@dintero/sri-to-dist 1.0.3

package/LICENSE

@@ -0,0 +1,20 @@
+MIT License
+
+Copyright 2025 Dintero
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

package/README.md

@@ -0,0 +1,64 @@
+# sri-to-dist
+
+[![Actions Status](https://github.com/Dintero/sri-to-dist/workflows/CI/badge.svg?branch=master)](https://github.com/Dintero/sri-to-dist/actions?query=branch%3Amaster+workflow%3ACI+) [![npm latest version](https://img.shields.io/npm/v/@dintero/sri-to-dist/latest.svg)](https://www.npmjs.com/package/@dintero/sri-to-dist)
+
+A tool to add subresource integrity (SRI) hashes to HTML files.
+
+## Installation
+
+```bash
+npm install -g @dintero/sri-to-dist
+# or
+npx @dintero/sri-to-dist
+```
+
+## Usage
+
+```bash
+sri-to-dist -i input.html -o output.html
+sri-to-dist --input input.html --output output.html --base-url https://example.com
+```
+
+### Options
+
+- `-i, --input <file>`: Input HTML file (required)
+- `-o, --output <file>`: Output HTML file (optional, defaults to stdout)
+- `-b, --base-url <url>`: Base URL for resolving relative paths (optional)
+- `-n, --no-remote <url>`: Optional flag, no remote sri files allowed
+- `-v, --verify <url>`: Optional flag, verify that all sri resources from input have correct sha384 hashes
+
+## License
+
+MIT
+
+## Security
+
+Contact us at [security@dintero.com](mailto:security@dintero.com)
+
+
+## Step 8: Build and test locally
+
+```bash
+npm install
+npm run build
+npm run test
+npm link  # This makes your package available globally for testing
+```
+
+Now you can run:
+
+```bash
+sri-to-dist -i test.html
+```
+
+## Step 9: Publish to npm
+
+```bash
+npm login
+npm publish
+```
+
+## Creating a new release
+
+1. Enforce all commits to the master branch to be formatted according to the [Angular Commit Message Format](https://github.com/angular/angular/blob/master/CONTRIBUTING.md#-commit-message-format)
+2. When merged to master, it will automatically be released with [semantic-release](https://github.com/semantic-release/semantic-release)

package/bin/sri-to-dist.js

@@ -0,0 +1,4 @@
+#!/usr/bin/env node
+
+// This shim loads the compiled JavaScript
+require("../dist/index.js");

package/dist/package.json

@@ -0,0 +1,57 @@
+{
+    "name": "@dintero/sri-to-dist",
+    "version": "1.0.3",
+    "description": "HTML tool for adding subresource integrity hashes",
+    "main": "dist/index.js",
+    "types": "dist/index.d.ts",
+    "bin": {
+        "sri-to-dist": "bin/sri-to-dist.js"
+    },
+    "files": [
+        "dist",
+        "bin"
+    ],
+    "scripts": {
+        "build": "tsc",
+        "prepare": "npm run build",
+        "start": "node bin/sri-to-dist.js",
+        "test": "vitest run",
+        "test:watch": "vitest",
+        "lint": "biome lint .",
+        "format": "biome format . --write",
+        "prepublishOnly": "yarn run build"
+    },
+    "keywords": [
+        "subresource",
+        "integrity",
+        "sri",
+        "html",
+        "security"
+    ],
+    "homepage": "https://github.com/Dintero/sri-to-dist?tab=readme-ov-file#sri-to-dist",
+    "author": "Sven Nicolai Viig <sven@dintero.com> (http://dintero.com)",
+    "license": "MIT",
+    "devDependencies": {
+        "@biomejs/biome": "1.9.4",
+        "@types/node": "22.14.0",
+        "@types/temp": "0.9.4",
+        "semantic-release": "24.2.3",
+        "temp": "0.9.4",
+        "typescript": "5.8.2",
+        "vitest": "3.1.1"
+    },
+    "dependencies": {
+        "commander": "13.1.0"
+    },
+    "bugs": {
+        "url": "https://github.com/Dintero/sri-to-dist/issues"
+    },
+    "private": false,
+    "publishConfig": {
+        "access": "public"
+    },
+    "repository": {
+        "type": "git",
+        "url": "https://github.com/Dintero/sri-to-dist.git"
+    }
+}

package/dist/src/index.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/src/index.js

