
SRI hash for moment.js/2.29.4 does not match #14214

Closed
veselov opened this issue Sep 9, 2023 · 3 comments

Comments

@veselov

veselov commented Sep 9, 2023

https://cdnjs.com/libraries/moment.js/2.29.4
The first entry is:

<script src="https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.29.4/moment.min.js"
 integrity="sha512-CryKbMe7sjSCDPl18jtJI5DR5jtkUWxPXWaLCst6QjH8wxDexfRJic2WRmRXmstr2Y8SxDDWuBO6CQC6IE4KTA==" 
crossorigin="anonymous" referrerpolicy="no-referrer"></script>

But SHA512 of the download file is different:

$ curl -o /tmp/x https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.29.4/moment.min.js
$ openssl sha512 /tmp/x | awk '{print $2}' | xxd -r -p | base64
+H4iLjY3JsKiF2V6N366in5IQHj2uEsGV7Pp/GRcm0fn76aPAk5V8xB6n8fQhhSonTqTXs/klFz4
D0GIn6Br9g==

Using the tag in the browser gives the same error:

Failed to find a valid digest in the 'integrity' attribute for resource 'https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.29.4/moment.min.js' with computed SHA-512 integrity '+H4iLjY3JsKiF2V6N366in5IQHj2uEsGV7Pp/GRcm0fn76aPAk5V8xB6n8fQhhSonTqTXs/klFz4D0GIn6Br9g=='. The resource has been blocked.

Hash for full (not minified) version is OK.
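The check the reporter runs by hand above (download the file, SHA-512 it, base64 the raw digest, compare with the `integrity` attribute) is what the browser does before it executes a subresource. The following is an added example, written for this issue and not code from cdnjs or from the reporter, that reproduces that check in Python over constructed file contents: it builds an integrity token from bytes, parses an `integrity` attribute the way the SRI spec describes (several tokens, `?option` suffixes dropped, unknown algorithms ignored, the strongest recognised algorithm wins), and reports whether a resource would be allowed or blocked. The sample bytes `SAMPLE_JS` and the "stale" token are constructed for the demonstration.

```python
import base64
import hashlib

# Algorithms the SRI spec recognises, listed weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")

# Constructed stand-in for a downloaded script; not the real moment.min.js.
SAMPLE_JS = b"(function(){window.moment={version:'x.y.z'};})();\n"


def sri_digest(data: bytes, algo: str = "sha512") -> str:
    """Return the SRI token '<algo>-<base64 digest>' for the given bytes.

    Equivalent to the shell pipeline in the report:
    openssl <algo> file | xxd -r -p | base64
    """
    if algo not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(attr: str) -> dict:
    """Parse an integrity attribute into {algorithm: {base64 digests}}.

    Tokens with an unrecognised algorithm are skipped, and any '?option'
    suffix after the digest is discarded, as the SRI spec prescribes.
    """
    parsed = {}
    for token in attr.split():
        algo, sep, rest = token.partition("-")
        algo = algo.lower()
        if not sep or algo not in SRI_ALGORITHMS:
            continue
        digest = rest.split("?", 1)[0]
        parsed.setdefault(algo, set()).add(digest)
    return parsed


def verify_integrity(data: bytes, attr: str) -> bool:
    """True if data satisfies the integrity attribute, False if it would be blocked.

    Only digests for the strongest recognised algorithm are consulted; if the
    attribute contains no usable token, the spec treats it as no metadata and
    the resource loads unchecked.
    """
    parsed = parse_integrity(attr)
    if not parsed:
        return True
    strongest = max(parsed, key=SRI_ALGORITHMS.index)
    actual = sri_digest(data, strongest).split("-", 1)[1]
    return actual in parsed[strongest]


def check_report(data: bytes, attr: str) -> str:
    """Produce a short verdict in the style of the browser console message."""
    if verify_integrity(data, attr):
        return "integrity OK"
    computed = sri_digest(data, "sha512")
    return f"integrity mismatch: computed {computed}; resource would be blocked"


if __name__ == "__main__":
    good = sri_digest(SAMPLE_JS)              # token that matches SAMPLE_JS
    stale = sri_digest(SAMPLE_JS + b"// v2\n")  # constructed token for other content
    print(check_report(SAMPLE_JS, good))
    print(check_report(SAMPLE_JS, stale))
    # An attribute listing several algorithms: only the strongest one counts.
    print(check_report(SAMPLE_JS, f"{sri_digest(SAMPLE_JS, 'sha256')} {stale}"))
```

The third call shows why a mismatch cannot be papered over by adding a weaker matching digest next to the wrong SHA-512 one: the browser only looks at the strongest algorithm present, so the sha512 token has to be right.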

@MattIPv4
Member

MattIPv4 commented Sep 9, 2023

👋 Would you mind posting this under #14210, rather than creating this new issue?

@veselov
Author

veselov commented Sep 9, 2023

@MattIPv4 There is already a comment in #14214 about v2.29.4, and a comment in #14210 about this.
I specifically wanted a new clean issue on this since the version mentioned in the initial report of #14214 is different (v2.29.2), and #14210 is generally too broad. Somebody's bound to report this if there are no issues with clearly matching subject anyway.
But feel free to close this if you believe it to be excessive.

@MattIPv4
Member

MattIPv4 commented Sep 9, 2023

👍 I'm going to close this out as we're using #14210 to track all SRI mismatches -- the issue is on Cloudflare's list of things that need attention, though I'm aware there hasn't been much progress there. I have a meeting with Cloudflare on Monday where I hope to raise this.

@MattIPv4 MattIPv4 closed this as completed Sep 9, 2023