vite-plugin-manifest-sri

Subresource Integrity for Vite.js Manifests

Why? 🤔

Vite does not provide support for subresource integrity.

Both vite-plugin-sri and rollup-plugin-sri are good options to automatically add an integrity hash to script and link tags. However, these rely on transforming an HTML file, which is typically not the case when using a backend integration such as Vite Ruby.

This plugin extends manifest.json to include an integrity field which can be used when rendering tags.

Installation 💿

Install the package as a development dependency:

npm i -D vite-plugin-manifest-sri # pnpm i -D vite-plugin-manifest-sri

Usage 🚀

Add it to your plugins in vite.config.ts:

import { defineConfig } from 'vite'
import manifestSRI from 'vite-plugin-manifest-sri'

export default defineConfig({
  plugins: [
    manifestSRI(),
  ],
})

Note that the build.manifest option must be enabled in order to generate a manifest.json file (Vite Ruby enables it by default).

With Vite Ruby 💎

Experimental support is available, you can try it now by explicitly adding 4.0.0.alpha1 to your Gemfile:

gem 'vite_rails', '~> 4.0.0.alpha1'

Configuration ⚙️

The following options can be provided:

• algorithms

  Hashing algorithms to use when calculate the integrity hash for each asset.

  Default: ['sha384']

  manifestSRI({ algorithms: ['sha384', 'sha512'] }),

Acknowledgements

The following plugins might be useful for Vite apps based around an index.html file:

• rollup-plugin-sri
• vite-plugin-sri

License

This library is available as open source under the terms of the MIT License.