spark-html-sri 0.1.1 → 0.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -12,24 +12,23 @@ sri();
12
12
  ```
13
13
 
14
14
  ```js
15
- // vite.config.js — after prerender()
16
- import spark from 'spark-html/vite';
17
- import prerender from 'spark-prerender/vite';
18
- import sriPlugin from 'spark-html-sri/vite';
15
+ // spark.config.js — sri() runs last, after prerender()
16
+ import prerender from 'spark-prerender/bun';
17
+ import sriPlugin from 'spark-html-sri/bun';
19
18
 
20
- export default { plugins: [spark(), prerender(), sriPlugin()] };
19
+ export default { pipeline: [prerender(), sriPlugin()] };
21
20
  ```
22
21
 
23
22
  ## Install
24
23
 
25
24
  ```bash
26
- npm install spark-html-sri
25
+ bun add spark-html-sri
27
26
  ```
28
27
 
29
28
  ## What you get
30
29
 
31
- **Local files — fully automatic, zero config.** At build time the vite
32
- plugin hashes every JS/CSS file and every component fragment (SHA-384 by
30
+ **Local files — fully automatic, zero config.** At build time the build
31
+ step hashes every JS/CSS file and every component fragment (SHA-384 by
33
32
  default), stamps `integrity` + `crossorigin="anonymous"` onto the
34
33
  `<script>`/`<link>` tags (the browser enforces those natively), and bakes
35
34
  a path → hash manifest into each page. At runtime `sri()` verifies every
@@ -69,7 +68,7 @@ or `false` to override.
69
68
 
70
69
  ```js
71
70
  sri({
72
- manifest: { '/components/nav.html': 'sha384-…' }, // default: baked in by the vite plugin
71
+ manifest: { '/components/nav.html': 'sha384-…' }, // default: baked in by the build step
73
72
  allow: ['esm.sh'], // remote hosts (subdomains included)
74
73
  enforce: 'auto', // true | false | 'auto' (auto = enforce unless localhost)
75
74
  onViolation: (msg, url) => report(msg, url),
@@ -89,7 +88,7 @@ sriPlugin({ algorithm: 'sha384' }); // 'sha256' | 'sha384' | 'sha512'
89
88
  | `verify(data, integrityString)` | Check data against an SRI string (space-separated list allowed). |
90
89
  | `resetTofu()` | Forget every remembered remote-component hash. |
91
90
  | `DEFAULT_ALLOW` | The default remote allow list. |
92
- | `spark-html-sri/vite` | Build plugin — hash, stamp, bake the manifest. |
91
+ | `spark-html-sri/bun` | Build step — hash, stamp, bake the manifest. |
93
92
 
94
93
  ## Why not put this in the core?
95
94
 
@@ -105,6 +104,7 @@ virtual DOM, no build step required. Add only what you use.
105
104
  | Package | What it does |
106
105
  |---|---|
107
106
  | [`spark-html`](https://www.npmjs.com/package/spark-html) | The runtime — components, reactivity, stores, forms, scoped styles. 13 kB gzip, 0 deps. |
107
+ | [`spark-html-bun`](https://www.npmjs.com/package/spark-html-bun) | Dev server, bundler & preview on Bun — scoped HMR, no-build dev, post-build pipeline. |
108
108
  | [`spark-html-router`](https://www.npmjs.com/package/spark-html-router) | `<template route>` routing — nested routes/layouts, `route.query`, active links. |
109
109
  | [`spark-html-theme`](https://www.npmjs.com/package/spark-html-theme) | Dark/light/system theming in one line — persisted, no flash. |
110
110
  | [`spark-html-head`](https://www.npmjs.com/package/spark-html-head) | Reactive `<title>`/`<meta>` per route + a `head` store. |
@@ -119,7 +119,7 @@ virtual DOM, no build step required. Add only what you use.