@@ -0,0 +1,74 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+const fs = __importStar(require("node:fs"));
+const path = __importStar(require("node:path"));
+const commander_1 = require("commander");
+const lib_1 = require("./lib");
+const package_json_1 = require("../package.json");
+const main = async () => {
+    try {
+        // Set up command-line parser
+        const program = new commander_1.Command();
+        program
+            .version(package_json_1.version)
+            .description("HTML processing tool to add subresource integrity hashes")
+            .requiredOption("-i, --input <file>", "Input HTML file")
+            .option("-o, --output <file>", "Optional output HTML file")
+            .option("-b, --base-url <url>", "Optional base URL")
+            .option("-n, --no-remote", "Optional flag, no remote sri files allowed")
+            .option("-v, --verify", "Optional flag, verify hashes in input");
+        program.parse(process.argv);
+        const options = program.opts();
+        // Extract values
+        const inputPath = options.input;
+        const outputPath = options.output;
+        const baseUrl = options.baseUrl;
+        const noRemote = options.noRemote || false;
+        const verify = options.verify || false;
+        // Read HTML file
+        const htmlContent = fs.readFileSync(inputPath, "utf-8");
+        const updatedHtml = await (0, lib_1.toHtmlWithSri)(htmlContent, path.dirname(inputPath), baseUrl, noRemote, verify);
+        (0, lib_1.handleUpdatedHtml)(process.stdout, outputPath, updatedHtml);
+    }
+    catch (error) {
+        console.error(`Error: ${error}`);
+        process.exit(1);
+    }
+};
+main().catch((error) => {
+    console.error(`Error: ${error}`);
+    process.exit(1);
+});

package/dist/src/lib.d.ts

@@ -0,0 +1,11 @@
+declare const extractLinkRel: (scriptOrLinkTag: string) => string | undefined;
+declare const isSriTag: (scriptOrLinkTag: string) => boolean;
+declare const toHtmlWithSri: (htmlContent: string, baseDir: string, baseUrl?: string, noRemote?: boolean, verify?: boolean) => Promise<string>;
+declare const getContent: (src: string, baseDir: string, baseUrl?: string, noRemote?: boolean) => Promise<Buffer>;
+declare const fetchRemoteContent: (src: string) => Promise<Buffer>;
+declare const readLocalContent: (src: string, baseDir: string, baseUrl: string) => Buffer;
+declare const calculateSha384: (content: Buffer) => string;
+declare const handleUpdatedHtml: (stdout: NodeJS.WriteStream, outputPath?: string, updatedHtml?: string) => void;
+declare const toSriScriptTag: (tag: string, integrity: string) => string;
+declare const ensureCrossoriginAnonymous: (tag: string) => string;
+export { extractLinkRel, isSriTag, toHtmlWithSri, getContent, readLocalContent, fetchRemoteContent, calculateSha384, ensureCrossoriginAnonymous, toSriScriptTag, handleUpdatedHtml, };

