importmap-rails 2.2.0 → 2.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: '079361e5c1e2b84206422fb3f2a5de6f6969c07a29e73d40843986d1549410ce'
-  data.tar.gz: 61e335f52eacd06ffb635e4400ac68701e58cb57a9edfd7d38cc53a1a173c7a9
+  metadata.gz: c286a2385b19e8a170d991478ce228cfb1c0e27eb02fbda6349a889798caa85f
+  data.tar.gz: a40cea607756433bf36ad49e291e342f324a303c80e0286e980ee27c6c9001f9
 SHA512:
-  metadata.gz: 1c92850ba94cc450f18b1554675737f94eff235e5b51d2922cbb1433a9cd6f3be065a839a72b93661feb7b1f346177b43fbf558a6b9f30445e232f7446e2071a
-  data.tar.gz: 0be5aa11b95db77526ef6d933eeca0197346ba69ce5ef6a5148fb871eb7f986c050399c177cce0ccd8178dcb05ccd69a6d673b8efabadc382fea79284df7105c
+  metadata.gz: 71fc6847c3860c86d611dad36554feab750059128eee5d72961da0cd6bc2ba6ec08dc96358bb7919f487243d7463ca304efbbbf68874d7b58c9b85580d652f75
+  data.tar.gz: 59b0d5ce601ef182abd5f1017f414eec8fea35d1e48e270b0edd10bcf0c59cd7c5e52c1af0dab4f98f0ea81972ce82004af3011d1f3399d152ce077fbbd7a7e1

data/README.md

@@ -138,73 +138,24 @@ Unpinning and removing "react"
 
 ## Subresource Integrity (SRI)
 
-For enhanced security, importmap-rails automatically includes [Subresource Integrity (SRI)](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) hashes by default when pinning packages. This ensures that JavaScript files loaded from CDNs haven't been tampered with.
-
-### Default behavior with integrity
-
-When you pin a package, integrity hashes are automatically included:
-
-```bash
-./bin/importmap pin lodash
-Pinning "lodash" to vendor/javascript/lodash.js via download from https://ga.jspm.io/npm:lodash@4.17.21/lodash.js
-  Using integrity: sha384-PkIkha4kVPRlGtFantHjuv+Y9mRefUHpLFQbgOYUjzy247kvi16kLR7wWnsAmqZF
-```
-
-This generates a pin in your `config/importmap.rb` with the integrity hash:
-
-```ruby
-pin "lodash", integrity: "sha384-PkIkha4kVPRlGtFantHjuv+Y9mRefUHpLFQbgOYUjzy247kvi16kLR7wWnsAmqZF" # @4.17.21
-```
-
-### Opting out of integrity
-
-If you need to disable integrity checking (not recommended for security reasons), you can use the `--no-integrity` flag:
-
-```bash
-./bin/importmap pin lodash --no-integrity
-Pinning "lodash" to vendor/javascript/lodash.js via download from https://ga.jspm.io/npm:lodash@4.17.21/lodash.js
-```
-
-This generates a pin without integrity:
-
-```ruby
-pin "lodash" # @4.17.21
-```
-
-### Adding integrity to existing pins
-
-If you have existing pins without integrity hashes, you can add them using the `integrity` command:
-
-```bash
-# Add integrity to specific packages
-./bin/importmap integrity lodash react
-
-# Add integrity to all pinned packages
-./bin/importmap integrity
-
-# Update your importmap.rb file with integrity hashes
-./bin/importmap integrity --update
-```
+For enhanced security, importmap-rails supports [Subresource Integrity (SRI)](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) hashes for packages loaded from external CDNs.
 
