spark-html-sri 0.1.0 → 0.1.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +34 -9
- package/package.json +4 -5
- package/src/bun.js +106 -0
- package/src/index.d.ts +1 -1
- package/src/index.js +3 -3
- package/src/vite.d.ts +0 -18
- package/src/vite.js +0 -117
package/README.md
CHANGED
|
@@ -12,12 +12,11 @@ sri();
|
|
|
12
12
|
```
|
|
13
13
|
|
|
14
14
|
```js
|
|
15
|
-
//
|
|
16
|
-
import
|
|
17
|
-
import
|
|
18
|
-
import sriPlugin from 'spark-html-sri/vite';
|
|
15
|
+
// spark.config.js — sri() runs last, after prerender()
|
|
16
|
+
import prerender from 'spark-prerender/bun';
|
|
17
|
+
import sriPlugin from 'spark-html-sri/bun';
|
|
19
18
|
|
|
20
|
-
export default {
|
|
19
|
+
export default { pipeline: [prerender(), sriPlugin()] };
|
|
21
20
|
```
|
|
22
21
|
|
|
23
22
|
## Install
|
|
@@ -28,8 +27,8 @@ npm install spark-html-sri
|
|
|
28
27
|
|
|
29
28
|
## What you get
|
|
30
29
|
|
|
31
|
-
**Local files — fully automatic, zero config.** At build time the
|
|
32
|
-
|
|
30
|
+
**Local files — fully automatic, zero config.** At build time the build
|
|
31
|
+
step hashes every JS/CSS file and every component fragment (SHA-384 by
|
|
33
32
|
default), stamps `integrity` + `crossorigin="anonymous"` onto the
|
|
34
33
|
`<script>`/`<link>` tags (the browser enforces those natively), and bakes
|
|
35
34
|
a path → hash manifest into each page. At runtime `sri()` verifies every
|
|
@@ -69,7 +68,7 @@ or `false` to override.
|
|
|
69
68
|
|
|
70
69
|
```js
|
|
71
70
|
sri({
|
|
72
|
-
manifest: { '/components/nav.html': 'sha384-…' }, // default: baked in by the
|
|
71
|
+
manifest: { '/components/nav.html': 'sha384-…' }, // default: baked in by the build step
|
|
73
72
|
allow: ['esm.sh'], // remote hosts (subdomains included)
|
|
74
73
|
enforce: 'auto', // true | false | 'auto' (auto = enforce unless localhost)
|
|
75
74
|
onViolation: (msg, url) => report(msg, url),
|
|
@@ -89,7 +88,7 @@ sriPlugin({ algorithm: 'sha384' }); // 'sha256' | 'sha384' | 'sha512'
|
|
|
89
88
|
| `verify(data, integrityString)` | Check data against an SRI string (space-separated list allowed). |
|
|
90
89
|
| `resetTofu()` | Forget every remembered remote-component hash. |
|
|
91
90
|
| `DEFAULT_ALLOW` | The default remote allow list. |
|
|
92
|
-
| `spark-html-sri/
|
|
91
|
+
| `spark-html-sri/bun` | Build step — hash, stamp, bake the manifest. |
|
|
93
92
|
|
|
94
93
|
## Why not put this in the core?
|
|
95
94
|
|
|
@@ -97,6 +96,32 @@ The spark-html runtime has a frozen 13 kB budget. Verification lives here
|
|
|
97
96
|
instead, as an opt-in wrapper around `fetch` — projects that don't use SRI
|
|
98
97
|
pay zero bytes, and the core stays tiny.
|
|
99
98
|
|
|
99
|
+
## The Spark family
|
|
100
|
+
|
|
101
|
+
Small, single-purpose packages that share one philosophy: no compiler, no
|
|
102
|
+
virtual DOM, no build step required. Add only what you use.
