Tag built version with SRI hash
The release does not include a JavaScript version.
Also, the recommended install instructions are to load from CDN using jsDelivr or others without SRI.
Best practice is to use SRI, which prevents supply-chain attacks. This would allow using SRI when including the file from a CDN.
> The release does not include a JavaScript version.

This is intentional; if you want web-ready assets, use the cdn-assets package instead.

> Also, the recommended install instructions are to load from CDN using jsDelivr or others without SRI.

We do mention SRI in the docs for anyone who wishes to use it.
- https://github.com/highlightjs/highlight.js/blob/main/README.md#fetch-via-cdn
- https://github.com/highlightjs/cdn-release/blob/main/DIGESTS.md
Aha, cool, thank you for the reference.
Maybe consider using those links at https://highlightjs.org/usage/ under the example code in the "Fetch via CDN" section.
It's mentioned there. If you'd like to suggest how to make it pop a bit more a PR would be welcome.
I just wanted to include the SRI in the example. Is that okay?
Well, it's problematic because I don't want to deal with getting the exact correct HASH in the README every time we bump the version... I've already taken special care that the hashes are generated when the CDN resources are built by our release scripts - they are only guaranteed to be in sync with that exact build.
If we changed anything, perhaps we could add a small subsection that has a very short introduction to SRI, showing an example (sans hash, or with HASHGOESHERE), then links out to the CDN documentation on SRI. I.e., the examples would NOT be copy-and-paste ready.
Maybe the build script can be responsible for saving the hash here https://github.com/highlightjs/highlight.js/actions/runs/1088606445/workflow#L93
Then the README is copy-pastable and keeps people safe by default.
There are probably other projects using this approach too, or we can be a leader here and other people will copy this build script approach.
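The build-step approach suggested above, as an added example that is not highlight.js project code: a small POSIX shell helper that computes an SRI value for a built asset, emits the matching script tag, fills a HASHGOESHERE placeholder in a README template, and re-verifies a file against a published hash. It assumes openssl is on PATH; the asset content and CDN URL are constructed placeholders.

```shell
#!/bin/sh
# Added example (not highlight.js project code): generate a Subresource
# Integrity value for a built asset and fill it into a README template, the
# kind of step a release script could run so the published hash matches the
# exact build. Assumes openssl is on PATH.
set -eu

# sri_hash FILE [ALGO] -> prints "<algo>-<base64 digest>", e.g. "sha384-..."
sri_hash() {
  file=$1
  algo=${2:-sha384}
  # SRI wants the raw digest base64-encoded, not the usual hex string
  digest=$(openssl dgst "-$algo" -binary "$file" | openssl base64 -A)
  printf '%s-%s\n' "$algo" "$digest"
}

# sri_script_tag URL FILE -> <script> element with integrity and crossorigin set
sri_script_tag() {
  printf '<script src="%s" integrity="%s" crossorigin="anonymous"></script>\n' \
    "$1" "$(sri_hash "$2")"
}

# render_sri_template TEMPLATE ASSET [ALGO] -> template with HASHGOESHERE replaced
render_sri_template() {
  # '|' is safe as the sed delimiter: base64 only uses A-Z a-z 0-9 + / =
  sed "s|HASHGOESHERE|$(sri_hash "$2" "${3:-sha384}")|g" "$1"
}

# sri_check FILE EXPECTED -> exit status 0 only if FILE still matches EXPECTED
sri_check() {
  [ "$(sri_hash "$1" "${2%%-*}")" = "$2" ]
}

# Demo on a constructed asset (placeholder content and URL, not a real build)
asset=$(mktemp)
printf 'console.log("hello");\n' > "$asset"
sri_script_tag "https://cdn.example.invalid/highlight.min.js" "$asset"
rm -f "$asset"
```

Because the digest is taken from the file that is actually shipped, a tag rendered this way can only be in sync with that exact build, which is the property the thread is after.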
Our release process is currently dependent on tagging releases in git. I worry about a GHA modifying the very tag that it's releasing and then retagging it over and over. I can imagine all sorts of things going wrong with that. If someone else wanted to put in the work on this and it was simple enough to do I'm not opposed.
If you wanted to rename this issue (or open a new issue) for just that I will tag it as help welcome and leave it around for future contributors...
> If we changed anything, perhaps we could add a small subsection that has a very short introduction to SRI, showing an example (sans hash, or with HASHGOESHERE), then links out to the CDN documentation on SRI. I.e., the examples would NOT be copy-and-paste ready.
I'm definitely open to this and a PR would be welcome.