package/dist/src/lib.js

@@ -0,0 +1,262 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.handleUpdatedHtml = exports.toSriScriptTag = exports.ensureCrossoriginAnonymous = exports.calculateSha384 = exports.fetchRemoteContent = exports.readLocalContent = exports.getContent = exports.toHtmlWithSri = exports.isSriTag = exports.extractLinkRel = void 0;
+const fs = __importStar(require("node:fs"));
+const path = __importStar(require("node:path"));
+const node_crypto_1 = require("node:crypto");
+const extractLinkRel = (scriptOrLinkTag) => {
+    const re = /<link\s+[^>]*rel="([^"]*)"/;
+    const match = scriptOrLinkTag.match(re);
+    return match ? match[1] : undefined;
+};
+exports.extractLinkRel = extractLinkRel;
+const isSriTag = (scriptOrLinkTag) => {
+    const rel = extractLinkRel(scriptOrLinkTag);
+    if (rel) {
+        // Check link tags
+        // Split by whitespace to handle multiple rel values
+        const relValues = rel.split(/\s+/);
+        // Check for critical resource types
+        const criticalTypes = [
+            "style",
+            "stylesheet",
+            "preload",
+            "modulepreload",
+        ];
+        // If preload, check if it's preloading a style or script
+        if (relValues.includes("preload")) {
+            // Extract as attribute
+            const asPattern = /as="([^"]*)"/;
+            const asMatch = scriptOrLinkTag.match(asPattern);
+            if (asMatch) {
+                const asValue = asMatch[1];
+                return asValue === "style" || asValue === "script";
+            }
+            if (relValues.includes("stylesheet")) {
+                // handle case where rel contains both preload and stylesheet
+                return true;
+            }
+            if (relValues.includes("style")) {
+                // handle case where rel contains both preload and style
+                return true;
+            }
+            // Do not calculate sri for other preload link tags
+            return false;
+        }
+        // Check if link tag has sri rel
+        for (const relValue of relValues) {
+            if (criticalTypes.includes(relValue)) {
+                return true;
+            }
+        }
+        // Ignore other types of link tags
+        return false;
+    }
+    // Check if it's a script tag
+    if (scriptOrLinkTag.startsWith("<script")) {
+        return true;
+    }
+    // Not a script tag
+    return false;
+};
+exports.isSriTag = isSriTag;
+const toHtmlWithSri = async (htmlContent, baseDir, baseUrl, noRemote, verify) => {
+    // Find all script and link tags that should have integrity hashes
+    const re = /<(script|link)\s+[^>]*(?:src|href)="([^"]+)"[^>]*>/g;
+    let updatedHtml = htmlContent;
+    const matches = htmlContent.matchAll(re);
+    for (const [scriptOrLinkTag, _, src] of matches) {
+        // Skip non supported resources
+        if (!isSriTag(scriptOrLinkTag)) {
+            continue;
+        }
+        // Get content of script or link
+        try {
+            const content = await getContent(src, baseDir, baseUrl, noRemote);
+            // Calculate SHA-384 hash and create integrity attribute value
+            const hashHex = calculateSha384(content);
+            const integrity = `sha384-${hashHex}`;
+            if (verify) {
+                const oldHash = getIntegrityFromTag(scriptOrLinkTag);
+                if (!oldHash) {
+                    throw new Error(`Missing hash for ${src}, expected ${integrity}`);
+                }
+                if (oldHash !== integrity) {
+                    throw new Error(`Invalid hash ${oldHash} for ${src}, expected ${integrity}`);
+                }
+            }
+            // Create new script tag with integrity
+            const sriScriptTag = toSriScriptTag(scriptOrLinkTag, integrity);
+            // Replace in HTML
+            updatedHtml = updatedHtml.replace(scriptOrLinkTag, sriScriptTag);
+        }
+        catch (error) {
+            console.error(`Warning: Failed to process ${src}: ${error}`);
+            throw error;
+        }
+    }
+    return updatedHtml;
+};
+exports.toHtmlWithSri = toHtmlWithSri;
+const getIntegrityFromTag = (tag) => {
+    const integrityPattern = /integrity="([^"]*)"/;
+    const match = tag.match(integrityPattern);
+    return match ? match[1] : undefined;
+};
+const getContent = async (src, baseDir, baseUrl, noRemote) => {
+    // Handle remote vs local content
+    if (src.startsWith("http://") || src.startsWith("https://")) {
+        // If remote_base_url is provided and src starts with it, treat it as local content
+        if (baseUrl && src.startsWith(baseUrl)) {
+            return readLocalContent(src, baseDir, baseUrl);
+        }
+        if (noRemote) {
+            throw new Error("Remote sri resources not allowed");
+        }
+        return fetchRemoteContent(src);
+    }
+    // For relative src, read from file
+    return readLocalContent(src, baseDir, baseUrl || "");
+};
+exports.getContent = getContent;
+const fetchRemoteContent = async (src) => {
+    try {
+        // Using native fetch available in Node.js 18+
+        const response = await fetch(src);
+        if (!response.ok) {
+            throw new Error(`Failed to fetch: ${response.statusText}`);
+        }
+        // Check content type
+        const contentType = response.headers.get("content-type") || "";
+        // Verify content type is appropriate for scripts or stylesheets
+        const validTypes = [
+            "text/javascript",
+            "application/javascript",
+            "application/x-javascript",
+            "text/css",
+            "text/plain",
+        ];
+        if (!validTypes.some((type) => contentType.includes(type))) {
+            throw new Error(`Unexpected content type '${contentType}' for resource '${src}'`);
+        }
+        const arrayBuffer = await response.arrayBuffer();
+        return Buffer.from(arrayBuffer);
+    }
+    catch (error) {
+        throw new Error(`Failed to fetch remote content from '${src}': ${error}`);
+    }
+};
+exports.fetchRemoteContent = fetchRemoteContent;
+const addTrailingSlashIfNotEmpty = (baseUrl) => {
+    if (baseUrl === "")
+        return baseUrl;
+    return baseUrl.endsWith("/") ? baseUrl : `${baseUrl}/`;
+};
+const toLocalPath = (src, baseDir, baseUrl) => {
+    const baseWithTrailingSlash = addTrailingSlashIfNotEmpty(baseUrl);
+    let localPath = src;
+    if (src.startsWith(baseWithTrailingSlash)) {
+        localPath = src.substring(baseWithTrailingSlash.length);
+    }
+    else if (src.startsWith(baseUrl)) {
+        localPath = src.substring(baseUrl.length);
+    }
+    // Remove any slash from start at file path before reading local file
+    const localPathWithoutStartingSlash = localPath.startsWith("/")
+        ? localPath.substring(1)
+        : localPath;
+    return path.join(baseDir, localPathWithoutStartingSlash);
+};
+const readLocalContent = (src, baseDir, baseUrl) => {
+    const filePath = toLocalPath(src, baseDir, baseUrl);
+    try {
+        return fs.readFileSync(filePath);
+    }
+    catch (error) {
+        throw new Error(`Failed to read file at path '${filePath}': ${error}`);
+    }
+};
+exports.readLocalContent = readLocalContent;
+const calculateSha384 = (content) => {
+    const hash = (0, node_crypto_1.createHash)("sha384").update(content).digest();
+    return hash.toString("base64");
+};
+exports.calculateSha384 = calculateSha384;
+const handleUpdatedHtml = (stdout, outputPath, updatedHtml) => {
+    if (!updatedHtml)
+        return;
+    if (outputPath) {
+        fs.writeFileSync(outputPath, updatedHtml);
+    }
+    else {
+        stdout.write(`${updatedHtml}\n`);
+    }
+};
+exports.handleUpdatedHtml = handleUpdatedHtml;
+const toSriScriptTag = (tag, integrity) => {
+    // First handle the integrity attribute
+    let newTag = tag;
+    if (tag.includes("integrity=")) {
+        // Replace existing integrity attribute
+        const reIntegrity = /integrity="[^"]*"/g;
+        newTag = newTag.replace(reIntegrity, `integrity="${integrity}"`);
+    }
+    else {
+        // Add integrity attribute
+        if (tag.endsWith("/>")) {
+            newTag = newTag.replace(/\/>$/, ` integrity="${integrity}"/>`);
+        }
+        else {
+            newTag = newTag.replace(/>$/, ` integrity="${integrity}">`);
+        }
+    }
+    // Ensure crossorigin attribute is set
+    return ensureCrossoriginAnonymous(newTag);
+};
+exports.toSriScriptTag = toSriScriptTag;
+const ensureCrossoriginAnonymous = (tag) => {
+    // Replace if exists
+    if (tag.includes("crossorigin=")) {
+        const reCrossorigin = /crossorigin="[^"]*"/g;
+        return tag.replace(reCrossorigin, 'crossorigin="anonymous"');
+    }
+    // Add crossorigin="anonymous" attribute if missing from tag
+    if (tag.endsWith("/>")) {
+        return tag.replace(/\/>$/, ' crossorigin="anonymous"/>');
+    }
+    return tag.replace(/>$/, ' crossorigin="anonymous">');
+};
+exports.ensureCrossoriginAnonymous = ensureCrossoriginAnonymous;

