,16 @@ bun_bun_bundle dev --debug
   to `inline` in `dev` and `linked` for builds, so production stack traces
   and browser devtools stay debuggable. Pass `--sourcemap=none` when you
   explicitly do not want maps shipped.
+- `--sri[=ALGOS]`: compute [Subresource Integrity][sri] digests for each
+  asset. Pass a comma-separated list of `sha256`, `sha384`, or `sha512`
+  (bare `--sri` defaults to `sha384`). When digests are present, the
+  `bun_js_tag` and `bun_css_tag` helpers automatically render
+  `integrity="..." crossorigin="anonymous"` so browsers verify the response
+  before executing it
 - `--debug`: verbose WebSocket logging
 
+[sri]: https://developer.mozilla.org/docs/Web/Security/Subresource_Integrity
+
 > [!NOTE]
 > When running from a Procfile (e.g. with Overmind or Foreman), use
 > `bundle exec bun_bun_bundle` to ensure the correct gem version is loaded.
@@ -233,6 +244,10 @@ Place a `config/bun.json` in your project root:
 > Creating a `bun.json` file is entirely optional. All values shown above are
 > defaults, you only need to specify what you want to override.
 
+`watchDirs` entries may be glob patterns. For example, in a Hanami app with
+multiple slices, `"slices/*/assets"` will watch every slice's assets directory
+without having to list them explicitly.
+
 If you're developing inside a Docker container, set `listenHost` so the
 WebSocket server accepts connections from the host machine:
 

data/exe/bun_bun_bundle

@@ -27,6 +27,9 @@ else
       --minify            Minify JS and CSS output
       --sourcemap[=KIND]  Sourcemap kind: inline, linked, external, none
                           (dev defaults to inline, builds default to linked)
+      --sri[=ALGOS]       Compute Subresource Integrity digests for each
+                          asset (comma-separated: sha256, sha384, sha512;
+                          defaults to sha384)
       --debug             Enable verbose WebSocket logging
 
     Examples:
@@ -34,6 +37,7 @@ else
       bun_bun_bundle build                          # plain build
       bun_bun_bundle build --prod                   # fingerprint + minify
       bun_bun_bundle build --fingerprint            # fingerprint only
+      bun_bun_bundle build --prod --sri=sha384      # add integrity digests
       bun_bun_bundle build --prod --sourcemap=none  # strip sourcemaps
 
     Configuration:

data/lib/bun/bun_bundle.js

@@ -1,4 +1,4 @@
-import {mkdirSync, readFileSync, existsSync, rmSync, watch} from 'fs'
+import {mkdirSync, readFileSync, existsSync, rmSync, statSync, watch} from 'fs'
 import {join, dirname, basename, extname} from 'path'
 import {Glob} from 'bun'
 import {resolvePlugins} from './plugins/index.js'
@@ -24,16 +24,17 @@ export default {
   fingerprint: false,
   minify: false,
   sourcemap: null,
+  sri: [],
   wsClients: new Set(),
   watchTimers: new Map(),
+  watchers: [],
   plugins: [],
 
+  SRI_ALGORITHMS: ['sha256', 'sha384', 'sha512'],
+
   flags(input) {
-    const {debug, dev, prod, fingerprint, minify, sourcemap} = Array.isArray(
-      input
-    )
-      ? this.parseArgv(input)
-      : input
+    const {debug, dev, prod, fingerprint, minify, sourcemap, sri} =
+      Array.isArray(input) ? this.parseArgv(input) : input
     if (debug != null) this.debug = debug
     if (dev != null) this.dev = dev
     if (prod != null) this.prod = prod
@@ -42,31 +43,74 @@ export default {
     if (minify != null) this.minify = minify
     else if (prod === true) this.minify = true
     if (sourcemap != null) this.sourcemap = sourcemap
+    if (sri != null) this.sri = sri
   },
 
