@localnerve/csp-hashes 2.0.0 → 2.0.2

package/index.js

@@ -4,7 +4,7 @@
  * Return a Vinyl transform object stream to process html files for
  * generating the required CSP hashes for inline and attribute scripts, styles.
  * 
- * Copyright (c) 2022 Alex Grant (@localnerve), LocalNerve LLC
+ * Copyright (c) 2022-2023 Alex Grant (@localnerve), LocalNerve LLC
  * Licensed under the MIT license.
  */
 /* eslint-env node */

package/lib/index.js

@@ -4,7 +4,7 @@
  * Return a Vinyl transform object stream to process html files for
  * generating the required CSP hashes for inline and attribute scripts, styles.
  * 
- * Copyright (c) 2022 Alex Grant (@localnerve), LocalNerve LLC
+ * Copyright (c) 2022-2023 Alex Grant (@localnerve), LocalNerve LLC
  * Licensed under the MIT license.
  */
 import { Transform } from 'stream';

package/lib/removeCspMeta.js

@@ -4,7 +4,7 @@
  * A convenience method to remove the content of a Content-Security-Policy in a meta tag.
  * Useful for development builds that need to ignore CSP meta tags.
  * 
- * Copyright (c) 2022 Alex Grant (@localnerve), LocalNerve LLC
+ * Copyright (c) 2022-2023 Alex Grant (@localnerve), LocalNerve LLC
  * Licensed under the MIT license.
  */
 import { Transform } from 'stream';

package/license.md

@@ -1,4 +1,4 @@
-Copyright 2022, Alex Grant, LocalNerve, LLC
+Copyright 2022-2023, Alex Grant, LocalNerve, LLC
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
 

package/package.json

@@ -1,31 +1,24 @@
 {
   "name": "@localnerve/csp-hashes",
-  "version": "2.0.0",
+  "version": "2.0.2",
   "description": "Flexible library to generate CSP hashes",
-  "main": "dist/index.js",
+  "main": "index.js",
   "type": "module",
   "exports": {
-    "import": "./dist/index.js",
-    "require": "./dist/cjs/index.js",
-    "default": "./dist/index.js"
+    "import": "./index.js",
+    "default": "./index.js"
   },
   "scripts": {
     "lint": "eslint .",
-    "transpile": "babel --out-dir ./dist/cjs index.js && babel --out-dir ./dist/cjs/lib ./lib",
-    "preprepublishOnly": "rimraf ./dist && npm run transpile",
-    "prepublishOnly": "node -e 'require(\"fs\").copyFileSync(\"./index.js\", \"./dist/index.js\");'",
-    "postprepublishOnly": "node -e 'require(\"fs\").cpSync(\"./lib\", \"./dist/lib\", {recursive: true});'",
     "pretest": "node -e 'try{require(\"fs\").symlinkSync(\"../lib\", \"./__tests__/lib\");}catch(e){}'",
     "test": "jest",
     "test:debug": "node --inspect-brk ./node_modules/.bin/jest"
   },
   "devDependencies": {
-    "@babel/cli": "^7.19.3",
     "@babel/preset-env": "^7.20.2",
-    "eslint": "^8.30.0",
-    "jest": "^29.3.1",
-    "rimraf": "^3.0.2",
-    "vinyl": "^2.2.1"
+    "eslint": "^8.33.0",
+    "jest": "^29.4.1",
+    "vinyl": "^3.0.0"
   },
   "dependencies": {
     "cheerio": "^1.0.0-rc.12"

package/readme.md

@@ -8,6 +8,7 @@
 
 ## Contents
 + [Overview](#overview)
++ [Breaking Changes](#breaking-changes)
 + [API](#API)
   + [Options](#options)
     + [Callback Function](#callback-function)
@@ -15,11 +16,15 @@
 + [Example Usage](#example-usage)
   + [CSP Headers](#build-step-to-maintain-csp-headers)
   + [Meta Tag](#build-step-to-maintain-csp-meta-tags)
+  + [Non-Esm Usage](#non-esm-usage)
 + [MIT License](#license)
 
 ## Overview
 This Nodejs library generates script and style inline element and attribute hashes. It is for use in the generation of HTTP content security policy (CSP) headers or to replace/update Meta tags as a website build step. Ready for use with [Gulp](https://github.com/gulpjs/gulp).
 
