importmap-rails 2.2.1 → 2.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c286a2385b19e8a170d991478ce228cfb1c0e27eb02fbda6349a889798caa85f
-  data.tar.gz: a40cea607756433bf36ad49e291e342f324a303c80e0286e980ee27c6c9001f9
+  metadata.gz: 91837e96107f59efa73a314dec3955a488f9f40826c27e116da43c5d9ef0a44a
+  data.tar.gz: ce9d44539cd6bb86b1e027c9c714dc8274b4a7b918ee0a67493b79b9eb58103f
 SHA512:
-  metadata.gz: 71fc6847c3860c86d611dad36554feab750059128eee5d72961da0cd6bc2ba6ec08dc96358bb7919f487243d7463ca304efbbbf68874d7b58c9b85580d652f75
-  data.tar.gz: 59b0d5ce601ef182abd5f1017f414eec8fea35d1e48e270b0edd10bcf0c59cd7c5e52c1af0dab4f98f0ea81972ce82004af3011d1f3399d152ce077fbbd7a7e1
+  metadata.gz: 95a4d846c8a808b8037e2425ad307e1cecd736051053e86f5c9739f9118375d81e0e967f64be3f6cee916d0ce7ca763fd7b236684f9b0889679b62f5718643a0
+  data.tar.gz: 5e20ed5b2d79945a603db1cf6e0e5d694a8a7ad7b96f5bb13e6e1083225034fcbf7ba2019acf397b004345bd4d54827895b9e4ffd5c831eb1fdfc2c051dcb063

data/README.md

@@ -81,12 +81,13 @@ If you want to import local js module files from `app/javascript/src` or other s
 pin_all_from 'app/javascript/src', under: 'src', to: 'src'
 
 # With automatic integrity calculation for enhanced security
+enable_integrity!
 pin_all_from 'app/javascript/controllers', under: 'controllers', integrity: true
 ```
 
 The `:to` parameter is only required if you want to change the destination logical import name. If you drop the :to option, you must place the :under option directly after the first parameter.
 
-The `integrity: true` option automatically calculates integrity hashes for all files in the directory, providing security benefits without manual hash management.
+The `enable_integrity!` call enables integrity calculation globally, and `integrity: true` automatically calculates integrity hashes for all files in the directory, providing security benefits without manual hash management.
 
 Allows you to:
 
@@ -142,12 +143,15 @@ For enhanced security, importmap-rails supports [Subresource Integrity (SRI)](ht
 
 ### Automatic integrity for local assets
 
-Starting with importmap-rails, **`integrity: true` is the default** for all pins. This automatically calculates integrity hashes for local assets served by the Rails asset pipeline:
+To enable automatic integrity calculation for local assets served by the Rails asset pipeline, you must first call `enable_integrity!` in your importmap configuration:
 
 ```ruby
 # config/importmap.rb
 
-# These all use integrity: true by default
+# Enable integrity calculation globally
+enable_integrity!
+
+# With integrity enabled, these will auto-calculate integrity hashes
 pin "application"                                               # Auto-calculated integrity
 pin "admin", to: "admin.js"                                     # Auto-calculated integrity
 pin_all_from "app/javascript/controllers", under: "controllers" # Auto-calculated integrity
@@ -163,7 +167,7 @@ This is particularly useful for:
 * **Bulk operations** with `pin_all_from` where calculating hashes manually would be tedious
 * **Development workflow** where asset contents change frequently
 
-This behavior can be disabled by setting `integrity: false` or `integrity: nil`
+**Note:** Integrity calculation is opt-in and must be enabled with `enable_integrity!`. This behavior can be further controlled by setting `integrity: false` or `integrity: nil` on individual pins.
 
 **Important for Propshaft users:** SRI support requires Propshaft 1.2+ and you must configure the integrity hash algorithm in your application:
 
@@ -174,7 +178,7 @@ config.assets.integrity_hash_algorithm = 'sha256'  # or 'sha384', 'sha512'
 
 Without this configuration, integrity will be disabled by default when using Propshaft. Sprockets includes integrity support out of the box.
 