package/package.json

@@ -0,0 +1,57 @@
+{
+    "name": "@dintero/sri-to-dist",
+    "version": "1.0.3",
+    "description": "HTML tool for adding subresource integrity hashes",
+    "main": "dist/index.js",
+    "types": "dist/index.d.ts",
+    "bin": {
+        "sri-to-dist": "bin/sri-to-dist.js"
+    },
+    "files": [
+        "dist",
+        "bin"
+    ],
+    "scripts": {
+        "build": "tsc",
+        "prepare": "npm run build",
+        "start": "node bin/sri-to-dist.js",
+        "test": "vitest run",
+        "test:watch": "vitest",
+        "lint": "biome lint .",
+        "format": "biome format . --write",
+        "prepublishOnly": "yarn run build"
+    },
+    "keywords": [
+        "subresource",
+        "integrity",
+        "sri",
+        "html",
+        "security"
+    ],
+    "homepage": "https://github.com/Dintero/sri-to-dist?tab=readme-ov-file#sri-to-dist",
+    "author": "Sven Nicolai Viig <sven@dintero.com> (http://dintero.com)",
+    "license": "MIT",
+    "devDependencies": {
+        "@biomejs/biome": "1.9.4",
+        "@types/node": "22.14.0",
+        "@types/temp": "0.9.4",
+        "semantic-release": "24.2.3",
+        "temp": "0.9.4",
+        "typescript": "5.8.2",
+        "vitest": "3.1.1"
+    },
+    "dependencies": {
+        "commander": "13.1.0"
+    },
+    "bugs": {
+        "url": "https://github.com/Dintero/sri-to-dist/issues"
+    },
+    "private": false,
+    "publishConfig": {
+        "access": "public"
+    },
+    "repository": {
+        "type": "git",
+        "url": "https://github.com/Dintero/sri-to-dist.git"
+    }
+}