
chore(security): add SRI integrity to CDN scripts #70

Merged: linusdevx merged 1 commit into dev from chore/add-sri-to-cdn-scripts, Jun 23, 2026

Conversation

@linusdevx (Owner)

Adds integrity="sha384-..." and crossorigin="anonymous" to the three CDN scripts in index.html:

  • pako@2.1.0 — compression for share URLs
  • lucide@1.14.0 — icon library
  • monaco-editor@0.44.0 loader

Why

Mitigates a real (if low-probability) supply-chain risk: if a CDN serves a tampered version, the browser refuses to execute it. This is the only real CodeQL alert that survived the recent bulk-dismissal of false positives — the other 70 were CodeQL misreading the no-module-system architecture.

Resolves CodeQL alert js/functionality-from-untrusted-source at index.html:51-53.

Verification

  • Hashes computed directly from the CDN-served bytes:
    curl -sL <url> | openssl dgst -sha384 -binary | openssl base64 -A
  • npm run build confirmed: SRI attrs preserved through the Vite pipeline (the strip regex matches only src="js/...", not full URLs).
  • E2E will validate the live page in CI.

Maintenance cost

Each version bump now needs a fresh hash. Dependabot doesn't manage these CDN refs, so bumps are manual anyway — adding one extra step. The trade-off is worth it for a public-facing app.

Adds sha384 integrity hashes and crossorigin=anonymous to the three
CDN-hosted dependencies in index.html:

- pako@2.1.0 (compression for share URLs)
- lucide@1.14.0 (icon library)
- monaco-editor@0.44.0 loader

Mitigates the supply-chain risk of a tampered CDN response — the browser
refuses to execute any script whose content doesn't match the hash.

Resolves the only real CodeQL alert
(js/functionality-from-untrusted-source) on index.html:51-53.

Maintenance note: each version bump now requires regenerating the hash:
  curl -sL <url> | openssl dgst -sha384 -binary | openssl base64 -A
@linusdevx linusdevx merged commit 418bab4 into dev Jun 23, 2026
4 checks passed
@linusdevx linusdevx deleted the chore/add-sri-to-cdn-scripts branch June 23, 2026 05:27
linusdevx added a commit that referenced this pull request Jun 23, 2026
* chore(dependabot): target dev, ignore major bumps

After enabling Dependabot, it immediately opened 8 PRs against main —
including several cross-major bumps (vite 6→8, checkout 4→7, etc.) that
need human review and would have skipped the normal dev → main flow.

- target-branch: dev — PRs go through dev like any other change
- ignore semver-major — automated PRs are patch/minor only; majors are
  reviewed by a human when needed
- Security advisories still open PRs regardless of these ignore rules

* fix(editor): handle --!> when stripping XML comment markers

The toggle-comment command stripped --> but not --!>, the rare-but-legal
HTML comment-end-bang form. Browsers (and the HTML spec) treat both as
valid comment terminators; toggling-off a buffer that used the bang form
would leave a stray --!> on the line.

Side benefit: closes CodeQL alert #1 (js/bad-tag-filter) on this line.
The alert was technically a false positive — the regex output is fed
into Monaco's text buffer, never rendered as HTML — but the underlying
incompleteness was real, so it's worth fixing rather than dismissing.

* chore(ci): harden workflows for OpenSSF Scorecard (#67)

- Pin all GitHub Actions to commit SHAs (Pinned-Dependencies check)
- Add top-level 'permissions: contents: read' to codeql.yml and
  e2e-tests.yml (Token-Permissions check); scorecard.yml already had
  'permissions: read-all'
- Bump action versions while pinning:
  - actions/checkout v4 -> v4.2.2
  - actions/setup-node v4 -> v4.4.0
  - actions/upload-artifact v4 -> v4.4.3
  - github/codeql-action v3 -> v3.36.2
  - ossf/scorecard-action v2.4.0 -> v2.4.3

CodeQL's per-job 'permissions:' block is preserved — it widens the
top-level default to grant security-events:write for SARIF upload.

* chore(deps): bump the actions-minor-and-patch group with 2 updates (#69)

Bumps the actions-minor-and-patch group with 2 updates: [actions/checkout](https://github.com/actions/checkout) and [actions/upload-artifact](https://github.com/actions/upload-artifact).


Updates `actions/checkout` from 4.2.2 to 4.3.1
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@11bd719...34e1148)

Updates `actions/upload-artifact` from 4.4.3 to 4.6.2
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@b4b15b8...ea165f8)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 4.3.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-and-patch
- dependency-name: actions/upload-artifact
  dependency-version: 4.6.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @playwright/test (#64)

Bumps the dev-minor-and-patch group with 1 update in the / directory: [@playwright/test](https://github.com/microsoft/playwright).


Updates `@playwright/test` from 1.60.0 to 1.61.0
- [Release notes](https://github.com/microsoft/playwright/releases)
- [Commits](microsoft/playwright@v1.60.0...v1.61.0)

---
updated-dependencies:
- dependency-name: "@playwright/test"
  dependency-version: 1.61.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dev-minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(security): add SRI integrity to CDN-loaded scripts (#70)

Adds sha384 integrity hashes and crossorigin=anonymous to the three
CDN-hosted dependencies in index.html:

- pako@2.1.0 (compression for share URLs)
- lucide@1.14.0 (icon library)
- monaco-editor@0.44.0 loader

Mitigates the supply-chain risk of a tampered CDN response — the browser
refuses to execute any script whose content doesn't match the hash.

Resolves the only real CodeQL alert
(js/functionality-from-untrusted-source) on index.html:51-53.

Maintenance note: each version bump now requires regenerating the hash:
  curl -sL <url> | openssl dgst -sha384 -binary | openssl base64 -A

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>