Several extensions list the wrong SRI hash in website instructions
The docs at https://htmx.org/extensions/ws/ specify the following script slug for the websocket extension:
<script src="https://unpkg.com/[email protected]" integrity="sha384-vuKxTKv5TX/b3lLzDKP2U363sOAoRo5wSvzzc3LJsbaQRSBSS+3rKKHcOx5J8doU" crossorigin="anonymous"></script>
This does not match the hash being served by unpkg: https://unpkg.com/[email protected]/ws.js?meta reports:
{
  "path": "/ws.js",
  "type": "file",
  "contentType": "application/javascript",
  "integrity": "sha384-932iIqjARv+Gy0+r6RTGrfCkCKS5MsF539Iqf6Vt8L4YmbnnWI2DSFoMD90bvXd0",
  "lastModified": "Sat, 26 Oct 1985 08:15:00 GMT",
  "size": 14714
}
Scanning through prior 2.0 releases, the hash on the site matches none of the files being served:
2.0.0 VqNJ+TGe5p19ICrkQPMUpIPdf04GGX50ZlfXfr5SRv71mQML5JxOdh/Iuj4Ap1kJ
2.0.1 jSpIszfCfEqOqGTgN8CQ71jV7AcXR8in7HHlH+WCBzT575I1Va6Hywg47/R6S8UT
2.0.2 932iIqjARv+Gy0+r6RTGrfCkCKS5MsF539Iqf6Vt8L4YmbnnWI2DSFoMD90bvXd0
2.0.3 UQRM5X6/SG8fQYKt4K+MgCmlaxETMLkkEH8yiky5TdOZzNY0EQ8RjP/S0kMU+w6r
Similarly, ws-ext-sse's SRI hash does not seem to match the one on the website: the site lists Y4gc0CK6Kg+hmulDc6rZPJu0tqvk7EWlih0Oh+2OkAi1ZDlCbBDCQEE2uVk472Ky, but unpkg serves a file with hash fw+eTlCc7suMV/1w/7fr2/PmwElUIt5i82bi+qTiLXvjRXZ2/FkiTNA/w0MhXnGI.
cc @marisst since I think the SRI fetches were added to the doc by https://github.com/bigskysoftware/htmx-extensions/pull/123 and https://github.com/bigskysoftware/htmx/pull/3127 . I was attempting to use the listed hashes to verify the download from unpkg prior to embedding the files into a project, which is how I discovered the mismatch.
It seems unpkg is serving the correct files: rebuilding from git source, the hashes I get for ws 2.0.2 and 2.0.3 are a match for what unpkg is serving.
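The check described in this report, verifying a downloaded file against the `integrity` value pinned in a docs snippet before vendoring it, can be scripted as below. This is an added example, not part of the original issue or the htmx project's tooling; the URL, file contents, and helper names are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser

STRENGTH = ["sha256", "sha384", "sha512"]  # SRI algorithms, weakest first

def sri_digest(data: bytes, alg: str = "sha384") -> str:
    """Return the SRI token "<alg>-<base64 digest>" for data."""
    raw = hashlib.new(alg, data).digest()
    return f"{alg}-{base64.b64encode(raw).decode('ascii')}"

def parse_integrity(value: str) -> dict:
    """Group the tokens of an integrity attribute by algorithm."""
    by_alg = {}
    for token in value.split():
        token = token.split("?", 1)[0]  # drop optional "?options"
        alg, sep, digest = token.partition("-")
        if sep and alg in STRENGTH and digest:
            by_alg.setdefault(alg, set()).add(digest)
    return by_alg

def verify(data: bytes, integrity: str) -> bool:
    """True if data matches a digest of the strongest algorithm listed."""
    by_alg = parse_integrity(integrity)
    if not by_alg:
        return False  # fail closed (a browser would load the file unchecked)
    alg = max(by_alg, key=STRENGTH.index)
    return sri_digest(data, alg).split("-", 1)[1] in by_alg[alg]

class ScriptTags(HTMLParser):
    """Collect (src, integrity) from every <script src=...> tag."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.found.append((a["src"], a.get("integrity") or ""))

def check_snippet(html: str, files: dict) -> dict:
    """Map each script src in html to whether files[src] matches its pin."""
    parser = ScriptTags()
    parser.feed(html)
    return {src: verify(files[src], pin) for src, pin in parser.found}

# Constructed sample: a served file and a docs snippet pinning a stale build.
SERVED = {"https://cdn.example/ext.js": b"console.log('release build');\n"}
STALE = sri_digest(b"console.log('older build');\n")
DOCS = f'<script src="https://cdn.example/ext.js" integrity="{STALE}"></script>'
print(check_snippet(DOCS, SERVED))  # the pin does not match the served bytes
```

Running this over documentation snippets in CI, with `files` filled from the built release artifacts, would flag a stale pin before it is published.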