|
|
103
|
+
|
|
104
|
+
| Package | What it does |
|
|
105
|
+
|---|---|
|
|
106
|
+
| [`spark-html`](https://www.npmjs.com/package/spark-html) | The runtime — components, reactivity, stores, forms, scoped styles. 13 kB gzip, 0 deps. |
|
|
107
|
+
| [`spark-html-router`](https://www.npmjs.com/package/spark-html-router) | `<template route>` routing — nested routes/layouts, `route.query`, active links. |
|
|
108
|
+
| [`spark-html-theme`](https://www.npmjs.com/package/spark-html-theme) | Dark/light/system theming in one line — persisted, no flash. |
|
|
109
|
+
| [`spark-html-head`](https://www.npmjs.com/package/spark-html-head) | Reactive `<title>`/`<meta>` per route + a `head` store. |
|
|
110
|
+
| [`spark-html-motion`](https://www.npmjs.com/package/spark-html-motion) | Enter/leave transitions on if/each blocks — `transition="fade|slide|scale"`. |
|
|
111
|
+
| [`spark-html-devtools`](https://www.npmjs.com/package/spark-html-devtools) | In-page devtools — live stores, component tree, patch activity. |
|
|
112
|
+
| [`spark-html-query`](https://www.npmjs.com/package/spark-html-query) | Declarative async data — a self-fetching store (`loading`/`error`/`data`/`refetch`). |
|
|
113
|
+
| [`spark-html-persist`](https://www.npmjs.com/package/spark-html-persist) | Persist stores to localStorage/sessionStorage in one line. |
|
|
114
|
+
| [`spark-html-websocket`](https://www.npmjs.com/package/spark-html-websocket) | A WebSocket as a reactive store — auto-reconnect, JSON, `send()`. |
|
|
115
|
+
| [`spark-prerender`](https://www.npmjs.com/package/spark-prerender) | Build-time SEO prerender + sitemap/robots — no SSR server. |
|
|
116
|
+
| [`spark-html-image`](https://www.npmjs.com/package/spark-html-image) | Build-time image optimization — webp/avif + responsive `srcset`, zero config. |
|
|
117
|
+
| [`spark-html-font`](https://www.npmjs.com/package/spark-html-font) | Font loading optimizer — preload + size-adjusted fallbacks, no FOUT. |
|
|
118
|
+
| [`spark-html-manifest`](https://www.npmjs.com/package/spark-html-manifest) | PWA manifest + icons + head tags (and optional service worker) from one config. |
|
|
119
|
+
| [`spark-html-offline`](https://www.npmjs.com/package/spark-html-offline) | Offline URL imports — a service worker that caches CDN components. |
|
|
120
|
+
| [`spark-html-sri`](https://www.npmjs.com/package/spark-html-sri) | Subresource Integrity — hash + verify assets and remote components. |
|
|
121
|
+
| [`create-spark-html-app`](https://www.npmjs.com/package/create-spark-html-app) | Scaffold a spark-html app in one command. |
|
|
122
|
+
| [`prettier-plugin-spark`](https://www.npmjs.com/package/prettier-plugin-spark) | Prettier for components — formats `<script>`/`<style>`, markup stays byte-for-byte. |
|
|
123
|
+
| [`spark-html-language-server`](https://www.npmjs.com/package/spark-html-language-server) | LSP — diagnostics, go-to-definition, prop autocomplete, hover docs. |
|
|
124
|
+
|
|
100
125
|
## License
|
|
101
126
|
|
|
102
127
|
MIT
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "spark-html-sri",
|
|
3
|
-
"version": "0.1.
|
|
3
|
+
"version": "0.1.2",
|
|
4
4
|
"description": "Subresource Integrity for spark-html — auto-hash built assets and components, verify at runtime, and make URL-imported components safe with an origin allow list + trust-on-first-use. Zero dependencies.",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"main": "./src/index.js",
|
|
@@ -11,9 +11,8 @@
|
|
|
11
11
|
"types": "./src/index.d.ts",
|
|
12
12
|
"default": "./src/index.js"
|
|
13
13
|
},
|
|
14
|
-
"./
|
|
15
|
-
"
|
|
16
|
-
"default": "./src/vite.js"
|
|
14
|
+
"./bun": {
|
|
15
|
+
"default": "./src/bun.js"
|
|
17
16
|
}
|
|
18
17
|
},
|
|
19
18
|
"scripts": {
|
|
@@ -34,7 +33,7 @@
|
|
|
34
33
|
"integrity",
|
|
35
34
|
"security",
|
|
36
35
|
"tofu",
|
|
37
|
-
"
|
|
36
|
+
"bun"
|
|
38
37
|
],
|
|
39
38
|
"license": "MIT"
|
|
40
39
|
}
|
package/src/bun.js
ADDED
|
@@ -0,0 +1,106 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* spark-html-sri/bun — hash the build, stamp the pages, as a spark-html-bun
|
|
3
|
+
* pipeline step. Put it LAST in the pipeline: it must see the final bytes of
|
|
4
|
+
* every asset and fragment (prerender/image/font all rewrite HTML).