-**Example output with `integrity: true`:**
+**Example output with `enable_integrity!` and `integrity: true`:**
 ```json
 {
   "imports": {

data/lib/importmap/commands.rb

@@ -15,13 +15,7 @@ class Importmap::Commands < Thor
   option :preload, type: :string, repeatable: true, desc: "Can be used multiple times"
   def pin(*packages)
     for_each_import(packages, env: options[:env], from: options[:from]) do |package, url|
-      puts %(Pinning "#{package}" to #{packager.vendor_path}/#{package}.js via download from #{url})
-
-      packager.download(package, url)
-
-      pin = packager.vendored_pin_for(package, url, options[:preload])
-
-      update_importmap_with_pin(package, pin)
+      pin_package(package, url, options[:preload])
     end
   end
 
@@ -96,7 +90,14 @@ class Importmap::Commands < Thor
   desc "update", "Update outdated package pins"
   def update
     if (outdated_packages = npm.outdated_packages).any?
-      pin(*outdated_packages.map(&:name))
+      package_names = outdated_packages.map(&:name)
+      packages_with_options = packager.extract_existing_pin_options(package_names)
+
+      for_each_import(package_names, env: "production", from: "jspm") do |package, url|
+        options = packages_with_options[package] || {}
+
+        pin_package(package, url, options[:preload])
+      end
     else
       puts "No outdated packages found"
     end
@@ -116,11 +117,23 @@ class Importmap::Commands < Thor
       @npm ||= Importmap::Npm.new
     end
 
+    def pin_package(package, url, preload)
+      puts %(Pinning "#{package}" to #{packager.vendor_path}/#{package}.js via download from #{url})
+
+      packager.download(package, url)
+
+      pin = packager.vendored_pin_for(package, url, preload)
+
+      update_importmap_with_pin(package, pin)
+    end
+
     def update_importmap_with_pin(package, pin)
+      new_pin = "#{pin}\n"
+
       if packager.packaged?(package)
-        gsub_file("config/importmap.rb", /^pin "#{package}".*$/, pin, verbose: false)
+        gsub_file("config/importmap.rb", Importmap::Map.pin_line_regexp_for(package), pin, verbose: false)
       else
-        append_to_file("config/importmap.rb", "#{pin}\n", verbose: false)
+        append_to_file("config/importmap.rb", new_pin, verbose: false)
       end
     end
 

data/lib/importmap/map.rb

@@ -3,9 +3,16 @@ require "pathname"
 class Importmap::Map
   attr_reader :packages, :directories
 
+  PIN_REGEX = /^pin\s+["']([^"']+)["']/.freeze # :nodoc:
+
+  def self.pin_line_regexp_for(package) # :nodoc:
+    /^.*pin\s+["']#{Regexp.escape(package)}["'].*$/.freeze
+  end
+
   class InvalidFile < StandardError; end
 
   def initialize
+    @integrity = false
     @packages, @directories = {}, {}
     @cache = {}
   end
@@ -25,6 +32,43 @@ class Importmap::Map
     self
   end
 
+  # Enables automatic integrity hash calculation for all pinned modules.
+  #
+  # When enabled, integrity values are included in the importmap JSON for all
+  # pinned modules. For local assets served by the Rails asset pipeline,
+  # integrity hashes are automatically calculated when +integrity: true+ is
+  # specified. For modules with explicit integrity values, those values are
+  # included as provided. This provides Subresource Integrity (SRI) protection
+  # to ensure JavaScript modules haven't been tampered with.
+  #
+  # Clears the importmap cache when called to ensure fresh integrity hashes
+  # are generated.
+  #
+  # ==== Examples
+  #
+  #   # config/importmap.rb
+  #   enable_integrity!
+  #
+  #   # These will now auto-calculate integrity hashes
+  #   pin "application"                   # integrity: true by default
+  #   pin "admin", to: "admin.js"         # integrity: true by default
+  #   pin_all_from "app/javascript/lib"   # integrity: true by default
+  #
+  #   # Manual control still works
+  #   pin "no_integrity", integrity: false
+  #   pin "custom_hash", integrity: "sha384-abc123..."
+  #
+  # ==== Notes
+  #
+  # * Integrity calculation is disabled by default and must be explicitly enabled
+  # * Requires asset pipeline support for integrity calculation (Sprockets or Propshaft 1.2+)
+  # * For Propshaft, you must configure +config.assets.integrity_hash_algorithm+
+  # * External CDN packages should provide their own integrity hashes
+  def enable_integrity!
+    clear_cache
+    @integrity = true
+  end
+
   def pin(name, to: nil, preload: true, integrity: true)
     clear_cache
     @packages[name] = MappedFile.new(name: name, path: to || "#{name}.js", preload: preload, integrity: integrity)
@@ -210,6 +254,8 @@ class Importmap::Map
     end
 
     def resolve_integrity_value(integrity, path, resolver:)
+      return unless @integrity