119
119
  | [`spark-html-manifest`](https://www.npmjs.com/package/spark-html-manifest) | PWA manifest + icons + head tags (and optional service worker) from one config. |
120
120
  | [`spark-html-offline`](https://www.npmjs.com/package/spark-html-offline) | Offline URL imports — a service worker that caches CDN components. |
121
121
  | [`spark-html-sri`](https://www.npmjs.com/package/spark-html-sri) | Subresource Integrity — hash + verify assets and remote components. |
122
- | [`create-spark-html-app`](https://www.npmjs.com/package/create-spark-html-app) | Scaffold a Vite + spark-html app in one command. |
122
+ | [`create-spark-html-app`](https://www.npmjs.com/package/create-spark-html-app) | Scaffold a spark-html app in one command. |
123
123
  | [`prettier-plugin-spark`](https://www.npmjs.com/package/prettier-plugin-spark) | Prettier for components — formats `<script>`/`<style>`, markup stays byte-for-byte. |
124
124
  | [`spark-html-language-server`](https://www.npmjs.com/package/spark-html-language-server) | LSP — diagnostics, go-to-definition, prop autocomplete, hover docs. |
125
125
 
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "spark-html-sri",
3
- "version": "0.1.1",
3
+ "version": "0.1.3",
4
4
  "description": "Subresource Integrity for spark-html — auto-hash built assets and components, verify at runtime, and make URL-imported components safe with an origin allow list + trust-on-first-use. Zero dependencies.",
5
5
  "type": "module",
6
6
  "main": "./src/index.js",
@@ -11,9 +11,8 @@
11
11
  "types": "./src/index.d.ts",
12
12
  "default": "./src/index.js"
13
13
  },
14
- "./vite": {
15
- "types": "./src/vite.d.ts",
16
- "default": "./src/vite.js"
14
+ "./bun": {
15
+ "default": "./src/bun.js"
17
16
  }
18
17
  },
19
18
  "scripts": {
@@ -34,7 +33,7 @@
34
33
  "integrity",
35
34
  "security",
36
35
  "tofu",
37
- "vite-plugin"
36
+ "bun"
38
37
  ],
39
38
  "license": "MIT"
40
39
  }
package/src/bun.js ADDED
@@ -0,0 +1,106 @@
1
+ /**
2
+ * spark-html-sri/bun — hash the build, stamp the pages, as a spark-html-bun
3
+ * pipeline step. Put it LAST in the pipeline: it must see the final bytes of
4
+ * every asset and fragment (prerender/image/font all rewrite HTML).
5
+ *
6
+ * 1. hashes every .js/.css in the output and adds `integrity` +
7
+ * `crossorigin="anonymous"` to the <script src> / <link rel=stylesheet>
8
+ * tags that reference them — the browser enforces these natively;
9
+ * 2. hashes every component fragment (.html without <head>) into a
10
+ * manifest and bakes it into the page as
11
+ * <script type="application/json" data-spark-sri>…</script> — the
12
+ * sri() runtime picks it up with zero config.
13
+ *
14
+ * import sri from 'spark-html-sri/bun';
15
+ * export default { pipeline: [prerender(), image(), sri()] };
16
+ */
17
+ import { join, resolve, relative, sep } from 'node:path';
18
+ import { readFile, writeFile, readdir, stat } from 'node:fs/promises';
19
+ import { existsSync } from 'node:fs';
20
+ import { createHash } from 'node:crypto';
21
+
22
+ async function walk(dir) {
23
+ const out = [];
24
+ for (const name of await readdir(dir)) {
25
+ const full = join(dir, name);
26
+ const s = await stat(full);
27
+ if (s.isDirectory()) out.push(...await walk(full));
28
+ else out.push(full);
29
+ }
30
+ return out;
31
+ }
32
+
33
+ function sriHash(buf, algo) {
34
+ return `${algo}-${createHash(algo).update(buf).digest('base64')}`;
35
+ }
36
+
37
+ // Attribute-order-agnostic tag rewriting: find <script src>/<link stylesheet>
38
+ // tags, resolve their URL against the manifest, splice the attributes in.
