From 2f9b3bf080bfb7352f5b9dcac6da68e6178ddc9d Mon Sep 17 00:00:00 2001
From: linusdevx
Date: Tue, 23 Jun 2026 10:52:21 +0530
Subject: [PATCH] chore(security): add SRI integrity to CDN-loaded scripts
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds sha384 integrity hashes and crossorigin=anonymous to the three
CDN-hosted dependencies in index.html:

- pako@2.1.0 (compression for share URLs)
- lucide@1.14.0 (icon library)
- monaco-editor@0.44.0 loader

Mitigates the supply-chain risk of a tampered CDN response — the browser
refuses to execute any script whose content doesn't match the hash.

Resolves the only real CodeQL alert
(js/functionality-from-untrusted-source) on index.html:51-53.

Maintenance note: each version bump now requires regenerating the hash:

  curl -sL | openssl dgst -sha384 -binary | openssl base64 -A

---
 index.html | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/index.html b/index.html index b02676f..0c73aac 100644 --- a/index.html +++ b/index.html @@ -48,9 +48,9 @@ - - - + + +
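Review bot: SRI on the monaco-editor@0.44.0 loader, one of the three lines replaced in the @@ -48,9 +48,9 @@ hunk, covers only the loader file itself; whatever that loader requests afterwards at runtime is not checked against any hash. If index.html points the loader at the same CDN for the editor modules, the commit message's statement that a tampered CDN response is refused holds for pako and lucide but only for the first Monaco request. Suggest either stating that limit in the commit message or serving the Monaco files from the project's own origin. Separately, the hash-regeneration command lives only in the commit message and, as shown, passes no URL to curl; put the full procedure in a comment beside the script tags or in the README, so a version bump that skips it is caught in review rather than as a blocked script at page load.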