|
|
5
|
+
*
|
|
6
|
+
* 1. hashes every .js/.css in the output and adds `integrity` +
|
|
7
|
+
* `crossorigin="anonymous"` to the <script src> / <link rel=stylesheet>
|
|
8
|
+
* tags that reference them — the browser enforces these natively;
|
|
9
|
+
* 2. hashes every component fragment (.html without <head>) into a
|
|
10
|
+
* manifest and bakes it into the page as
|
|
11
|
+
* <script type="application/json" data-spark-sri>…</script> — the
|
|
12
|
+
* sri() runtime picks it up with zero config.
|
|
13
|
+
*
|
|
14
|
+
* import sri from 'spark-html-sri/bun';
|
|
15
|
+
* export default { pipeline: [prerender(), image(), sri()] };
|
|
16
|
+
*/
|
|
17
|
+
import { join, resolve, relative, sep } from 'node:path';
|
|
18
|
+
import { readFile, writeFile, readdir, stat } from 'node:fs/promises';
|
|
19
|
+
import { existsSync } from 'node:fs';
|
|
20
|
+
import { createHash } from 'node:crypto';
|
|
21
|
+
|
|
22
|
+
async function walk(dir) {
|
|
23
|
+
const out = [];
|
|
24
|
+
for (const name of await readdir(dir)) {
|
|
25
|
+
const full = join(dir, name);
|
|
26
|
+
const s = await stat(full);
|
|
27
|
+
if (s.isDirectory()) out.push(...await walk(full));
|
|
28
|
+
else out.push(full);
|
|
29
|
+
}
|
|
30
|
+
return out;
|
|
31
|
+
}
|
|
32
|
+
|
|
33
|
+
function sriHash(buf, algo) {
|
|
34
|
+
return `${algo}-${createHash(algo).update(buf).digest('base64')}`;
|
|
35
|
+
}
|
|
36
|
+
|
|
37
|
+
// Attribute-order-agnostic tag rewriting: find <script src>/<link stylesheet>
|
|
38
|
+
// tags, resolve their URL against the manifest, splice the attributes in.
|
|
39
|
+
function stampTags(html, lookup) {
|
|
40
|
+
return html
|
|
41
|
+
.replace(/<script\b[^>]*\bsrc\s*=\s*"([^"]+)"[^>]*>/g, (tag, src) => stamp(tag, src, lookup))
|
|
42
|
+
.replace(/<link\b[^>]*\brel\s*=\s*"stylesheet"[^>]*>/g, (tag) => {
|
|
43
|
+
const href = (tag.match(/\bhref\s*=\s*"([^"]+)"/) || [])[1];
|
|
44
|
+
return href ? stamp(tag, href, lookup) : tag;
|
|
45
|
+
});
|
|
46
|
+
}
|
|
47
|
+
|
|
48
|
+
function stamp(tag, url, lookup) {
|
|
49
|
+
if (/\bintegrity\s*=/.test(tag)) return tag; // already stamped
|
|
50
|
+
if (/^(https?:)?\/\//.test(url)) return tag; // remote — not ours to hash
|
|
51
|
+
const hash = lookup(url.split(/[?#]/)[0]);
|
|
52
|
+
if (!hash) return tag;
|
|
53
|
+
const attrs = ` integrity="${hash}"` + (/\bcrossorigin\b/.test(tag) ? '' : ' crossorigin="anonymous"');
|
|
54
|
+
return tag.replace(/\s*\/?>$/, (end) => `${attrs}${end}`);
|
|
55
|
+
}
|
|
56
|
+
|
|
57
|
+
/**
|
|
58
|
+
* @param {object} [options]
|
|
59
|
+
* @param {'sha256'|'sha384'|'sha512'} [options.algorithm='sha384']
|
|
60
|
+
*/
|
|
61
|
+
export default function sparkSri(options = {}) {
|
|
62
|
+
const algo = options.algorithm || 'sha384';
|
|
63
|
+
return {
|
|
64
|
+
name: 'spark-html-sri',
|
|
65
|
+
async run({ outDir, base = '/' }) {
|
|
66
|
+
const root = resolve(outDir);
|
|
67
|
+
if (!existsSync(root)) return;
|
|
68
|
+
const baseDir = base.endsWith('/') ? base : base + '/';
|
|
69
|
+
|
|
70
|
+
const files = await walk(root);
|
|
71
|
+
const manifest = {}; // served pathname → sri string
|
|
72
|
+
const pages = [];
|
|
73
|
+
for (const file of files) {
|
|
74
|
+
const pathname = baseDir + relative(root, file).split(sep).join('/');
|
|
75
|
+
if (/\.(js|css)$/.test(file)) {
|
|
76
|
+
manifest[pathname] = sriHash(await readFile(file), algo);
|
|
77
|
+
} else if (file.endsWith('.html')) {
|
|
78
|
+
const html = await readFile(file, 'utf8');
|
|
79
|
+
if (/<\/head>/i.test(html)) pages.push({ file, html });
|
|
80
|
+
else manifest[pathname] = sriHash(Buffer.from(html), algo); // component fragment
|
|
81
|
+
}
|
|
82
|
+
}
|
|
83
|
+
|
|
84
|
+
const json = JSON.stringify(manifest);
|
|
85
|
+
let stamped = 0;
|
|
86
|
+
for (const { file, html } of pages) {
|
|
87
|
+
if (html.includes('data-spark-sri')) continue; // idempotent
|
|
88
|
+
// Resolve a tag's URL to a manifest key: absolute pathnames match
|
|
89
|
+
// directly; relative ones resolve against the page's directory.