39
+ function stampTags(html, lookup) {
40
+ return html
41
+ .replace(/<script\b[^>]*\bsrc\s*=\s*"([^"]+)"[^>]*>/g, (tag, src) => stamp(tag, src, lookup))
42
+ .replace(/<link\b[^>]*\brel\s*=\s*"stylesheet"[^>]*>/g, (tag) => {
43
+ const href = (tag.match(/\bhref\s*=\s*"([^"]+)"/) || [])[1];
44
+ return href ? stamp(tag, href, lookup) : tag;
45
+ });
46
+ }
47
+
48
+ function stamp(tag, url, lookup) {
49
+ if (/\bintegrity\s*=/.test(tag)) return tag; // already stamped
50
+ if (/^(https?:)?\/\//.test(url)) return tag; // remote — not ours to hash
51
+ const hash = lookup(url.split(/[?#]/)[0]);
52
+ if (!hash) return tag;
53
+ const attrs = ` integrity="${hash}"` + (/\bcrossorigin\b/.test(tag) ? '' : ' crossorigin="anonymous"');
54
+ return tag.replace(/\s*\/?>$/, (end) => `${attrs}${end}`);
55
+ }
56
+
57
+ /**
58
+ * @param {object} [options]
59
+ * @param {'sha256'|'sha384'|'sha512'} [options.algorithm='sha384']
60
+ */
61
+ export default function sparkSri(options = {}) {
62
+ const algo = options.algorithm || 'sha384';
63
+ return {
64
+ name: 'spark-html-sri',
65
+ async run({ outDir, base = '/' }) {
66
+ const root = resolve(outDir);
67
+ if (!existsSync(root)) return;
68
+ const baseDir = base.endsWith('/') ? base : base + '/';
69
+
70
+ const files = await walk(root);
71
+ const manifest = {}; // served pathname → sri string
72
+ const pages = [];
73
+ for (const file of files) {
74
+ const pathname = baseDir + relative(root, file).split(sep).join('/');
75
+ if (/\.(js|css)$/.test(file)) {
76
+ manifest[pathname] = sriHash(await readFile(file), algo);
77
+ } else if (file.endsWith('.html')) {
78
+ const html = await readFile(file, 'utf8');
79
+ if (/<\/head>/i.test(html)) pages.push({ file, html });
80
+ else manifest[pathname] = sriHash(Buffer.from(html), algo); // component fragment
81
+ }
82
+ }
83
+
84
+ const json = JSON.stringify(manifest);
85
+ let stamped = 0;
86
+ for (const { file, html } of pages) {
87
+ if (html.includes('data-spark-sri')) continue; // idempotent
88
+ // Resolve a tag's URL to a manifest key: absolute pathnames match
89
+ // directly; relative ones resolve against the page's directory.
90
+ const pageDir = baseDir + relative(root, join(file, '..')).split(sep).join('/');
91
+ const lookup = (url) => {
92
+ if (url.startsWith('/')) return manifest[url] || manifest[baseDir.replace(/\/$/, '') + url];
93
+ const dir = pageDir === baseDir + '.' ? baseDir : pageDir + '/';
94
+ return manifest[dir.replace(/\/\.\//, '/') + url.replace(/^\.\//, '')];
95
+ };
96
+ let out = stampTags(html, lookup);
97
+ out = out.replace(/<\/head>/i, `<script type="application/json" data-spark-sri>${json}</script>\n</head>`);
98
+ await writeFile(file, out, 'utf8');
99
+ stamped++;
100
+ }
101
+ if (stamped) {
102
+ console.log(`[spark-html-sri] ${Object.keys(manifest).length} asset(s) hashed, ${stamped} page(s) stamped`);
103
+ }
104
+ },
105
+ };
106
+ }
package/src/index.d.ts CHANGED
@@ -16,7 +16,7 @@ export function verify(
16
16
  ): Promise<boolean>;
17
17
 
18
18
  export interface SriOptions {
19
- /** path → SRI string. Default: the manifest the vite plugin baked into the page. */
19
+ /** path → SRI string. Default: the manifest the build step baked into the page. */
20
20
  manifest?: Record<string, string>;
21
21
  /** Allowed remote hosts for URL imports (subdomains included). */
22
22
  allow?: string[];
package/src/index.js CHANGED
@@ -4,8 +4,8 @@
4
4
  * Two halves, one mental model (`<script integrity>` — familiar to every
5
5
  * web developer):
6
6
  *
7
- * **Local files** — fully automatic, zero config. The vite plugin
8
- * (spark-html-sri/vite) hashes every built JS/CSS/component fragment,
7
+ * **Local files** — fully automatic, zero config. The build step
8
+ * (spark-html-sri/bun) hashes every built JS/CSS/component fragment,
9
9
  * injects `integrity` + `crossorigin` into `<script>`/`<link>` tags, and
10
10
  * bakes a manifest into each page. At runtime `sri()` verifies every
11
11
  * component fetch against that manifest before spark-html boots it.
