{"id":22845,"library":"vite-plugin-sri-gen","title":"vite-plugin-sri-gen","description":"A Vite plugin that auto-generates Subresource Integrity (SRI) hashes for built assets and injects integrity/crossorigin attributes into HTML output. Current stable version 1.4.1, requires Node ≥18 and Vite ≥4. Released monthly. Key differentiators: supports multiple hash algorithms (sha256, sha384, sha512), optional lazy-loaded chunk integrity via runtime patch, Vite manifest augmentation for SSR/backend-owned HTML, configurable include/exclude patterns, and in-memory HTTP cache. ESM-only, builds on parse5 for HTML parsing. Does not work for most SSR frameworks unless pre-rendering HTML or reading the augmented manifest.","status":"active","version":"1.4.1","language":"javascript","source_language":"en","source_url":"https://github.com/rbonestell/vite-plugin-sri-gen","tags":["javascript","vite","subresource","integrity","sri","content","security","policy","csp","typescript"],"install":[{"cmd":"npm install vite-plugin-sri-gen","lang":"bash","label":"npm"},{"cmd":"yarn add vite-plugin-sri-gen","lang":"bash","label":"yarn"},{"cmd":"pnpm add vite-plugin-sri-gen","lang":"bash","label":"pnpm"}],"dependencies":[{"reason":"peer dependency required for plugin integration","package":"vite","optional":false},{"reason":"used for parsing and modifying HTML during build","package":"parse5","optional":false}],"imports":[{"note":"ESM-only package; require() will fail. Named export only.","wrong":"const sriGen = require('vite-plugin-sri-gen'); const { sriGen } = require('vite-plugin-sri-gen')","symbol":"sriGen","correct":"import { sriGen } from 'vite-plugin-sri-gen'"},{"note":"Default export is also available; both named and default work equivalently.","wrong":"import { default as sriGen } from 'vite-plugin-sri-gen'","symbol":"default","correct":"import sriGen from 'vite-plugin-sri-gen'"},{"note":"TypeScript users should import the type for config objects.","wrong":"import { SRIOptions } from 'vite-plugin-sri-gen' (if types are used at runtime)","symbol":"SRIOptions","correct":"import type { SRIOptions } from 'vite-plugin-sri-gen'"}],"quickstart":{"code":"// vite.config.ts\nimport { defineConfig } from 'vite';\nimport { sriGen } from 'vite-plugin-sri-gen';\n\nexport default defineConfig({\n  plugins: [\n    sriGen({\n      algorithms: ['sha384', 'sha512'],\n      include: [/^\\/assets\\//],\n      exclude: ['**/*.map'],\n      verboseLogging: false,\n      skipResources: [],\n      enableManifest: true,\n      handleSSR: false,\n      runtimeInjection: false,\n    }),\n  ],\n});","lang":"typescript","description":"Shows basic setup of vite-plugin-sri-gen with custom algorithms, include/exclude patterns, and manifest enabled."},"warnings":[{"fix":"No action needed unless you extended the plugin; the public API is unchanged.","message":"Version 1.2.0 replaced cheerio with parse5. This may break custom HTML transformations if you relied on cheerio-specific behavior.","severity":"breaking","affected_versions":">=1.2.0 <1.3.0"},{"fix":"Set verboseLogging: true in config if you rely on old logging output.","message":"Version 1.3.0 reduced logging verbosity by default; verboseLogging must be explicitly set to true for detailed logs.","severity":"breaking","affected_versions":">=1.3.0"},{"fix":"Use dynamic import() or switch to ESM in your project.","message":"Using require() to import this package is unsupported because the package is ESM-only.","severity":"deprecated","affected_versions":">=1.0.0"},{"fix":"Pre-render your SSR application (e.g., using vite-plugin-ssr pre-rendering) or use the manifest augmentation (enableManifest: true) to attach SRI server-side.","message":"This plugin does not inject SRI into HTML for most SSR frameworks (e.g., SvelteKit, Nuxt) because HTML is not generated at build time. It only works with pre-rendered SSR output.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Update to v1.3.2 or later; for older versions, ensure resources use relative paths.","message":"When using absolute URLs in index.html (e.g., CDN scripts), the plugin may fail to match resources. Fixed in v1.3.2 for main script tags, but other absolute URLs might still be skipped.","severity":"gotcha","affected_versions":">=1.0.0 <1.3.2"},{"fix":"Add build: { manifest: true } to your Vite config.","message":"If you enable enableManifest but don't also set build.manifest: true in your Vite config, the manifest won't be generated and the plugin will have no effect.","severity":"gotcha","affected_versions":">=1.4.0"}],"env_vars":null,"last_verified":"2026-04-27T00:00:00.000Z","next_check":"2026-07-26T00:00:00.000Z","problems":[{"fix":"Change to ESM: set \"type\": \"module\" in package.json or use dynamic import().","cause":"The package is ESM-only and cannot be require()'d.","error":"ERR_REQUIRE_ESM: require() of ES Module ... from ... not supported"},{"fix":"Use import { sriGen } from 'vite-plugin-sri-gen' or default import sriGen from 'vite-plugin-sri-gen'.","cause":"Default import was used when only named export exists (or vice versa).","error":"TypeError: sriGen is not a function"},{"fix":"Ensure your build produces HTML files, or enable enableManifest and set build.manifest: true to use the manifest approach.","cause":"The plugin expects HTML files in the build output, but none were generated (common in SSR without pre-rendering).","error":"Error: No HTML files found in output directory. Skipping SRI injection."},{"fix":"Ensure that no other plugins modify the resource content after sriGen runs; reorder plugins or disable conflicting transforms.","cause":"The resource content changed after the hash was computed (e.g., runtime injection after build).","error":"Warning: [vite-plugin-sri-gen] Integrity hash mismatch for ... expected ... got ..."}],"ecosystem":"npm","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null}