+## Breaking Changes
++ As of Version 2+, this is an ES Module. See [Non-Esm Usage](#non-esm-usage) for how to use outside of ESM.
+
 ## Prerequisites
 + NodeJS 14+
 
@@ -154,6 +159,19 @@ export function stripCspMetaContents (settings) {
 }
 ```
 
+### Non-ESM usage
+As of Version 2, this package is an ES Module, making it incompatible with `require`. To use outside of ESM, you can use this with a dynamic import as in the following example:
+
+```javascript
+import('@localnerve/csp-hashes').then(({ hashstream }) => {
+  hashstream({
+    callback: (p, hashes, contents) => {
+      // do stuff
+    }
+  });
+});
+```
+
 ## LICENSE
 
 * [MIT, Alex Grant, LocalNerve, LLC](license.md)

package/dist/cjs/index.js

@@ -1,24 +0,0 @@
-"use strict";
-
-Object.defineProperty(exports, "__esModule", {
-  value: true
-});
-Object.defineProperty(exports, "default", {
-  enumerable: true,
-  get: function () {
-    return _index.hashstream;
-  }
-});
-Object.defineProperty(exports, "hashstream", {
-  enumerable: true,
-  get: function () {
-    return _index.hashstream;
-  }
-});
-Object.defineProperty(exports, "removeCspMeta", {
-  enumerable: true,
-  get: function () {
-    return _index.removeCspMeta;
-  }
-});
-var _index = require("./lib/index.js");

package/dist/cjs/lib/index.js

@@ -1,111 +0,0 @@
-"use strict";
-
-Object.defineProperty(exports, "__esModule", {
-  value: true
-});
-exports.default = exports.hashstream = hashstream;
-Object.defineProperty(exports, "removeCspMeta", {
-  enumerable: true,
-  get: function () {
-    return _removeCspMeta.removeCspMeta;
-  }
-});
-var _stream = require("stream");
-var _crypto = _interopRequireDefault(require("crypto"));
-var _cheerio = _interopRequireDefault(require("cheerio"));
-var _removeCspMeta = require("./removeCspMeta.js");
-function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
-/**
- * CSP Hashes.
- * 
- * Return a Vinyl transform object stream to process html files for
- * generating the required CSP hashes for inline and attribute scripts, styles.
- * 
- * Copyright (c) 2022 Alex Grant (@localnerve), LocalNerve LLC
- * Licensed under the MIT license.
- */
-
-/**
- * Collect all CSP Hashes and fill the given `hashes` structure.
- *
- * @param {Function} hashFn - Creates and formats a csp hash
- * @param {Buffer} html - The html content
- * @param {Object} hashes - The hash structure to fill
- */
-function collectHashes(hashFn, html, hashes) {
-  const $ = _cheerio.default.load(html);
-  Object.keys(hashes).forEach(what => {
-    hashes[what].elements = $(`${what}:not([src])`).map((i, el) => hashFn($(el).html())).toArray();
-  });
-  hashes.style.attributes.push(...$('[style]').map((i, el) => hashFn($(el).attr('style'))).toArray());
-  const eventHandlerRe = /^on/i;
-  const jsUrlRe = /^javascript:/i;
-  $('*').each(function (i, el) {
-    for (const attrName in el.attribs) {
-      if (eventHandlerRe.test(attrName)) {
-        hashes.script.attributes.push(hashFn(el.attribs[attrName]));
-      }
-      if (jsUrlRe.test(el.attribs[attrName])) {
-        hashes.script.attributes.push(hashFn(el.attribs[attrName].split(jsUrlRe)[1]));
-      }
-    }
-  });
-}
-
-/**
- * hashstream
- * Accepts the processing options and returns the Vinyl transform object stream.
- *
- * @param {Object} options
- * @param {Function} options.callback - Function to call to process the csp hashes.
- * @param {String} [options.algo] - hash algorithm, default sha256. Can be sha384, sha512.
- * @param {Boolean} [options.replace] - True if callback is used for meta html replacements, defaults to false.
- * @returns Transform object stream to process Vinyl objects.
- */
-function hashstream({
-  algo = 'sha256',
-  replace = false,
-  callback = null
-} = {}) {
-  if (!/^sha(256|384|512)$/.test(algo)) {