   SOURCEMAP_KINDS: ['inline', 'linked', 'external', 'none'],
+  BOOLEAN_FLAGS: ['debug', 'dev', 'prod', 'fingerprint', 'minify'],
 
   parseArgv(argv) {
+    return {
+      ...this.parseBooleanFlags(argv),
+      ...this.parseSourcemapFlag(argv),
+      ...this.parseSriFlag(argv)
+    }
+  },
+
+  parseBooleanFlags(argv) {
     const opts = {}
-    if (argv.includes('--debug')) opts.debug = true
-    if (argv.includes('--dev')) opts.dev = true
-    if (argv.includes('--prod')) opts.prod = true
-    if (argv.includes('--fingerprint')) opts.fingerprint = true
-    if (argv.includes('--minify')) opts.minify = true
-    const sm = argv.find(
-      a => a === '--sourcemap' || a.startsWith('--sourcemap=')
-    )
-    if (sm) {
-      const value = sm.includes('=') ? sm.split('=')[1] : 'linked'
-      if (this.SOURCEMAP_KINDS.includes(value)) opts.sourcemap = value
-      else
-        console.warn(
-          ` ▸ Ignoring --sourcemap=${value} (valid: ${this.SOURCEMAP_KINDS.join(', ')})`
-        )
+    for (const name of this.BOOLEAN_FLAGS) {
+      if (argv.includes(`--${name}`)) opts[name] = true
     }
     return opts
   },
 
+  findValueFlag(argv, name, defaultValue) {
+    const flag = argv.find(a => a === `--${name}` || a.startsWith(`--${name}=`))
+    if (!flag) return null
+    return flag.includes('=') ? flag.split('=')[1] : defaultValue
+  },
+
+  parseSourcemapFlag(argv) {
+    const value = this.findValueFlag(argv, 'sourcemap', 'linked')
+    if (value === null) return {}
+    if (this.SOURCEMAP_KINDS.includes(value)) return {sourcemap: value}
+    console.warn(
+      ` ▸ Ignoring --sourcemap=${value} (valid: ${this.SOURCEMAP_KINDS.join(', ')})`
+    )
+    return {}
+  },
+
+  parseSriFlag(argv) {
+    const value = this.findValueFlag(argv, 'sri', 'sha384')
+    if (value === null) return {}
+    const algos = value.split(',').map(a => a.trim()).filter(Boolean)
+    const valid = algos.filter(a => this.SRI_ALGORITHMS.includes(a))
+    const invalid = algos.filter(a => !this.SRI_ALGORITHMS.includes(a))
+    if (invalid.length) {
+      console.warn(
+        ` ▸ Ignoring --sri=${invalid.join(',')} (valid: ${this.SRI_ALGORITHMS.join(', ')})`
+      )
+    }
+    return valid.length ? {sri: valid} : {}
+  },
+
+  computeSri(content) {
+    if (!this.sri.length) return null
+    return this.sri.map(algo => {
+      const hasher = new Bun.CryptoHasher(algo)
+      hasher.update(content)
+      return `${algo}-${hasher.digest('base64')}`
+    })
+  },
+
+  manifestEntry(url, content) {
+    const entry = {url}
+    const sri = this.computeSri(content)
+    if (sri) entry.sri = sri
+    return entry
+  },
+
   deepMerge(target, source) {
     const result = {...target}
     for (const k of Object.keys(source))
@@ -186,7 +230,10 @@ export default {
       }
 
       await Bun.write(join(outDir, fileName), content)
-      this.manifest[`${type}/${entryName}${ext}`] = `${type}/${fileName}`
+      this.manifest[`${type}/${entryName}${ext}`] = this.manifestEntry(
+        `${type}/${fileName}`,
+        content
+      )
     }
   },
 
@@ -215,20 +262,20 @@ export default {
       for await (const file of glob.scan({cwd: fullDir, onlyFiles: true})) {
         const srcPath = join(fullDir, file)
         const content = await Bun.file(srcPath).arrayBuffer()
+        const bytes = new Uint8Array(content)
 
         const ext = extname(file)
         const name = file.slice(0, -ext.length) || file
-        const fileName = this.fingerprintName(
-          name,
-          ext,
-          new Uint8Array(content)
-        )
+        const fileName = this.fingerprintName(name, ext, bytes)
         const destPath = join(destDir, fileName)
 
         mkdirSync(dirname(destPath), {recursive: true})
         await Bun.write(destPath, content)
 
