How to use ssri - 10 common examples

To help you get started, we’ve selected a few ssri examples, based on popular ways it is used in public projects.


github Leaflet / Leaflet / build / integrity.js View on Github external
// Build helper: computes Subresource Integrity (SRI) strings for the built
// files in dist/ and substitutes them, together with the package version,
// into the text of docs/_config.yml. The existing values in that text are
// **overwritten**.
//
// ssri.fromData() is called without options, so the digest algorithm is
// whatever ssri uses by default (sha512 per the ssri README; confirm for the
// pinned version). The hashes describe the bytes currently on disk in dist/,
// so they are only as trustworthy as the build that produced those files.

const ssri = require('ssri');
const fs = require('fs');
const { version } = require('../package.json');

// One Integrity object per distributable, hashed from the raw file bytes.
const integritySrc = ssri.fromData(fs.readFileSync('dist/leaflet-src.js'));
const integrityUglified = ssri.fromData(fs.readFileSync('dist/leaflet.js'));
const integrityCss = ssri.fromData(fs.readFileSync('dist/leaflet.css'));

// Serialise once; the same strings are logged and written into the config.
const sriSrc = integritySrc.toString();
const sriUglified = integrityUglified.toString();
const sriCss = integrityCss.toString();

console.log('Integrity hashes for ', version, ':');
console.log('dist/leaflet-src.js: ', sriSrc);
console.log('dist/leaflet.js:     ', sriUglified);
console.log('dist/leaflet.css:    ', sriCss);

let docConfig = fs.readFileSync('docs/_config.yml').toString();

// Each pattern consumes the rest of its line, so the whole old value is
// replaced. A key that is missing from the config is silently left alone.
const substitutions = [
	[/latest_leaflet_version:.*/, `latest_leaflet_version: ${version}`],
	[/integrity_hash_source:.*/, `integrity_hash_source: "${sriSrc}"`],
	[/integrity_hash_uglified:.*/, `integrity_hash_uglified: "${sriUglified}"`],
	[/integrity_hash_css:.*/, `integrity_hash_css: "${sriCss}"`],
];

for (const [pattern, replacement] of substitutions) {
	docConfig = docConfig.replace(pattern, replacement);
}
github Leaflet / Leaflet / build / integrity.js View on Github external
// Computes the SRI hashes of the built files in dist/ and rewrites the
// matching entries (version plus three hashes) in the docs config text.
// Values already present in the config are **overwritten**.
//
// The hashes are taken from the local dist/ files as they exist when the
// script runs; publish them only from a build whose output you trust.

const ssri = require('ssri');
const fs = require('fs');
const version = require('../package.json').version;

// Hash a file's raw bytes with ssri's default options.
const hashFile = (path) => ssri.fromData(fs.readFileSync(path));

const integritySrc = hashFile('dist/leaflet-src.js');
const integrityUglified = hashFile('dist/leaflet.js');
const integrityCss = hashFile('dist/leaflet.css');

console.log('Integrity hashes for ', version, ':');
console.log('dist/leaflet-src.js: ', integritySrc.toString());
console.log('dist/leaflet.js:     ', integrityUglified.toString());
console.log('dist/leaflet.css:    ', integrityCss.toString());

const originalConfig = fs.readFileSync('docs/_config.yml').toString();

// Apply the four line-level substitutions in a fixed order. Each regex
// matches from the key to the end of its line.
let docConfig = originalConfig;
docConfig = docConfig.replace(/latest_leaflet_version:.*/, `latest_leaflet_version: ${version}`);
docConfig = docConfig.replace(/integrity_hash_source:.*/, `integrity_hash_source: "${integritySrc.toString()}"`);
docConfig = docConfig.replace(/integrity_hash_uglified:.*/, `integrity_hash_uglified: "${integrityUglified.toString()}"`);
docConfig = docConfig.replace(/integrity_hash_css:.*/, `integrity_hash_css: "${integrityCss.toString()}"`);

// Debug aid: log docConfig here to inspect the rewritten jekyll config.
github npm / cacache / lib / verify.js View on Github external
(f) => {
            const split = f.split(/[/\\]/)
            const digest = split.slice(split.length - 3).join('')
            const algo = split[split.length - 4]
            const integrity = ssri.fromHex(digest, algo)
            if (liveContent.has(integrity.toString())) {
              return verifyContent(f, integrity).then((info) => {
                if (!info.valid) {
                  stats.reclaimedCount++
                  stats.badContentCount++
                  stats.reclaimedSize += info.size
                } else {
                  stats.verifiedContent++
                  stats.keptSize += info.size
                }
                return stats
              })
            } else {
              // No entries refer to this content. We can delete.
              stats.reclaimedCount++
              return stat(f).then((s) => {
github npm / pacote / lib / fetcher.js View on Github external
[_istream] (stream) {
    // Every fetch goes through an ssri integrity stream built from
    // this.opts, whether the result is used to verify an expected value or
    // only to compute one. It is always attached because the packument may
    // carry nothing better than a weak legacy hex sha1, and the value
    // computed here MAY replace it with a stronger algorithm.
    // If an expected integrity was supplied and the data does not match,
    // the integrity stream raises its error before the 'integrity' handler
    // below could overwrite this.integrity, so a mismatch is never masked.
    const checker = ssri.integrityStream(this.opts)
    checker.on('integrity', (computed) => { this.integrity = computed })
    // Failures on the source stream are re-emitted on the integrity stream
    // so that consumers of the returned stream see them.
    const forwardError = (er) => checker.emit('error', er)
    return stream.on('error', forwardError).pipe(checker)
  }
github imsnif / synp / util / integrity.js View on Github external
async getSha1Integrity (integrity, resolved, manifest) {
    // yarn.lock backwards compatibility: an integrity value that already
    // starts with "sha1-" is returned unchanged. `manifest` is not used here.
    if (/^sha1-/.test(integrity)) {
      return integrity
    }
    // NOTE(review): the sha1 below is computed from whatever bytes the
    // resolved URL returns. Nothing in this method checks the download
    // against the `integrity` value that was passed in, so the result
    // describes the response rather than verifying it. Confirm that callers
    // verify the content elsewhere, or check it here before hashing.
    const tarball = await rp({
      url: normalizeUrl(resolved),
      // presumably request-promise: a null encoding yields the raw body
      encoding: null
    })
    const hasher = ssri.create({algorithms: ['sha1']})
    return hasher.update(tarball).digest().toString()
  }
}
github npm / cacache / lib / content / read.js View on Github external
const tryFn = () => {
    const sri = ssri.parse(integrity)
    // If `integrity` has multiple entries, pick the first digest
    // with available local data.
    const algo = sri.pickAlgorithm()
    const digests = sri[algo]