|
|
90
|
+
const pageDir = baseDir + relative(root, join(file, '..')).split(sep).join('/');
|
|
91
|
+
const lookup = (url) => {
|
|
92
|
+
if (url.startsWith('/')) return manifest[url] || manifest[baseDir.replace(/\/$/, '') + url];
|
|
93
|
+
const dir = pageDir === baseDir + '.' ? baseDir : pageDir + '/';
|
|
94
|
+
return manifest[dir.replace(/\/\.\//, '/') + url.replace(/^\.\//, '')];
|
|
95
|
+
};
|
|
96
|
+
let out = stampTags(html, lookup);
|
|
97
|
+
out = out.replace(/<\/head>/i, `<script type="application/json" data-spark-sri>${json}</script>\n</head>`);
|
|
98
|
+
await writeFile(file, out, 'utf8');
|
|
99
|
+
stamped++;
|
|
100
|
+
}
|
|
101
|
+
if (stamped) {
|
|
102
|
+
console.log(`[spark-html-sri] ${Object.keys(manifest).length} asset(s) hashed, ${stamped} page(s) stamped`);
|
|
103
|
+
}
|
|
104
|
+
},
|
|
105
|
+
};
|
|
106
|
+
}
|
package/src/index.d.ts
CHANGED
|
@@ -16,7 +16,7 @@ export function verify(
|
|
|
16
16
|
): Promise<boolean>;
|
|
17
17
|
|
|
18
18
|
export interface SriOptions {
|
|
19
|
-
/** path → SRI string. Default: the manifest the
|
|
19
|
+
/** path → SRI string. Default: the manifest the build step baked into the page. */
|
|
20
20
|
manifest?: Record<string, string>;
|
|
21
21
|
/** Allowed remote hosts for URL imports (subdomains included). */
|
|
22
22
|
allow?: string[];
|
package/src/index.js
CHANGED
|
@@ -4,8 +4,8 @@
|
|
|
4
4
|
* Two halves, one mental model (`<script integrity>` — familiar to every
|
|
5
5
|
* web developer):
|
|
6
6
|
*
|
|
7
|
-
* **Local files** — fully automatic, zero config. The
|
|
8
|
-
* (spark-html-sri/
|
|
7
|
+
* **Local files** — fully automatic, zero config. The build step
|
|
8
|
+
* (spark-html-sri/bun) hashes every built JS/CSS/component fragment,
|
|
9
9
|
* injects `integrity` + `crossorigin` into `<script>`/`<link>` tags, and
|
|
10
10
|
* bakes a manifest into each page. At runtime `sri()` verifies every
|
|
11
11
|
* component fetch against that manifest before spark-html boots it.
|
|
@@ -120,7 +120,7 @@ function blockedResponse(reason) {
|
|
|
120
120
|
*
|
|
121
121
|
* @param {object} [options]
|
|
122
122
|
* @param {Record<string,string>} [options.manifest] path → SRI string. Default: the
|
|
123
|
-
* manifest the
|
|
123
|
+
* manifest the build step baked into the page (absent in dev — nothing to verify).
|
|
124
124
|
* @param {string[]} [options.allow] Allowed remote hosts for URL imports
|
|
125
125
|
* (default: jsdelivr/unpkg/esm.sh/raw.githubusercontent — subdomains included).