 ### Automatic integrity for local assets
 
-For local assets served by the Rails asset pipeline (like those created with `pin` or `pin_all_from`), you can use `integrity: true` to automatically calculate integrity hashes from the compiled assets:
+Starting with importmap-rails, **`integrity: true` is the default** for all pins. This automatically calculates integrity hashes for local assets served by the Rails asset pipeline:
 
 ```ruby
 # config/importmap.rb
 
-# Automatically calculate integrity from asset pipeline
-pin "application", integrity: true
-pin "admin", to: "admin.js", integrity: true
-
-# Works with pin_all_from too
-pin_all_from "app/javascript/controllers", under: "controllers", integrity: true
-pin_all_from "app/javascript/lib", under: "lib", integrity: true
+# These all use integrity: true by default
+pin "application"                                               # Auto-calculated integrity
+pin "admin", to: "admin.js"                                     # Auto-calculated integrity
+pin_all_from "app/javascript/controllers", under: "controllers" # Auto-calculated integrity
 
-# Mixed usage
-pin "local_module", integrity: true              # Auto-calculated
-pin "cdn_package", integrity: "sha384-abc123..." # Pre-calculated
-pin "no_integrity_package"                       # No integrity (default)
+# Mixed usage - explicitly controlling integrity
+pin "cdn_package", integrity: "sha384-abc123..." # Pre-calculated hash
+pin "no_integrity_package", integrity: false     # Explicitly disable integrity
+pin "nil_integrity_package", integrity: nil      # Explicitly disable integrity
 ```
 
 This is particularly useful for:
@@ -212,11 +163,16 @@ This is particularly useful for:
 * **Bulk operations** with `pin_all_from` where calculating hashes manually would be tedious
 * **Development workflow** where asset contents change frequently
 
-The `integrity: true` option:
-* Uses the Rails asset pipeline's built-in integrity calculation
-* Works with both Sprockets and Propshaft
-* Automatically updates when assets are recompiled
-* Gracefully handles missing assets (returns `nil` for non-existent files)
+This behavior can be disabled by setting `integrity: false` or `integrity: nil`
+
+**Important for Propshaft users:** SRI support requires Propshaft 1.2+ and you must configure the integrity hash algorithm in your application:
+
+```ruby
+# config/application.rb or config/environments/*.rb
+config.assets.integrity_hash_algorithm = 'sha256'  # or 'sha384', 'sha512'
+```
+
+Without this configuration, integrity will be disabled by default when using Propshaft. Sprockets includes integrity support out of the box.
 