-        this.manifest[`${assetType}/${file}`] = `${assetType}/${fileName}`
+        this.manifest[`${assetType}/${file}`] = this.manifestEntry(
+          `${assetType}/${fileName}`,
+          bytes
+        )
       }
     }
   },
@@ -260,7 +307,10 @@ export default {
 
   prettyManifest() {
     const lines = Object.entries(this.manifest)
-      .map(([key, value]) => `  ${key} → ${value}`)
+      .map(([key, value]) => {
+        const url = value && typeof value === 'object' ? value.url : value
+        return `  ${key} → ${url}`
+      })
       .join('\n')
     return `\n${lines}\n\n`
   },
@@ -332,18 +382,38 @@ export default {
       })()
     }
 
-    for (const dir of this.config.watchDirs) {
-      const fullDir = join(this.root, dir)
-      if (!existsSync(fullDir)) {
-        console.warn(` ▸ Watch directory ${dir} does not exist, skipping...`)
-        continue
+    for (const pattern of this.config.watchDirs) {
+      const dirs = pattern.includes('*')
+        ? await Array.fromAsync(new Glob(pattern).scan({cwd: this.root, onlyFiles: false}))
+        : [pattern]
+      for (const dir of dirs) {
+        const fullDir = join(this.root, dir)
+        if (!existsSync(fullDir) || !statSync(fullDir).isDirectory()) {
+          console.warn(` ▸ Watch directory ${dir} does not exist, skipping...`)
+          continue
+        }
+        this.watchers.push(watch(fullDir, {recursive: true}, handler))
       }
-      watch(fullDir, {recursive: true}, handler)
     }
 
     console.log('Beginning to watch your project')
   },
 
+  shutdown() {
+    for (const w of this.watchers) {
+      try {
+        w.close()
+      } catch {}
+    }
+    this.watchers = []
+    for (const client of this.wsClients) {
+      try {
+        client.close()
+      } catch {}
+    }
+    this.wsClients.clear()
+  },
+
   async serve() {
     await this.build()
     await this.watch()
@@ -353,7 +423,7 @@ export default {
     const debug = this.debug
     const wsClients = this.wsClients
 
-    Bun.serve({
+    const server = Bun.serve({
       hostname,
       port,
       fetch(req, server) {
@@ -376,6 +446,15 @@ export default {
 
     const protocol = secure ? 'wss' : 'ws'
     console.log(`\n\n    🔌 Live reload at ${protocol}://${host}:${port}\n\n`)
+
+    process.on('SIGINT', () => {
+      console.log('\n ▸ Shutting down...')
+      this.shutdown()
+      try {
+        server.stop(true)
+      } catch {}
+      process.exit(0)
+    })
   },
 
   async bake() {

data/lib/bun_bun_bundle/helpers.rb

@@ -15,6 +15,8 @@ module BunBunBundle
   module Helpers
     include SafeHtml
 
+    FINGERPRINTED_CSS_REGEX = /-[0-9a-f]{8}\.css$/
+
     # Returns the public path to an asset from the manifest.
     #
     # Prepends the configured public_path and asset_host:
@@ -23,8 +25,7 @@ module BunBunBundle
     #   bun_asset("images/logo.png") # => "/assets/images/logo-abc123.png" (production)
     #
     def bun_asset(path)
-      fingerprinted = BunBunBundle.manifest[path]
-      "#{BunBunBundle.asset_host}#{BunBunBundle.config.public_path}/#{fingerprinted}"
+      bun_asset_url(bun_entry(path))
     end
 
