SRI hashes stop checkout from loading static.js and mixins.js when bundling and minify is enabled

[marshallthornton]

Preconditions and environment

• Magento version 2.4.8-p3
• CSP module enabled

Steps to reproduce

1. Set store to production mode
2. Enable bundling and minify options for JS
3. Deploy the content
4. Add item to cart and browse to checkout
5. Check to see if static.min.js and mixins.min.js were loaded onto the page

Expected result

The JS files are added to the section and loaded on the page

Actual result

Both of these files are missing from the page

Additional information

It looks like the changes to Magento/Csp/Model/Deploy/Package/Processor/PostProcessor/Integrity.php in the recent patch to write all the integrity hashes to the file during deployment plus the new GenerateBundleAssetIntegrity.php are causing this. Mostly due to how it adds the files, it does not see the correct .min.js filename while writing the file and instead puts it as normal .js files.

Previously, the sri-hashes.json file would only contain the requirejs-config.min.js file hashes in it and nothing else. This led to the bundle files getting placed in the same group as everything else so the Config block that adds all the JS files in worked without issue since it could find the bundle file to add them after.

Now, with the hashes, it correctly looks up the bundle file hashes because the plugin does a file search after deployment to get their correct names with .min.js in it and add their hashes causing them to be put in separate asset groups. It then fails to lookup the hashes for static.min.js and mixins.min.js because they are stored as static.js and mixins.js in the integrity map so it ends up trying to insert them into the existing js asset group but, since the bundle files aren't in there, fails to add them since it can't find the key to put them after.

The only way to make it work currently is either disable the minifying or bundling of the JS files.

Release note

No response

Triage and priority

• Severity: S0 - Affects critical data or functionality and leaves users without workaround.
• Severity: S1 - Affects critical data or functionality and forces users to employ a workaround.
• Severity: S2 - Affects non-critical data or functionality and forces users to employ a workaround.
• Severity: S3 - Affects non-critical data or functionality and does not force users to employ a workaround.
• Severity: S4 - Affects aesthetics, professional look and feel, “quality” or “usability”.

[m2-assistant]

Hi @marshallthornton. Thank you for your report.
To speed up processing of this issue, make sure that the issue is reproducible on the vanilla Magento instance following Steps to reproduce.

• For more details, review the Magento Contributor Assistant documentation.
• Add a comment to assign the issue: @magento I am working on this
• To learn more about issue processing workflow, refer to the Code Contributions.

---

Join Magento Community Engineering Slack and ask your questions in #github channel.
⚠️ According to the Magento Contribution requirements, all issues must go through the Community Contributions Triage process. Community Contributions Triage is a public meeting.
🕙 You can find the schedule on the Magento Community Calendar page.
📞 The triage of issues happens in the queue order. If you want to speed up the delivery of your contribution, join the Community Contributions Triage session to discuss the appropriate ticket.

[pknap]

We're facing the same (or very similar) issue after upgrading from 2.4.7-p7 to 2.4.7-p8 - after installing the security patch, all mixins stopped being loaded in the checkout.

However, in our case, this happens only in the child theme and only when using the compact strategy for static content deployment, so I'm not entirely sure that this is exactly the same issue, but definitely related to SRI changes introduced in this patch, so thank you @marshallthornton for opening this ticket and confirming I've not gone mad.

There are plenty of commits in the CSP module:

10da29e

with a commit message like:

ACP2E-3854: Bundled/Merged JS not part of SRI Hashes

which are only part of 2.4.9 branch, so I suspect that possibly the SRI logic included in the latest security patch is incomplete/bugged?

[marshallthornton]

Possible, I was able to replicate the issue using the Luma theme in testing with just bundle + minify enabled. When I was using XDebug to step through the static content deployment process, I could see the $file->getDeployedFilePath() returning the non-minified static.js and mixins.js filenames in Csp's integrity post-processor. So this might be more of a bug with the deploy module not giving the correct actual names of the files it created in the post processing logic and instead giving the base original names.

[jtolhurst-relias]

We are also seeing issues similar issues with mixins not loading in Checkout on 2.4.6-p13 with only JS minify enabled. Disabling JS minify resolves the issue, but this is not desired.

[magenizr]

Same here on 2.4.6-p13. For us, the path /var/www/html/codebase/pub/static/frontend/sri-hashes.json isn’t an appropriate location to write such files.

[2025-10-20T06:16:32.327076+00:00] main.CRITICAL: Magento\Framework\Exception\FileSystemException: The path "/var/www/html/codebase/pub/static/frontend/sri-hashes.json" is not writable. in /var/www/html/codebase/vendor/magento/framework/Filesystem/Directory/Write.php:62

Apparently it gets created during the build ( Docker container ) and then becomes non-writable on our read-only filesystem. I’ll create a patch and share shortly.

[engcom-Bravo]

Hi @marshallthornton,

Thanks for your reporting and collaboration.

Internal Jira has been already created https://jira.corp.adobe.com/browse/AC-15866. Hence we will provide further updates here and we are closing this issue.

Thanks.

[bigbangx]

hello @engcom-Bravo

can you share current state of the investigation ? any ETA ?

Do you think it would be safe to revert all module-csp changes with a patch as a temporary workaround to be able to deploy other fixes ASAP ?

[hostep]

@engcom-Bravo: please re-open until this is fully fixed, closing this is not the correct action.

Also you referenced the wrong ticket number, it should be AC-15867, AC-15866 is another bug around merging, not around bundling or minifying (at least that's what Nathan said on Slack).