 **Example output with `integrity: true`:**
 ```json
@@ -240,10 +196,14 @@ The integrity hashes are automatically included in your import map and module pr
 ```json
 {
   "imports": {
-    "lodash": "https://ga.jspm.io/npm:lodash@4.17.21/lodash.js"
+    "lodash": "https://ga.jspm.io/npm:lodash@4.17.21/lodash.js",
+    "application": "/assets/application-abc123.js",
+    "controllers/hello_controller": "/assets/controllers/hello_controller-def456.js"
   },
   "integrity": {
     "https://ga.jspm.io/npm:lodash@4.17.21/lodash.js": "sha384-PkIkha4kVPRlGtFantHjuv+Y9mRefUHpLFQbgOYUjzy247kvi16kLR7wWnsAmqZF"
+    "/assets/application-abc123.js": "sha256-xyz789...",
+    "/assets/controllers/hello_controller-def456.js": "sha256-uvw012..."
   }
 }
 ```
@@ -251,22 +211,12 @@ The integrity hashes are automatically included in your import map and module pr
 **Module preload tags:**
 ```html
 <link rel="modulepreload" href="https://ga.jspm.io/npm:lodash@4.17.21/lodash.js" integrity="sha384-PkIkha4kVPRlGtFantHjuv+Y9mRefUHpLFQbgOYUjzy247kvi16kLR7wWnsAmqZF">
+<link rel="modulepreload" href="/assets/application-abc123.js" integrity="sha256-xyz789...">
+<link rel="modulepreload" href="/assets/controllers/hello_controller-def456.js" integrity="sha256-uvw012...">
 ```
 
 Modern browsers will automatically validate these integrity hashes when loading the JavaScript modules, ensuring the files haven't been modified.
 
-### Redownloading packages with integrity
-
-The `pristine` command also includes integrity by default:
-
-```bash
-# Redownload all packages with integrity (default)
-./bin/importmap pristine
-
-# Redownload packages without integrity
-./bin/importmap pristine --no-integrity
-```
-
 ## Preloading pinned modules
 
 To avoid the waterfall effect where the browser has to load one file after another before it can get to the deepest nested import, importmap-rails uses [modulepreload links](https://developers.google.com/web/updates/2017/12/modulepreload) by default. If you don't want to preload a dependency, because you want to load it on-demand for efficiency, append `preload: false` to the pin.

data/lib/importmap/commands.rb

@@ -13,19 +13,15 @@ class Importmap::Commands < Thor
   option :env, type: :string, aliases: :e, default: "production"
   option :from, type: :string, aliases: :f, default: "jspm"
   option :preload, type: :string, repeatable: true, desc: "Can be used multiple times"
-  option :integrity, type: :boolean, aliases: :i, default: true, desc: "Include integrity hash from JSPM"
   def pin(*packages)
-    with_import_response(packages, env: options[:env], from: options[:from], integrity: options[:integrity]) do |imports, integrity_hashes|
-      process_imports(imports, integrity_hashes) do |package, url, integrity_hash|
-        puts %(Pinning "#{package}" to #{packager.vendor_path}/#{package}.js via download from #{url})
+    for_each_import(packages, env: options[:env], from: options[:from]) do |package, url|
+      puts %(Pinning "#{package}" to #{packager.vendor_path}/#{package}.js via download from #{url})
 
-        packager.download(package, url)
+      packager.download(package, url)
 
-        pin = packager.vendored_pin_for(package, url, options[:preload], integrity: integrity_hash)
+      pin = packager.vendored_pin_for(package, url, options[:preload])
 
-        log_integrity_usage(integrity_hash)
-        update_importmap_with_pin(package, pin)
-      end
+      update_importmap_with_pin(package, pin)
     end
   end
 
@@ -33,12 +29,10 @@ class Importmap::Commands < Thor
   option :env, type: :string, aliases: :e, default: "production"
   option :from, type: :string, aliases: :f, default: "jspm"
   def unpin(*packages)
-    with_import_response(packages, env: options[:env], from: options[:from]) do |imports, _integrity_hashes|
-      imports.each do |package, url|
-        if packager.packaged?(package)
-          puts %(Unpinning and removing "#{package}")
-          packager.remove(package)
-        end
+    for_each_import(packages, env: options[:env], from: options[:from]) do |package, url|
+      if packager.packaged?(package)
+        puts %(Unpinning and removing "#{package}")
+        packager.remove(package)
       end
     end
   end
@@ -46,18 +40,13 @@ class Importmap::Commands < Thor
   desc "pristine", "Redownload all pinned packages"
   option :env, type: :string, aliases: :e, default: "production"
   option :from, type: :string, aliases: :f, default: "jspm"
-  option :integrity, type: :boolean, aliases: :i, default: true, desc: "Include integrity hash from JSPM"
   def pristine
     packages = prepare_packages_with_versions
 
-    with_import_response(packages, env: options[:env], from: options[:from], integrity: options[:integrity]) do |imports, integrity_hashes|
-      process_imports(imports, integrity_hashes) do |package, url, integrity_hash|
-        puts %(Downloading "#{package}" to #{packager.vendor_path}/#{package}.js from #{url})
+    for_each_import(packages, env: options[:env], from: options[:from]) do |package, url|
+      puts %(Downloading "#{package}" to #{packager.vendor_path}/#{package}.js from #{url})
 
-        packager.download(package, url)
-
