webpack-subresource-integrity overwrites integrity values on explicitly set externals

[r0bs]

I'm using webpack-subresource-integrity to set integrity hashs on local resources. This works fine. At the same time I'm defining externals (including integrity hash) manually with html-webpack-externals-plugin like this:

    new HtmlWebpackExternalsPlugin({
      externals: [
        {
          module: 'jquery',
          entry: {
            path: 'https://code.jquery.com/jquery-3.2.1.js',
            attributes: {
              integrity: 'sha256-DZAnKJ/6XZ9si04Hgrsxu/8s717jcIzLy3oi35EouyE=',
              crossorigin: 'anonymous',
            },
          },
          global: 'jQuery',
        },
      ],
    })

However, the integrity attribute get's overwritten by webpack-subresource-integrity with null, resulitng in this:

<script type="text/javascript" src="https://code.jquery.com/jquery-3.2.1.js" integrity="null" crossorigin="anonymous"></script>

Is there anyway to prevent this unwanted behavior?

[jscheid]

Hi, thanks for your bug report.

I've added a simple test case (see above) and it seems to work OK. Would you mind putting together one that fails?

See https://github.com/waysact/webpack-subresource-integrity/blob/master/CONTRIBUTING.md

Let me know if you have any trouble writing the test case.

You can also point me to a sample repository that demonstrates the issue.

[r0bs]

Hi @jscheid! Thanks for your super fast response! Created a sample for demo here: https://github.com/r0bs/sri-null

[jscheid]

@r0bs no problem, thanks for the test repo. The test case had a bug which I didn't notice because the issue only manifests with certain dependency versions. I can reproduce now, aiming to roll a release with the fix tomorrow.

[jscheid]

Fix released in 1.3.1.

[r0bs]

Hey @jscheid ! Thanks for the fix, solves the issue for me.

Now explicitly set integrity attributes on external assets don't get overwritten. However, if one decides to purposefully omit the integrity attribute on an external asset, integrity="null" will still be added to the script tag, rendering the script useless. Is there a rationale behind this?

[jscheid]

Yeah I realized this too. This can be improved still.

(Adding an external asset without integrity while using this plugin is pointless: this plugin has no way of knowing which integrity value to use, and wanting to add one without integrity is Achilles' heel. But, we should output a warning (or perhaps even trigger an error with a good message) instead of letting the page crash.)