+
       case integrity
       when true
         resolver.asset_integrity(path) if resolver.respond_to?(:asset_integrity)

data/lib/importmap/npm.rb

@@ -3,7 +3,7 @@ require "uri"
 require "json"
 
 class Importmap::Npm
-  PIN_REGEX = /^pin ["']([^["']]*)["'].*/
+  PIN_REGEX = /#{Importmap::Map::PIN_REGEX}.*/.freeze # :nodoc:
 
   Error     = Class.new(StandardError)
   HTTPError = Class.new(Error)
@@ -17,7 +17,7 @@ class Importmap::Npm
   end
 
   def outdated_packages
-    packages_with_versions.each.with_object([]) do |(package, current_version), outdated_packages|
+    packages_with_versions.each_with_object([]) do |(package, current_version), outdated_packages|
       outdated_package = OutdatedPackage.new(name: package, current_version: current_version)
 
       if !(response = get_package(package))
@@ -51,7 +51,7 @@ class Importmap::Npm
   def packages_with_versions
     # We cannot use the name after "pin" because some dependencies are loaded from inside packages
     # Eg. pin "buffer", to: "https://ga.jspm.io/npm:@jspm/core@2.0.0-beta.19/nodelibs/browser/buffer.js"
-    with_versions = importmap.scan(/^pin .*(?<=npm:|npm\/|skypack\.dev\/|unpkg\.com\/)(.*)(?=@\d+\.\d+\.\d+)@(\d+\.\d+\.\d+(?:[^\/\s["']]*)).*$/) |
+    with_versions = importmap.scan(/^pin .*(?<=npm:|npm\/|skypack\.dev\/|unpkg\.com\/)([^@\/]+)@(\d+\.\d+\.\d+(?:[^\/\s"']*))/) |
       importmap.scan(/#{PIN_REGEX} #.*@(\d+\.\d+\.\d+(?:[^\s]*)).*$/)
 
     vendored_packages_without_version(with_versions).each do |package, path|
@@ -147,7 +147,7 @@ class Importmap::Npm
     end
 
     def find_unversioned_vendored_package(line, versioned_packages)
-      regexp = line.include?("to:")? /#{PIN_REGEX}to: ["']([^["']]*)["'].*/ : PIN_REGEX
+      regexp = line.include?("to:")? /#{PIN_REGEX}to: ["']([^"']*)["'].*/ : PIN_REGEX
       match = line.match(regexp)
 
       return unless match

data/lib/importmap/packager.rb

@@ -3,6 +3,9 @@ require "uri"
 require "json"
 
 class Importmap::Packager
+  PIN_REGEX = /#{Importmap::Map::PIN_REGEX}(.*)/.freeze # :nodoc:
+  PRELOAD_OPTION_REGEXP = /preload:\s*(\[[^\]]+\]|true|false|["'][^"']*["'])/.freeze # :nodoc:
+
   Error        = Class.new(StandardError)
   HTTPError    = Class.new(Error)
   ServiceError = Error.new(Error)
@@ -51,7 +54,7 @@ class Importmap::Packager
   end
 
   def packaged?(package)
-    importmap.match(/^pin ["']#{package}["'].*$/)
+    importmap.match(Importmap::Map.pin_line_regexp_for(package))
   end
 
   def download(package, url)
@@ -65,14 +68,57 @@ class Importmap::Packager
     remove_package_from_importmap(package)
   end
 
+  def extract_existing_pin_options(packages)
+    return {} unless @importmap_path.exist?
+
+    packages = Array(packages)
+
+    all_package_options = build_package_options_lookup(importmap.lines)
+
+    packages.to_h do |package|
+      [package, all_package_options[package] || {}]
+    end
+  end
+
   private
+    def build_package_options_lookup(lines)
+      lines.each_with_object({}) do |line, package_options|
+        match = line.strip.match(PIN_REGEX)
+
+        if match
+          package_name = match[1]
+          options_part = match[2]
+
+          preload_match = options_part.match(PRELOAD_OPTION_REGEXP)
+
+          if preload_match
+            preload = preload_from_string(preload_match[1])
+            package_options[package_name] = { preload: preload }
+          end
+        end
+      end
+    end
+
+    def preload_from_string(value)
+      case value
+      when "true"
+        true
+      when "false"
+        false
+      when /^\[.*\]$/
+        JSON.parse(value)
+      else
+        value.gsub(/["']/, "")
+      end
+    end
+
     def preload(preloads)
       case Array(preloads)
       in []
         ""
-      in ["true"]
+      in ["true"] | [true]
         %(, preload: true)
-      in ["false"]
+      in ["false"] | [false]
         %(, preload: false)
       in [string]
         %(, preload: "#{string}")
@@ -129,7 +175,7 @@ class Importmap::Packager
 
     def remove_package_from_importmap(package)
       all_lines = File.readlines(@importmap_path)
-      with_lines_removed = all_lines.grep_v(/pin ["']#{package}["']/)
+      with_lines_removed = all_lines.grep_v(Importmap::Map.pin_line_regexp_for(package))
 
       File.open(@importmap_path, "w") do |file|
         with_lines_removed.each { |line| file.write(line) }

data/lib/importmap/version.rb

@@ -1,3 +1,3 @@
 module Importmap
-  VERSION = "2.2.1"
+  VERSION = "2.2.2"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: importmap-rails
 version: !ruby/object:Gem::Version
-  version: 2.2.1
+  version: 2.2.2
 platform: ruby
 authors:
 - David Heinemeier Hansson