|
|
126
126
|
* @param {boolean|'auto'} [options.enforce='auto'] Block on failure. 'auto'
|
package/src/vite.d.ts
DELETED
|
@@ -1,18 +0,0 @@
|
|
|
1
|
-
import type { SriAlgorithm } from './index.js';
|
|
2
|
-
|
|
3
|
-
export interface SriVitePluginOptions {
|
|
4
|
-
/** Hash algorithm for assets and the manifest (default 'sha384'). */
|
|
5
|
-
algorithm?: SriAlgorithm;
|
|
6
|
-
}
|
|
7
|
-
|
|
8
|
-
/**
|
|
9
|
-
* Vite plugin: hashes every built JS/CSS/component fragment, stamps
|
|
10
|
-
* integrity + crossorigin onto script/link tags, and bakes the manifest
|
|
11
|
-
* into each page. Put it after prerender() in `plugins`.
|
|
12
|
-
*/
|
|
13
|
-
export default function sparkSri(options?: SriVitePluginOptions): {
|
|
14
|
-
name: string;
|
|
15
|
-
apply: 'build';
|
|
16
|
-
configResolved(config: unknown): void;
|
|
17
|
-
closeBundle: { order: 'post'; handler(): Promise<void> };
|
|
18
|
-
};
|
package/src/vite.js
DELETED
|
@@ -1,117 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* spark-html-sri/vite — hash the build, stamp the pages.
|
|
3
|
-
*
|
|
4
|
-
* Runs in closeBundle (order post, after spark-prerender has written its
|
|
5
|
-
* per-route HTML — put it after prerender() in `plugins`). For every page:
|
|
6
|
-
*
|
|
7
|
-
* 1. hashes every .js/.css in the output and adds `integrity` +
|
|
8
|
-
* `crossorigin="anonymous"` to the <script src> / <link rel=stylesheet>
|
|
9
|
-
* tags that reference them — the browser enforces these natively;
|
|
10
|
-
* 2. hashes every component fragment (.html without <head>) into a
|
|
11
|
-
* manifest and bakes it into the page as
|
|
12
|
-
* <script type="application/json" data-spark-sri>…</script> — the
|
|
13
|
-
* sri() runtime picks it up with zero config.
|
|
14
|
-
*
|
|
15
|
-
* import sriPlugin from 'spark-html-sri/vite';
|
|
16
|
-
* plugins: [spark(), prerender(), sriPlugin()]
|
|
17
|
-
*/
|
|
18
|
-
import { join, resolve, relative, sep } from 'node:path';
|
|
19
|
-
import { readFile, writeFile, readdir, stat } from 'node:fs/promises';
|
|
20
|
-
import { existsSync } from 'node:fs';
|
|
21
|
-
import { createHash } from 'node:crypto';
|
|
22
|
-
|
|
23
|
-
async function walk(dir) {
|
|
24
|
-
const out = [];
|
|
25
|
-
for (const name of await readdir(dir)) {
|
|
26
|
-
const full = join(dir, name);
|
|
27
|
-
const s = await stat(full);
|
|
28
|
-
if (s.isDirectory()) out.push(...await walk(full));
|
|
29
|
-
else out.push(full);
|
|
30
|
-
}
|
|
31
|
-
return out;
|
|
32
|
-
}
|
|
33
|
-
|
|
34
|
-
function sriHash(buf, algo) {
|
|
35
|
-
return `${algo}-${createHash(algo).update(buf).digest('base64')}`;
|
|
36
|
-
}
|
|
37
|
-
|
|
38
|
-
// Attribute-order-agnostic tag rewriting: find <script src>/<link stylesheet>
|
|
39
|
-
// tags, resolve their URL against the manifest, splice the attributes in.