@@ -120,7 +120,7 @@ function blockedResponse(reason) {
120
120
  *
121
121
  * @param {object} [options]
122
122
  * @param {Record<string,string>} [options.manifest] path → SRI string. Default: the
123
- * manifest the vite plugin baked into the page (absent in dev — nothing to verify).
123
+ * manifest the build step baked into the page (absent in dev — nothing to verify).
124
124
  * @param {string[]} [options.allow] Allowed remote hosts for URL imports
125
125
  * (default: jsdelivr/unpkg/esm.sh/raw.githubusercontent — subdomains included).
126
126
  * @param {boolean|'auto'} [options.enforce='auto'] Block on failure. 'auto'
package/src/vite.d.ts DELETED
@@ -1,18 +0,0 @@
1
- import type { SriAlgorithm } from './index.js';
2
-
3
- export interface SriVitePluginOptions {
4
- /** Hash algorithm for assets and the manifest (default 'sha384'). */
5
- algorithm?: SriAlgorithm;
6
- }
7
-
8
- /**
9
- * Vite plugin: hashes every built JS/CSS/component fragment, stamps
10
- * integrity + crossorigin onto script/link tags, and bakes the manifest
11
- * into each page. Put it after prerender() in `plugins`.
12
- */
13
- export default function sparkSri(options?: SriVitePluginOptions): {
14
- name: string;
15
- apply: 'build';
16
- configResolved(config: unknown): void;
17
- closeBundle: { order: 'post'; handler(): Promise<void> };
18
- };
package/src/vite.js DELETED
@@ -1,117 +0,0 @@
1
- /**
2
- * spark-html-sri/vite — hash the build, stamp the pages.
3
- *
4
- * Runs in closeBundle (order post, after spark-prerender has written its
5
- * per-route HTML — put it after prerender() in `plugins`). For every page:
6
- *
7
- * 1. hashes every .js/.css in the output and adds `integrity` +
8
- * `crossorigin="anonymous"` to the <script src> / <link rel=stylesheet>
9
- * tags that reference them — the browser enforces these natively;
10
- * 2. hashes every component fragment (.html without <head>) into a
11
- * manifest and bakes it into the page as
12
- * <script type="application/json" data-spark-sri>…</script> — the
13
- * sri() runtime picks it up with zero config.
14
- *
15
- * import sriPlugin from 'spark-html-sri/vite';
16
- * plugins: [spark(), prerender(), sriPlugin()]
17
- */
18
- import { join, resolve, relative, sep } from 'node:path';
19
- import { readFile, writeFile, readdir, stat } from 'node:fs/promises';
20
- import { existsSync } from 'node:fs';
21
- import { createHash } from 'node:crypto';
22
-
23
- async function walk(dir) {
24
- const out = [];
25
- for (const name of await readdir(dir)) {
26
- const full = join(dir, name);
27
- const s = await stat(full);
28
- if (s.isDirectory()) out.push(...await walk(full));
29
- else out.push(full);
30
- }
31
- return out;
32
- }
33
-
34
- function sriHash(buf, algo) {
35
- return `${algo}-${createHash(algo).update(buf).digest('base64')}`;
36
- }
37
-
38
- // Attribute-order-agnostic tag rewriting: find <script src>/<link stylesheet>
39
- // tags, resolve their URL against the manifest, splice the attributes in.