     # Generates a <script> tag for a JS entry point.
@@ -33,8 +34,11 @@ module BunBunBundle
     #   # => '<script src="/assets/js/app.js" type="text/javascript"></script>'
     #
     def bun_js_tag(source, **options)
-      src = bun_asset(source)
-      attrs = { type: 'text/javascript' }.merge(options).merge(src: src)
+      entry = bun_entry(source)
+      attrs = { type: 'text/javascript' }
+              .merge(bun_sri_attrs(entry))
+              .merge(options)
+              .merge(src: bun_asset_url(entry))
       bun_safe(%(<script #{bun_html_attrs(attrs)}></script>))
     end
 
@@ -44,14 +48,19 @@ module BunBunBundle
     #   # => '<link href="/assets/css/app.css" type="text/css" rel="stylesheet">'
     #
     def bun_css_tag(source, **options)
+      entry = bun_entry(source)
       attrs = { type: 'text/css', rel: 'stylesheet' }
+              .merge(bun_sri_attrs(entry))
               .merge(options)
-              .merge(href: bun_href_with_timestamp(bun_asset(source)))
+              .merge(href: bun_href_with_timestamp(bun_asset_url(entry)))
       bun_safe(%(<link #{bun_html_attrs(attrs)}>))
     end
 
     # Generates an <img> tag for an image asset.
     #
+    # Subresource Integrity is intentionally not rendered on images: browsers
+    # do not enforce SRI for <img> elements.
+    #
     #   bun_img_tag("images/logo.png", alt: "Logo")
     #   # => '<img src="/assets/images/logo.png" alt="Logo">'
     #
@@ -64,6 +73,20 @@ module BunBunBundle
 
     private
 
+    def bun_entry(source)
+      BunBunBundle.manifest[source]
+    end
+
+    def bun_asset_url(entry)
+      "#{BunBunBundle.asset_host}#{BunBunBundle.config.public_path}/#{entry.url}"
+    end
+
+    def bun_sri_attrs(entry)
+      return {} if entry.sri.empty?
+
+      { integrity: entry.sri.join(' '), crossorigin: 'anonymous' }
+    end
+
     def bun_html_attrs(hash)
       bun_flatten_attrs(hash).compact.map do |k, v|
         k = k.to_s.tr('_', '-')
@@ -89,7 +112,7 @@ module BunBunBundle
     def bun_href_with_timestamp(href)
       config = BunBunBundle.config
       return href unless href.start_with?(config.public_path)
-      return href if href.match?(/-[0-9a-f]{8}\.css$/)
+      return href if href.match?(FINGERPRINTED_CSS_REGEX)
 
       file_path = href.sub(config.public_path, config.out_dir)
       mtime = File.exist?(file_path) ? File.mtime(file_path).to_i : Time.now.to_i

data/lib/bun_bun_bundle/manifest.rb

@@ -5,11 +5,30 @@ require 'json'
 module BunBunBundle
   class Manifest
     class MissingAssetError < StandardError; end
+    class MigrationError < StandardError; end
+    class InvalidEntryError < StandardError; end
+
+    Entry = Data.define(:url, :sri) do
+      def self.from(value)
+        value.is_a?(Hash) || raise(
+          MigrationError,
+          'Manifest predates bun_bun_bundle 0.13. Run: bun_bun_bundle build',
+        )
+
+        if (url = value['url']).nil? || url.empty?
+          raise InvalidEntryError, "Manifest entry is missing 'url'"
+        end
+
+        new(url: url, sri: Array(value['sri']).freeze)
+      end
+    end
 
     attr_reader :entries
 
     def initialize(entries = {})
-      @entries = entries.freeze
+      @entries = entries.transform_values do |value|
+        value.is_a?(Entry) ? value : Entry.from(value)
+      end.freeze
     end
 
     # Loads the manifest from a JSON file.

data/lib/bun_bun_bundle/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module BunBunBundle
-  VERSION = '0.12.1'
+  VERSION = '0.14.0'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: bun_bun_bundle
 version: !ruby/object:Gem::Version
-  version: 0.12.1
+  version: 0.14.0
 platform: ruby
 authors:
 - Wout Fierens
@@ -73,7 +73,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 4.0.6
+rubygems_version: 4.0.11
 specification_version: 4
 summary: A self-contained asset bundler powered by Bun
 test_files: []