-    throw new Error('algo option must be one of "sha256", "sha384", or "sha512" only.');
-  }
-  if (typeof callback !== 'function') {
-    throw new Error('callback option must be a valid function.');
-  }
-  const createHash = r => _crypto.default.createHash(algo).update(r).digest('base64');
-  const formatHash = h => `'${algo}-${h}'`;
-  const makeCSPHash = s => formatHash(createHash(s));
-  const transformObjectStream = new _stream.Transform({
-    objectMode: true,
-    transform: (vinyl, enc, done) => {
-      const path = vinyl.path;
-      const content = vinyl.contents;
-      const hashes = {
-        script: {
-          elements: [],
-          attributes: [],
-          get all() {
-            return this.elements.concat(this.attributes);
-          }
-        },
-        style: {
-          elements: [],
-          attributes: [],
-          get all() {
-            return this.elements.concat(this.attributes);
-          }
-        }
-      };
-      collectHashes(makeCSPHash, content, hashes);
-      if (replace) {
-        const s = callback(path, hashes, content.toString());
-        vinyl.contents = Buffer.from(s, enc);
-      } else {
-        callback(path, hashes);
-      }
-      done(null, vinyl);
-    }
-  });
-  return transformObjectStream;
-}

package/dist/cjs/lib/removeCspMeta.js

@@ -1,35 +0,0 @@
-"use strict";
-
-Object.defineProperty(exports, "__esModule", {
-  value: true
-});
-exports.default = exports.removeCspMeta = removeCspMeta;
-var _stream = require("stream");
-/**
- * removeCspMeta.js
- * 
- * A convenience method to remove the content of a Content-Security-Policy in a meta tag.
- * Useful for development builds that need to ignore CSP meta tags.
- * 
- * Copyright (c) 2022 Alex Grant (@localnerve), LocalNerve LLC
- * Licensed under the MIT license.
- */
-
-function removeCspMeta() {
-  return new _stream.Transform({
-    objectMode: true,
-    transform: (vinyl, enc, done) => {
-      var _vinyl$contents;
-      let e = null;
-      const input = vinyl === null || vinyl === void 0 ? void 0 : (_vinyl$contents = vinyl.contents) === null || _vinyl$contents === void 0 ? void 0 : _vinyl$contents.toString();
-      if (input) {
-        const output = input.replace(/("?Content-Security-Policy"?)(\s+)(content=")([^"]+)"/i, '$1$2$3$2"');
-        vinyl.contents = Buffer.from(output, enc);
-      } else {
-        e = new Error('removeCspMeta could not get Vinyl object file contents');
-        e.errorCode = 'EBADINPUT';
-      }
-      done(e, vinyl);
-    }
-  });
-}

package/dist/index.js

@@ -1,11 +0,0 @@
-/**
- * CSP Hashes.
- * 
- * Return a Vinyl transform object stream to process html files for
- * generating the required CSP hashes for inline and attribute scripts, styles.
- * 
- * Copyright (c) 2022 Alex Grant (@localnerve), LocalNerve LLC
- * Licensed under the MIT license.
- */
-/* eslint-env node */
-export { hashstream as default, hashstream, removeCspMeta } from './lib/index.js';

package/dist/lib/index.js

@@ -1,121 +0,0 @@
-/**
- * CSP Hashes.
- * 
- * Return a Vinyl transform object stream to process html files for
- * generating the required CSP hashes for inline and attribute scripts, styles.
- * 
- * Copyright (c) 2022 Alex Grant (@localnerve), LocalNerve LLC
- * Licensed under the MIT license.
- */
-import { Transform } from 'stream';
-import crypto from 'crypto';
-import cheerio from 'cheerio';
-export { removeCspMeta } from './removeCspMeta.js';
-
-/**
- * Collect all CSP Hashes and fill the given `hashes` structure.
- *
- * @param {Function} hashFn - Creates and formats a csp hash
- * @param {Buffer} html - The html content
- * @param {Object} hashes - The hash structure to fill
- */
-function collectHashes (hashFn, html, hashes) {
