{"id":18306,"library":"ember-cli-sri","title":"ember-cli-sri","description":"Ember CLI addon for generating Subresource Integrity (SRI) hashes to secure JavaScript and CSS subresources against CDN poisoning and corruption. Current stable version is 2.1.1. Releases are made as needed; v2.0.0 disabled paranoiaCheck by default. Key differentiator: it integrates seamlessly with Ember CLI and fingerprinting, providing fail-safe defaults that avoid breaking the app when misconfigured. Supports CORS and relative/absolute URLs.","status":"active","version":"2.1.1","language":"javascript","source_language":"en","source_url":"https://github.com/jonathanKingston/ember-cli-sri","tags":["javascript","ember-addon","SRI","infosec","security"],"install":[{"cmd":"npm install ember-cli-sri","lang":"bash","label":"npm"},{"cmd":"yarn add ember-cli-sri","lang":"bash","label":"yarn"},{"cmd":"pnpm add ember-cli-sri","lang":"bash","label":"pnpm"}],"dependencies":[{"reason":"Required for transpilation in Ember addon context","package":"ember-cli-babel","optional":false},{"reason":"Core SRI hash generation logic","package":"broccoli-sri-hash","optional":false}],"imports":[{"note":"This is an Ember CLI addon; it is automatically loaded. No manual import needed.","wrong":"import emberCliSri from 'ember-cli-sri';","symbol":"default","correct":"Install with `ember install ember-cli-sri` (no explicit import required)"}],"quickstart":{"code":"// In ember-cli-build.js\nvar app = new EmberApp({\n  SRI: {\n    crossorigin: 'anonymous'\n  },\n  fingerprint: {\n    prepend: 'https://cdn.example.com/'\n  }\n});\n\n// Then run: ember build --environment production\n// Output will include integrity attributes on script/link tags.","lang":"javascript","description":"Configures SRI with CORS for assets served from a CDN. Ensure origin matches prepend or crossorigin is set."},"warnings":[{"fix":"Set SRI.paranoiaCheck: true to restore v1 behavior.","message":"In v2.0.0, the paranoiaCheck option was disabled by default, which may allow missing fingerprints to go unnoticed.","severity":"breaking","affected_versions":">=2.0.0"},{"fix":"Ensure fingerprint.prepend matches the actual asset prefix.","message":"SRI will not be applied if the asset URL does not start with fingerprint.prepend.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Set SRI.crossorigin to 'anonymous' or 'use-credentials' and ensure CORS headers are present.","message":"Cross-origin resources require SRI.crossorigin to be set, otherwise integrity is skipped.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Use SRI.crossorigin and fingerprint.prepend instead.","message":"The 'origin' option is deprecated in favor of setting SRI.crossorigin and ensuring fingerprint.prepend matches.","severity":"deprecated","affected_versions":">=2.0.0"}],"env_vars":null,"last_verified":"2026-04-25T00:00:00.000Z","next_check":"2026-07-24T00:00:00.000Z","problems":[{"fix":"Ensure fingerprint.prepend matches the asset URL's prefix and set SRI.crossorigin if the asset is on a different origin.","cause":"Either fingerprint.prepend doesn't match the asset URL, or crossorigin is missing for cross-origin resources.","error":"SRI integrity attribute not added to script/link tags"},{"fix":"Set SRI.crossorigin to 'anonymous' or 'use-credentials' in the EmberApp config.","cause":"Using a prepend URL that is not the same origin as the app without setting SRI.crossorigin.","error":"Error: Invalid SRI configuration: crossorigin must be set for external resources"}],"ecosystem":"npm","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null}