Skip to content

Implement SRI support in impotmaps-rails #304

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 6 commits into
base: main
Choose a base branch
from
Draft

Implement SRI support in impotmaps-rails #304

wants to merge 6 commits into from

Conversation

rafaelfranca
Copy link
Member

This pull request introduces Subresource Integrity (SRI) support to the importmap-rails gem, enhancing security by ensuring that JavaScript files loaded from CDNs have not been tampered with.

Default behavior with integrity

When you pin a package, integrity hashes are automatically included:

./bin/importmap pin lodash
Pinning "lodash" to vendor/javascript/lodash.js via download from https://ga.jspm.io/npm:[email protected]/lodash.js
  Using integrity: sha384-PkIkha4kVPRlGtFantHjuv+Y9mRefUHpLFQbgOYUjzy247kvi16kLR7wWnsAmqZF

This generates a pin in your config/importmap.rb with the integrity hash:

pin "lodash", integrity: "sha384-PkIkha4kVPRlGtFantHjuv+Y9mRefUHpLFQbgOYUjzy247kvi16kLR7wWnsAmqZF" # @4.17.21

Opting out of integrity

If you need to disable integrity checking (not recommended for security reasons), you can use the --no-integrity flag:

./bin/importmap pin lodash --no-integrity
Pinning "lodash" to vendor/javascript/lodash.js via download from https://ga.jspm.io/npm:[email protected]/lodash.js

This generates a pin without integrity:

pin "lodash" # @4.17.21

Adding integrity to existing pins

If you have existing pins without integrity hashes, you can add them using the integrity command:

# Add integrity to specific packages
./bin/importmap integrity lodash react

# Add integrity to all pinned packages
./bin/importmap integrity

# Update your importmap.rb file with integrity hashes
./bin/importmap integrity --update

How integrity works

The integrity hashes are automatically included in your import map and module preload tags:

Import map JSON:

{
  "imports": {
    "lodash": "https://ga.jspm.io/npm:[email protected]/lodash.js"
  },
  "integrity": {
    "https://ga.jspm.io/npm:[email protected]/lodash.js": "sha384-PkIkha4kVPRlGtFantHjuv+Y9mRefUHpLFQbgOYUjzy247kvi16kLR7wWnsAmqZF"
  }
}

Module preload tags:

<link rel="modulepreload" href="https://ga.jspm.io/npm:[email protected]/lodash.js" integrity="sha384-PkIkha4kVPRlGtFantHjuv+Y9mRefUHpLFQbgOYUjzy247kvi16kLR7wWnsAmqZF">

Modern browsers will automatically validate these integrity hashes when loading the JavaScript modules, ensuring the files haven't been modified.

Closes #297.

rafaelfranca
rafaelfranca commented Jul 9, 2025
View reviewed changes
lib/importmap/map.rb
@@ -41,8 +41,60 @@ def pin_all_from(dir, under: nil, to: nil, preload: true)
# resolve for different asset hosts, you can pass in a custom `cache_key` to vary the cache used by this method for
# the different cases.
def preloaded_module_paths(resolver:, entry_point: "application", cache_key: :preloaded_module_paths)
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This method can probably be deprecated now since the library isn't using anymore

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

SRI (Subresource Integrity) Support
1 participant
@rafaelfranca