-  const $ = cheerio.load(html);
-
-  Object.keys(hashes).forEach(what => {
-    hashes[what].elements = $(`${what}:not([src])`).map(
-      (i, el) => hashFn($(el).html())
-    ).toArray();
-  });
-
-  hashes.style.attributes.push(
-    ...$('[style]').map((i, el) => hashFn($(el).attr('style'))).toArray()
-  );
-
-  const eventHandlerRe = /^on/i;
-  const jsUrlRe = /^javascript:/i;
-
-  $('*').each(function (i, el) {
-    for (const attrName in el.attribs) {
-      if (eventHandlerRe.test(attrName)) {
-        hashes.script.attributes.push(
-          hashFn(el.attribs[attrName])
-        );
-      }
-      if (jsUrlRe.test(el.attribs[attrName])) {
-        hashes.script.attributes.push(
-          hashFn(el.attribs[attrName].split(jsUrlRe)[1])
-        );
-      }
-    }
-  });
-}
-
-/**
- * hashstream
- * Accepts the processing options and returns the Vinyl transform object stream.
- *
- * @param {Object} options
- * @param {Function} options.callback - Function to call to process the csp hashes.
- * @param {String} [options.algo] - hash algorithm, default sha256. Can be sha384, sha512.
- * @param {Boolean} [options.replace] - True if callback is used for meta html replacements, defaults to false.
- * @returns Transform object stream to process Vinyl objects.
- */
-export function hashstream ({
-  algo = 'sha256',
-  replace = false,
-  callback = null
-} = {}) {
-
-  if (!/^sha(256|384|512)$/.test(algo)) {
-    throw new Error('algo option must be one of "sha256", "sha384", or "sha512" only.');
-  }
-
-  if (typeof callback !== 'function') {
-    throw new Error('callback option must be a valid function.');
-  }
-
-  const createHash = r => crypto.createHash(algo).update(r).digest('base64');
-  const formatHash = h => `'${algo}-${h}'`;
-  const makeCSPHash = s => formatHash(createHash(s));
-
-  const transformObjectStream = new Transform({
-    objectMode: true,
-    transform: (vinyl, enc, done) => {
-      const path = vinyl.path;
-      const content = vinyl.contents;
-  
-      const hashes = {
-        script: {
-          elements: [],
-          attributes: [],
-          get all () {
-            return this.elements.concat(this.attributes);
-          }
-        },
-        style: {
-          elements: [],
-          attributes: [],
-          get all () {
-            return this.elements.concat(this.attributes);
-          }
-        }
-      };
-  
-      collectHashes(makeCSPHash, content, hashes);
-  
-      if (replace) {
-        const s = callback(path, hashes, content.toString());
-        vinyl.contents = Buffer.from(s, enc);
-      } else {
-        callback(path, hashes);
-      }
-  
-      done(null, vinyl);
-    }
-  });
-
-  return transformObjectStream;
-}
-
-export { hashstream as default }

package/dist/lib/removeCspMeta.js

@@ -1,32 +0,0 @@
-/**
- * removeCspMeta.js
- * 
- * A convenience method to remove the content of a Content-Security-Policy in a meta tag.
- * Useful for development builds that need to ignore CSP meta tags.
- * 
- * Copyright (c) 2022 Alex Grant (@localnerve), LocalNerve LLC
- * Licensed under the MIT license.
- */
-import { Transform } from 'stream';
-
-export function removeCspMeta () {
-  return new Transform({
-    objectMode: true,
-    transform: (vinyl, enc, done) => {
-      let e = null;
-      const input = vinyl?.contents?.toString();
-      if (input) {
-        const output = input.replace(
-          /("?Content-Security-Policy"?)(\s+)(content=")([^"]+)"/i, '$1$2$3$2"'
-        );
-        vinyl.contents = Buffer.from(output, enc);
-      } else {
-        e = new Error('removeCspMeta could not get Vinyl object file contents');
-        e.errorCode = 'EBADINPUT';
-      }
-      done(e, vinyl);
-    }
-  });
-}
-
-export { removeCspMeta as default }