Skip to content

feat(bundling): add automatic SRI integrity hash generation #575

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
harlan-zw merged 2 commits into from
Jan 15, 2026
Merged

feat(bundling): add automatic SRI integrity hash generation #575

harlan-zw merged 2 commits into from
Jan 15, 2026
+381 βˆ’24

Conversation

@harlan-zw
Copy link
Collaborator

@harlan-zw harlan-zw commented Jan 15, 2026
edited
Loading

πŸ”— Linked issue

❓ Type of change

  • πŸ“– Documentation (updates to the documentation or readme)
  • 🐞 Bug fix (a non-breaking change that fixes an issue)
  • πŸ‘Œ Enhancement (improving an existing functionality)
  • ✨ New feature (a non-breaking change that adds functionality)
  • 🧹 Chore (updates to the build process or auxiliary tools and libraries)
  • ⚠️ Breaking change (fix or feature that would cause existing functionality to change)

πŸ“š Description

Adds automatic Subresource Integrity (SRI) hash generation for bundled scripts.

What it does:

  • Calculates SHA hash at build time when scripts are downloaded/bundled
  • Injects integrity attribute into script tags
  • Automatically adds crossorigin="anonymous" (required by browsers for SRI)
  • Caches integrity hash in build metadata for reuse
  • Supports sha256, sha384 (default), and sha512 algorithms

Configuration:

// nuxt.config.ts
export default defineNuxtConfig({
  scripts: {
    assets: {
      integrity: true, // Uses sha384 by default
      // integrity: 'sha256' | 'sha384' | 'sha512'
    }
  }
})

Output:

<script src="/_scripts/abc123.js"
        integrity="sha384-oqVuAfXRKap..."
        crossorigin="anonymous"></script>

Security benefits:

  • Tamper detection: Browser refuses to execute scripts if hash doesn't match
  • CDN compromise protection: Modified scripts won't execute even if CDN is compromised
  • Build-time verification: Hash calculated from actual downloaded content

@harlan-zw @claude
feat(bundling): add automatic SRI integrity hash generation
df7931b 
When enabled, calculates SHA-384 (or configurable sha256/sha512) hash
for bundled scripts and injects `integrity` and `crossorigin="anonymous"`
attributes.

Configuration:
```ts
scripts: {
  assets: {
    integrity: true // or 'sha256' | 'sha384' | 'sha512'
  }
}
```

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@vercel
Copy link

vercel bot commented Jan 15, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Review Updated (UTC)
scripts-docs Error Error Jan 15, 2026 3:14pm
scripts-playground Ready Ready Preview, Comment Jan 15, 2026 3:14pm

@pkg-pr-new
Copy link

pkg-pr-new bot commented Jan 15, 2026
edited
Loading

Open in StackBlitz

npm i https://pkg.pr.new/nuxt/scripts/@nuxt/scripts@575

commit: 4b2695d

@harlan-zw harlan-zw merged commit fbdf96b into main Jan 15, 2026
9 of 10 checks passed
@harlan-zw harlan-zw deleted the integrity-checks branch January 15, 2026 15:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@harlan-zw