40
- function stampTags(html, lookup) {
41
- return html
42
- .replace(/<script\b[^>]*\bsrc\s*=\s*"([^"]+)"[^>]*>/g, (tag, src) => stamp(tag, src, lookup))
43
- .replace(/<link\b[^>]*\brel\s*=\s*"stylesheet"[^>]*>/g, (tag) => {
44
- const href = (tag.match(/\bhref\s*=\s*"([^"]+)"/) || [])[1];
45
- return href ? stamp(tag, href, lookup) : tag;
46
- });
47
- }
48
-
49
- function stamp(tag, url, lookup) {
50
- if (/\bintegrity\s*=/.test(tag)) return tag; // already stamped
51
- if (/^(https?:)?\/\//.test(url)) return tag; // remote — not ours to hash
52
- const hash = lookup(url.split(/[?#]/)[0]);
53
- if (!hash) return tag;
54
- const attrs = ` integrity="${hash}"` + (/\bcrossorigin\b/.test(tag) ? '' : ' crossorigin="anonymous"');
55
- return tag.replace(/\s*\/?>$/, (end) => `${attrs}${end}`);
56
- }
57
-
58
- /**
59
- * @param {object} [options]
60
- * @param {'sha256'|'sha384'|'sha512'} [options.algorithm='sha384']
61
- */
62
- export default function sparkSri(options = {}) {
63
- const algo = options.algorithm || 'sha384';
64
- let outDir = 'dist';
65
- let base = '/';
66
- return {
67
- name: 'spark-html-sri',
68
- apply: 'build',
69
- configResolved(viteConfig) {
70
- if (viteConfig && viteConfig.build && viteConfig.build.outDir) outDir = viteConfig.build.outDir;
71
- if (viteConfig && viteConfig.base) base = viteConfig.base;
72
- },
73
- closeBundle: {
74
- order: 'post',
75
- async handler() {
76
- const root = resolve(outDir);
77
- if (!existsSync(root)) return;
78
- const baseDir = base.endsWith('/') ? base : base + '/';
79
-
80
- const files = await walk(root);
81
- const manifest = {}; // served pathname → sri string
82
- const pages = [];
83
- for (const file of files) {
84
- const pathname = baseDir + relative(root, file).split(sep).join('/');
85
- if (/\.(js|css)$/.test(file)) {
86
- manifest[pathname] = sriHash(await readFile(file), algo);
87
- } else if (file.endsWith('.html')) {
88
- const html = await readFile(file, 'utf8');
89
- if (/<\/head>/i.test(html)) pages.push({ file, html });
90
- else manifest[pathname] = sriHash(Buffer.from(html), algo); // component fragment
91
- }
92
- }
93
-
94
- const json = JSON.stringify(manifest);
95
- let stamped = 0;
96
- for (const { file, html } of pages) {
97
- if (html.includes('data-spark-sri')) continue; // idempotent
98
- // Resolve a tag's URL to a manifest key: absolute pathnames match
99
- // directly; relative ones resolve against the page's directory.
100
- const pageDir = baseDir + relative(root, join(file, '..')).split(sep).join('/');
101
- const lookup = (url) => {
102
- if (url.startsWith('/')) return manifest[url] || manifest[baseDir.replace(/\/$/, '') + url];
103
- const dir = pageDir === baseDir + '.' ? baseDir : pageDir + '/';
104
- return manifest[dir.replace(/\/\.\//, '/') + url.replace(/^\.\//, '')];
105
- };
106
- let out = stampTags(html, lookup);
107
- out = out.replace(/<\/head>/i, `<script type="application/json" data-spark-sri>${json}</script>\n</head>`);
108
- await writeFile(file, out, 'utf8');
109
- stamped++;
110
- }
111
- if (stamped) {
112
- console.log(`[spark-html-sri] ${Object.keys(manifest).length} asset(s) hashed, ${stamped} page(s) stamped`);
113
- }
114
- },
115
- },
116
- };
117
- }