    if (digests.length <= 1) {
      const cpath = contentPath(cache, digests[0])
      return fn(cpath, digests[0])
    } else {
      // Can't use race here because a generic error can happen before a ENOENT error, and can happen before a valid result
      return Promise
        .all(digests.map((meta) => {
          return withContentSri(cache, meta, fn)
            .catch((err) => {
              if (err.code === 'ENOENT') {
                return Object.assign(
github davidhealey / waistline / node_modules / npm / lib / install / diff-trees.js View on Github external
/**
 * Return the parsed integrity metadata for a package, or undefined.
 *
 * Sources are tried in order: `pkg.dist.integrity` (provided by the
 * registry), `pkg._integrity` (provided by pacote), then the legacy
 * `pkg._shasum`, a hex SHA-1 that is converted to SRI form. Converting the
 * shasum changes only its format; it is still a SHA-1 digest.
 *
 * Any exception (a null `pkg`, an unparsable value) is swallowed and
 * reported as undefined, so callers cannot tell "absent" from "malformed".
 *
 * @param {object} pkg package metadata
 * @returns {object|undefined} ssri.parse() result, or undefined when no
 *   usable integrity value was found
 */
function pkgIntegrity (pkg) {
  try {
    var raw = pkg.dist && pkg.dist.integrity
    if (!raw) raw = pkg._integrity
    if (!raw && pkg._shasum) raw = ssri.fromHex(pkg._shasum, 'sha1').toString()
    if (!raw) return
    var parsed = ssri.parse(raw)
    // A parse result without any keys carries no hashes; treat it as absent.
    return Object.keys(parsed).length === 0 ? undefined : parsed
  } catch (ex) {
    return
  }
}
github npm / cacache / lib / content / read.js View on Github external
function withContentSriSync (cache, integrity, fn) {
  const sri = ssri.parse(integrity)
  // If `integrity` has multiple entries, pick the first digest
  // with available local data.
  const algo = sri.pickAlgorithm()
  const digests = sri[algo]
  if (digests.length <= 1) {
    const cpath = contentPath(cache, digests[0])
    return fn(cpath, digests[0])
  } else {
    let lastErr = null
    for (const meta of digests) {
      try {
        return withContentSriSync(cache, meta, fn)
      } catch (err) {
        lastErr = err
      }
    }
github davidhealey / waistline / node_modules / npm / lib / install / diff-trees.js View on Github external
/**
 * Look up a package's integrity metadata and return it in parsed form.
 *
 * Preference order: the registry-supplied `pkg.dist.integrity`, the
 * pacote-supplied `pkg._integrity`, and finally the legacy `pkg._shasum`
 * (hex SHA-1, re-encoded as an SRI string before parsing). The legacy path
 * yields a sha1 entry only, so it offers no more assurance than the shasum.
 *
 * Errors are deliberately swallowed: any failure results in undefined.
 *
 * @param {object} pkg package metadata
 * @returns {object|undefined} parsed integrity, or undefined if none is usable
 */
function pkgIntegrity (pkg) {
  var result
  try {
    var source = (pkg.dist && pkg.dist.integrity) || pkg._integrity
    if (!source && pkg._shasum) {
      source = ssri.fromHex(pkg._shasum, 'sha1').toString()
    }
    if (source) {
      var candidate = ssri.parse(source)
      // Only a parse result that has at least one key is returned.
      if (Object.keys(candidate).length > 0) result = candidate
    }
  } catch (ex) {
    // best effort: fall through and return undefined
  }
  return result
}
github npm / pacote / lib / fetchers / registry / manifest.js View on Github external
function annotateManifest (spec, manifest, opts) {
  const shasum = manifest.dist && manifest.dist.shasum
  manifest._integrity = manifest.dist && manifest.dist.integrity
  manifest._shasum = shasum
  if (!manifest._integrity && shasum) {
    // Use legacy dist.shasum field if available.
    manifest._integrity = ssri.fromHex(shasum, 'sha1').toString()
  }
  manifest._resolved = (
    manifest.dist && manifest.dist.tarball
  )
  if (!manifest._resolved) {
    const registry = fetch.pickRegistry(spec, opts)
    const uri = registry.replace(/\/?$/, '/') + spec.escapedName

    const err = new Error(
      `Manifest for ${manifest.name}@${manifest.version} from ${uri} is missing a tarball url (pkg.dist.tarball). Guessing a default.`
    )
    err.code = 'ENOTARBALL'
    err.manifest = manifest
    if (!manifest._warnings) { manifest._warnings = [] }
    manifest._warnings.push(err.message)
    manifest._resolved =

ssri

Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.

ISC
Latest version published 3 months ago
