Implement SRI support in importmap-rails

[rafaelfranca]

This pull request introduces Subresource Integrity (SRI) support to the importmap-rails gem, enhancing security by ensuring that JavaScript files loaded from CDNs have not been tampered with.

Default behavior with integrity

When you pin a package, integrity hashes are automatically included:

./bin/importmap pin lodash
Pinning "lodash" to vendor/javascript/lodash.js via download from https://ga.jspm.io/npm:[email protected]/lodash.js
  Using integrity: sha384-PkIkha4kVPRlGtFantHjuv+Y9mRefUHpLFQbgOYUjzy247kvi16kLR7wWnsAmqZF

This generates a pin in your config/importmap.rb with the integrity hash:

pin "lodash", integrity: "sha384-PkIkha4kVPRlGtFantHjuv+Y9mRefUHpLFQbgOYUjzy247kvi16kLR7wWnsAmqZF" # @4.17.21

Opting out of integrity

If you need to disable integrity checking (not recommended for security reasons), you can use the --no-integrity flag:

./bin/importmap pin lodash --no-integrity
Pinning "lodash" to vendor/javascript/lodash.js via download from https://ga.jspm.io/npm:[email protected]/lodash.js

This generates a pin without integrity:

pin "lodash" # @4.17.21

Adding integrity to existing pins

If you have existing pins without integrity hashes, you can add them using the integrity command:

# Add integrity to specific packages
./bin/importmap integrity lodash react

# Add integrity to all pinned packages
./bin/importmap integrity

# Update your importmap.rb file with integrity hashes
./bin/importmap integrity --update

Automatic integrity for local assets

For local assets served by the Rails asset pipeline (like those created with pin or pin_all_from), you can use integrity: true to automatically calculate integrity hashes from the compiled assets:

# config/importmap.rb

# Automatically calculate integrity from asset pipeline
pin "application", integrity: true
pin "admin", to: "admin.js", integrity: true

# Works with pin_all_from too
pin_all_from "app/javascript/controllers", under: "controllers", integrity: true
pin_all_from "app/javascript/lib", under: "lib", integrity: true

# Mixed usage
pin "local_module", integrity: true              # Auto-calculated
pin "cdn_package", integrity: "sha384-abc123..." # Pre-calculated
pin "no_integrity_package"                       # No integrity (default)

This is particularly useful for:

• Local JavaScript files managed by your Rails asset pipeline
• Bulk operations with pin_all_from where calculating hashes manually would be tedious
• Development workflow where asset contents change frequently

The integrity: true option:

• Uses the Rails asset pipeline's built-in integrity calculation
• Works with both Sprockets and Propshaft
• Automatically updates when assets are recompiled
• Gracefully handles missing assets (returns nil for non-existent files)

Example output with integrity: true:

{
  "imports": {
    "application": "/assets/application-abc123.js",
    "controllers/hello_controller": "/assets/controllers/hello_controller-def456.js"
  },
  "integrity": {
    "/assets/application-abc123.js": "sha256-xyz789...",
    "/assets/controllers/hello_controller-def456.js": "sha256-uvw012..."
  }
}

How integrity works

The integrity hashes are automatically included in your import map and module preload tags:

Import map JSON:

{
  "imports": {
    "lodash": "https://ga.jspm.io/npm:[email protected]/lodash.js"
  },
  "integrity": {
    "https://ga.jspm.io/npm:[email protected]/lodash.js": "sha384-PkIkha4kVPRlGtFantHjuv+Y9mRefUHpLFQbgOYUjzy247kvi16kLR7wWnsAmqZF"
  }
}

Module preload tags:

<link rel="modulepreload" href="https://ga.jspm.io/npm:[email protected]/lodash.js" integrity="sha384-PkIkha4kVPRlGtFantHjuv+Y9mRefUHpLFQbgOYUjzy247kvi16kLR7wWnsAmqZF">

Modern browsers will automatically validate these integrity hashes when loading the JavaScript modules, ensuring the files haven't been modified.

Closes #297.

[rafaelfranca]

This method can probably be deprecated now since the library isn't using anymore