Description
After upgrading from importmap-rails 2.2.0 to 2.2.1, our production application started throwing integrity mismatch errors, preventing JavaScript assets from loading:
Failed to find a valid digest in the 'integrity' attribute for resource 'https://betalist.com/assets/controllers/index-723da7da721149a6dfbceb1bdd41f6ab8d9cdebd8e0ede20e01a36d836d558ab.js' with computed SHA-256 integrity 'wONzvxDOH4ZdadvA8efB5o3YfzE0RF6/gL2RXIouRvY='. The resource has been blocked.
This completely breaks JavaScript functionality in production environments where Content Security Policy (CSP) enforces Subresource Integrity (SRI) checks.
Impact
This patch release (2.2.0 → 2.2.1) broke our production application. All JavaScript assets are failing to load due to integrity mismatches, resulting in a completely broken user experience.
This is particularly critical because CSP-related issues often go undetected in automated test suites. Most CI/CD pipelines don't run tests with production-level CSP headers enabled, meaning integrity verification failures can pass all tests and only manifest when deployed to production. In our case, this patch update sailed through our entire CI pipeline without any warnings, and the JavaScript loading failures were only discovered after the changes went live to production users.
Our Situation
After upgrading to 2.2.1, our production application immediately started failing with the integrity mismatch errors shown above. We're still investigating the exact root cause of why the integrity hashes are mismatching, but the correlation is clear: the issue appeared immediately after deploying the 2.2.1 upgrade.
We use Kamal for deployment, which automatically precompiles all assets as part of the deployment process, so we have a fairly standard Rails deployment setup.
Expected Behavior
Patch releases (x.x.1) should only include backwards-compatible bug fixes that don't break existing production deployments.
Actual Behavior
The 2.2.1 patch release introduced some change that causes integrity verification to fail in our production environment, completely breaking JavaScript functionality.
Environment
- Rails version: 7.1
- importmap-rails version: 2.2.1 (upgraded from 2.2.0)
- Ruby version: 3.3.6
- Browser: All browsers that enforce SRI
Suggestion
Given that this patch release can break production applications, it would be helpful to:
- Investigate what changed between 2.2.0 and 2.2.1 that could affect integrity hash generation or validation
- Consider whether such changes should be released as minor or major versions in the future
- Add any necessary migration steps or warnings to the changelog
Note
We're still investigating the exact technical details of why this mismatch is occurring in our specific setup. However, we wanted to report this quickly since it's actively affecting our production environment and may impact other users who upgrade to 2.2.1.
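An added example, not part of the original issue and not importmap-rails code: a Ruby check that a test suite could run to catch this class of failure before deploy, comparing each `integrity` attribute in rendered HTML with the SRI digest of the bytes that would be served. The helper names, sample HTML and asset contents are constructed for illustration.

```ruby
require "digest"

# Added illustration; helper names and sample data are hypothetical/constructed.
# Listed weakest to strongest, the order SRI uses to pick which tokens count.
SRI_ALGOS = { "sha256" => Digest::SHA256, "sha384" => Digest::SHA384,
              "sha512" => Digest::SHA512 }.freeze

# SRI token ("sha256-<base64>") for the given bytes.
def sri_token(bytes, algo = "sha256")
  "#{algo}-#{[SRI_ALGOS.fetch(algo).digest(bytes)].pack('m0')}"
end

# Mirrors the browser check: unknown algorithms are ignored, only the strongest
# listed algorithm counts, and any matching token of that algorithm passes.
def integrity_ok?(attr, bytes)
  algo_of = ->(t) { t[/\A[^-]+/] }
  tokens = attr.split.map { |t| t[/\A[^?]*/] }.select { |t| SRI_ALGOS.key?(algo_of[t]) }
  return true if tokens.empty? # no usable metadata, so nothing is enforced
  strongest = tokens.map(&algo_of).max_by { |a| SRI_ALGOS.keys.index(a) }
  tokens.include?(sri_token(bytes, strongest))
end

# [url, integrity attribute, digest of served bytes] for each <script>/<link>
# whose integrity value does not match the file behind its src/href.
def sri_mismatches(html, assets)
  html.scan(/<(?:script|link)\b[^>]*>/i).filter_map do |tag|
    attr = tag[/\bintegrity="([^"]*)"/i, 1]
    url  = tag[/\b(?:src|href)="([^"]*)"/i, 1]
    next unless attr && url
    next [url, attr, "asset not found"] unless assets.key?(url)
    [url, attr, sri_token(assets[url])] unless integrity_ok?(attr, assets[url])
  end
end

# Constructed sample: both tags were rendered for build A, but one file on disk
# comes from build B, so its digest no longer matches the tag.
BUILD_A = "console.log('build A')\n"
BUILD_B = "console.log('build B')\n"
ASSETS = { "/assets/ok-aaaa.js" => BUILD_A, "/assets/app-bbbb.js" => BUILD_B }.freeze
HTML = <<~PAGE
  <script type="module" src="/assets/ok-aaaa.js" integrity="#{sri_token(BUILD_A)}"></script>
  <link rel="modulepreload" href="/assets/app-bbbb.js" integrity="#{sri_token(BUILD_A)}">
PAGE

sri_mismatches(HTML, ASSETS).each do |url, want, got|
  puts "SRI mismatch for #{url}: tag has #{want}, file is #{got}"
end
```

In a real suite the HTML would come from a page rendered against the precompiled assets, and the bytes from the files actually deployed.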