-        log_integrity_usage(integrity_hash)
-      end
+      packager.download(package, url)
     end
   end
 
@@ -118,33 +107,6 @@ class Importmap::Commands < Thor
     puts npm.packages_with_versions.map { |x| x.join(' ') }
   end
 
-  desc "integrity [*PACKAGES]", "Download and add integrity hashes for packages"
-  option :env, type: :string, aliases: :e, default: "production"
-  option :from, type: :string, aliases: :f, default: "jspm"
-  option :update, type: :boolean, aliases: :u, default: false, desc: "Update importmap.rb with integrity hashes"
-  def integrity(*packages)
-    packages = prepare_packages_with_versions(packages)
-
-    with_import_response(packages, env: options[:env], from: options[:from], integrity: true) do |imports, integrity_hashes|
-      process_imports(imports, integrity_hashes) do |package, url, integrity_hash|
-        puts %(Getting integrity for "#{package}" from #{url})
-
-        if integrity_hash
-          puts %(  #{package}: #{integrity_hash})
-
-          if options[:update]
-            pin_with_integrity = packager.pin_for(package, url, integrity: integrity_hash)
-
-            update_importmap_with_pin(package, pin_with_integrity)
-            puts %(  Updated importmap.rb with integrity for "#{package}")
-          end
-        else
-          puts %(  No integrity hash available for "#{package}")
-        end
-      end
-    end
-  end
-
   private
     def packager
       @packager ||= Importmap::Packager.new
@@ -162,10 +124,6 @@ class Importmap::Commands < Thor
       end
     end
 
-    def log_integrity_usage(integrity_hash)
-      puts %(  Using integrity: #{integrity_hash}) if integrity_hash
-    end
-
     def handle_package_not_found(packages, from)
       puts "Couldn't find any packages in #{packages.inspect} on #{from}"
     end
@@ -205,18 +163,11 @@ class Importmap::Commands < Thor
       end
     end
 
-    def process_imports(imports, integrity_hashes, &block)
-      imports.each do |package, url|
-        integrity_hash = integrity_hashes[url]
-        block.call(package, url, integrity_hash)
-      end
-    end
-
-    def with_import_response(packages, **options)
+    def for_each_import(packages, **options, &block)
       response = packager.import(*packages, **options)
 
       if response
-        yield response[:imports], response[:integrity]
+        response[:imports].each(&block)
       else
         handle_package_not_found(packages, options[:from])
       end

data/lib/importmap/map.rb

@@ -25,12 +25,12 @@ class Importmap::Map
     self
   end
 
-  def pin(name, to: nil, preload: true, integrity: nil)
+  def pin(name, to: nil, preload: true, integrity: true)
     clear_cache
     @packages[name] = MappedFile.new(name: name, path: to || "#{name}.js", preload: preload, integrity: integrity)
   end
 
-  def pin_all_from(dir, under: nil, to: nil, preload: true, integrity: nil)
+  def pin_all_from(dir, under: nil, to: nil, preload: true, integrity: true)
     clear_cache
     @directories[dir] = MappedDir.new(dir: dir, under: under, path: to, preload: preload, integrity: integrity)
   end

data/lib/importmap/packager.rb

@@ -17,13 +17,12 @@ class Importmap::Packager
     @vendor_path    = Pathname.new(vendor_path)
   end
 
-  def import(*packages, env: "production", from: "jspm", integrity: false)
+  def import(*packages, env: "production", from: "jspm")
     response = post_json({
       "install"      => Array(packages),
       "flattenScope" => true,
       "env"          => [ "browser", "module", env ],
       "provider"     => normalize_provider(from),
-      "integrity"    => integrity
     })
 
     case response.code
@@ -36,20 +35,19 @@ class Importmap::Packager
     end
   end
 
-  def pin_for(package, url = nil, preloads: nil, integrity: nil)
+  def pin_for(package, url = nil, preloads: nil)
     to = url ? %(, to: "#{url}") : ""
     preload_param = preload(preloads)
-    integrity_param = integrity ? %(, integrity: "#{integrity}") : ""
 
-     %(pin "#{package}") + to + preload_param + integrity_param
+     %(pin "#{package}") + to + preload_param
   end
 
-  def vendored_pin_for(package, url, preloads = nil, integrity: nil)
+  def vendored_pin_for(package, url, preloads = nil)
     filename = package_filename(package)
     version  = extract_package_version_from(url)
     to = "#{package}.js" != filename ? filename : nil
 
-    pin_for(package, to, preloads: preloads, integrity: integrity) + %( # #{version})
+    pin_for(package, to, preloads: preloads) + %( # #{version})
   end
 
   def packaged?(package)
@@ -96,11 +94,9 @@ class Importmap::Packager
     def extract_parsed_response(response)
       parsed = JSON.parse(response.body)
       imports = parsed.dig("map", "imports")
-      integrity = parsed.dig("map", "integrity") || {}
 
       {
         imports: imports,
-        integrity: integrity
       }
     end
 

data/lib/importmap/version.rb

@@ -1,3 +1,3 @@
 module Importmap
-  VERSION = "2.2.0"
+  VERSION = "2.2.1"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: importmap-rails
 version: !ruby/object:Gem::Version
-  version: 2.2.0
+  version: 2.2.1
 platform: ruby
 authors:
 - David Heinemeier Hansson