|
|
40
|
-
function stampTags(html, lookup) {
|
|
41
|
-
return html
|
|
42
|
-
.replace(/<script\b[^>]*\bsrc\s*=\s*"([^"]+)"[^>]*>/g, (tag, src) => stamp(tag, src, lookup))
|
|
43
|
-
.replace(/<link\b[^>]*\brel\s*=\s*"stylesheet"[^>]*>/g, (tag) => {
|
|
44
|
-
const href = (tag.match(/\bhref\s*=\s*"([^"]+)"/) || [])[1];
|
|
45
|
-
return href ? stamp(tag, href, lookup) : tag;
|
|
46
|
-
});
|
|
47
|
-
}
|
|
48
|
-
|
|
49
|
-
function stamp(tag, url, lookup) {
|
|
50
|
-
if (/\bintegrity\s*=/.test(tag)) return tag; // already stamped
|
|
51
|
-
if (/^(https?:)?\/\//.test(url)) return tag; // remote — not ours to hash
|
|
52
|
-
const hash = lookup(url.split(/[?#]/)[0]);
|
|
53
|
-
if (!hash) return tag;
|
|
54
|
-
const attrs = ` integrity="${hash}"` + (/\bcrossorigin\b/.test(tag) ? '' : ' crossorigin="anonymous"');
|
|
55
|
-
return tag.replace(/\s*\/?>$/, (end) => `${attrs}${end}`);
|
|
56
|
-
}
|
|
57
|
-
|
|
58
|
-
/**
|
|
59
|
-
* @param {object} [options]
|
|
60
|
-
* @param {'sha256'|'sha384'|'sha512'} [options.algorithm='sha384']
|
|
61
|
-
*/
|
|
62
|
-
export default function sparkSri(options = {}) {
|
|
63
|
-
const algo = options.algorithm || 'sha384';
|
|
64
|
-
let outDir = 'dist';
|
|
65
|
-
let base = '/';
|
|
66
|
-
return {
|
|
67
|
-
name: 'spark-html-sri',
|
|
68
|
-
apply: 'build',
|
|
69
|
-
configResolved(viteConfig) {
|
|
70
|
-
if (viteConfig && viteConfig.build && viteConfig.build.outDir) outDir = viteConfig.build.outDir;
|
|
71
|
-
if (viteConfig && viteConfig.base) base = viteConfig.base;
|
|
72
|
-
},
|
|
73
|
-
closeBundle: {
|
|
74
|
-
order: 'post',
|
|
75
|
-
async handler() {
|
|
76
|
-
const root = resolve(outDir);
|
|
77
|
-
if (!existsSync(root)) return;
|
|
78
|
-
const baseDir = base.endsWith('/') ? base : base + '/';
|
|
79
|
-
|
|
80
|
-
const files = await walk(root);
|
|
81
|
-
const manifest = {}; // served pathname → sri string
|
|
82
|
-
const pages = [];
|
|
83
|
-
for (const file of files) {
|
|
84
|
-
const pathname = baseDir + relative(root, file).split(sep).join('/');
|
|
85
|
-
if (/\.(js|css)$/.test(file)) {
|
|
86
|
-
manifest[pathname] = sriHash(await readFile(file), algo);
|
|
87
|
-
} else if (file.endsWith('.html')) {
|
|
88
|
-
const html = await readFile(file, 'utf8');
|
|
89
|
-
if (/<\/head>/i.test(html)) pages.push({ file, html });
|
|
90
|
-
else manifest[pathname] = sriHash(Buffer.from(html), algo); // component fragment
|
|
91
|
-
}
|
|
92
|
-
}
|
|
93
|
-
|
|
94
|
-
const json = JSON.stringify(manifest);
|
|
95
|
-
let stamped = 0;
|
|
96
|
-
for (const { file, html } of pages) {
|
|
97
|
-
if (html.includes('data-spark-sri')) continue; // idempotent
|
|
98
|
-
// Resolve a tag's URL to a manifest key: absolute pathnames match
|
|
99
|
-
// directly; relative ones resolve against the page's directory.
|
|
100
|
-
const pageDir = baseDir + relative(root, join(file, '..')).split(sep).join('/');
|
|
101
|
-
const lookup = (url) => {
|
|
102
|
-
if (url.startsWith('/')) return manifest[url] || manifest[baseDir.replace(/\/$/, '') + url];
|
|
103
|
-
const dir = pageDir === baseDir + '.' ? baseDir : pageDir + '/';
|
|
104
|
-
return manifest[dir.replace(/\/\.\//, '/') + url.replace(/^\.\//, '')];
|
|
105
|
-
};
|
|
106
|
-
let out = stampTags(html, lookup);
|
|
107
|
-
out = out.replace(/<\/head>/i, `<script type="application/json" data-spark-sri>${json}</script>\n</head>`);
|
|
108
|
-
await writeFile(file, out, 'utf8');
|
|
109
|
-
stamped++;
|
|
110
|
-
}
|
|
111
|
-
if (stamped) {
|
|
112
|
-
console.log(`[spark-html-sri] ${Object.keys(manifest).length} asset(s) hashed, ${stamped} page(s) stamped`);
|
|
113
|
-
}
|
|
114
|
-
},
|
|
115
|
-
},
|
|
116
|
-
};
|
|
117
|
-
}
|