{"id":20840,"library":"webpack-subresource-integrity","title":"webpack-subresource-integrity","description":"Webpack plugin for enabling Subresource Integrity (SRI) to protect against compromised CDN resources. Current stable version is 5.1.0, with release candidate 5.2.0-rc.1 available. The plugin supports Webpack 5.12+ and html-webpack-plugin 5+, and now provides an ES module distribution alongside CommonJS. Key differentiators include integration with html-webpack-plugin for automatic integrity injection, lazy hash loading option for larger projects, and TypeScript type definitions.","status":"active","version":"5.2.0-rc.1","language":"javascript","source_language":"en","source_url":"https://github.com/waysact/webpack-subresource-integrity","tags":["javascript","webpack","plugin","sri","subresource","integrity","html-webpack-plugin","typescript"],"install":[{"cmd":"npm install webpack-subresource-integrity","lang":"bash","label":"npm"},{"cmd":"yarn add webpack-subresource-integrity","lang":"bash","label":"yarn"},{"cmd":"pnpm add webpack-subresource-integrity","lang":"bash","label":"pnpm"}],"dependencies":[{"reason":"Peer dependency for automatic injection of integrity attributes into HTML tags","package":"html-webpack-plugin","optional":false},{"reason":"Peer dependency required for plugin integration","package":"webpack","optional":false}],"imports":[{"note":"Since v5, only named export is available; default export removed. 
For CommonJS, use const { SubresourceIntegrityPlugin } = require('webpack-subresource-integrity').","wrong":"const SubresourceIntegrityPlugin = require('webpack-subresource-integrity').default","symbol":"SubresourceIntegrityPlugin","correct":"import { SubresourceIntegrityPlugin } from 'webpack-subresource-integrity'"},{"note":"CommonJS: destructure the named export; direct require returns an object with SubresourceIntegrityPlugin property.","wrong":"const SubresourceIntegrityPlugin = require('webpack-subresource-integrity')","symbol":"SubresourceIntegrityPlugin","correct":"const { SubresourceIntegrityPlugin } = require('webpack-subresource-integrity')"},{"note":"The enabled option defaults to 'auto' since v5; setting it to true can cause issues in development mode. The hash function is not what is wrong in the first example: sha256, sha384 and sha512 are all valid SRI hash functions.","wrong":"new SubresourceIntegrityPlugin({ hashFuncNames: ['sha512'], enabled: true })","symbol":"SubresourceIntegrityPlugin","correct":"new SubresourceIntegrityPlugin({ hashFuncNames: ['sha384'], enabled: 'auto' })"}],"quickstart":{"code":"const { SubresourceIntegrityPlugin } = require('webpack-subresource-integrity');\nconst HtmlWebpackPlugin = require('html-webpack-plugin');\n\nmodule.exports = {\n  entry: './src/index.js',\n  output: {\n    path: path.resolve(__dirname, 'dist'),\n    filename: '[name].[contenthash].js',\n    crossOriginLoading: 'anonymous',\n  },\n  plugins: [\n    new HtmlWebpackPlugin(),\n    new SubresourceIntegrityPlugin({\n      hashFuncNames: ['sha384'],\n      enabled: 'auto',\n    }),\n  ],\n};","lang":"javascript","description":"Minimal webpack config to enable SRI for all scripts and styles, with cross-origin loading and content hashing. output.crossOriginLoading is set so that browsers request the chunks with CORS, which integrity checking of cross-origin resources depends on. The snippet calls path.resolve, so it also needs const path = require('path') at the top."},"warnings":[{"fix":"Change import from default to named import: import { SubresourceIntegrityPlugin } from 'webpack-subresource-integrity'.","message":"v5 drops default export; use named export SubresourceIntegrityPlugin instead.","severity":"breaking","affected_versions":">=5.0.0"},{"fix":"Use enabled: 'auto' (default) or omit the option to 
avoid issues in development.","message":"The 'enabled' option now defaults to 'auto', which disables the plugin in development mode. If you explicitly set enabled: true, it will run in dev mode and may cause unexpected behavior.","severity":"gotcha","affected_versions":">=5.0.0"},{"fix":"Upgrade to v5 and follow migration guide in MIGRATE-v1-to-v5.md.","message":"Previous versions (v1) used a default export and supported Webpack 4. Migration to v5 requires updating Webpack and html-webpack-plugin peer dependencies.","severity":"deprecated","affected_versions":">=1.0.0 <5.0.0"},{"fix":"Ensure all assets are processed by webpack or handle errors appropriately.","message":"If an asset's integrity cannot be determined (e.g., external resources not processed by webpack), the plugin emits an error since v5. Previously it only warned.","severity":"gotcha","affected_versions":">=5.0.0"},{"fix":"Upgrade to supported versions.","message":"Plugin now requires Node >=12 and Webpack >=5.12.0.","severity":"breaking","affected_versions":">=5.0.0"},{"fix":"Test with your project; if hash duplication is not acceptable, use default hash loading.","message":"Lazy hash loading (hashLoading: 'lazy') can cause hash duplication. 
Ensure it's suitable for your project's chunk structure.","severity":"gotcha","affected_versions":">=5.1.0"}],"env_vars":null,"last_verified":"2026-04-25T00:00:00.000Z","next_check":"2026-07-24T00:00:00.000Z","problems":[{"fix":"Replace 'const SubresourceIntegrityPlugin = require(\"webpack-subresource-integrity\")' with 'const { SubresourceIntegrityPlugin } = require(\"webpack-subresource-integrity\")'.","cause":"Using default import instead of named import in v5.","error":"TypeError: SubresourceIntegrityPlugin is not a constructor"},{"fix":"Install html-webpack-plugin >=5.0.0-beta.1 and add it to webpack plugins.","cause":"Missing or incompatible version of html-webpack-plugin.","error":"Error: No html-webpack-plugin, can't inject integrity attributes."},{"fix":"Ensure all assets are processed by webpack loaders, or exclude non-SRI assets using plugin options.","cause":"The asset is not a JavaScript or CSS file, or it's an external resource not processed by webpack.","error":"Error: Asset '...' has no integrity hash."},{"fix":"Upgrade to Webpack >=5.12.0 and html-webpack-plugin >=5.0.0-beta.1.","cause":"Using plugin with Webpack 4 or older version of Webpack 5.","error":"Webpack build fails with 'Cannot read property 'hooks' of undefined'"}],"ecosystem":"npm","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null}