Skip to content

Update dependencies and calculate correct integrity hashes for local files#347

Open
pivaldi wants to merge 13 commits intonext-theme:mainfrom
pivaldi:main
Open

Update dependencies and calculate correct integrity hashes for local files#347
pivaldi wants to merge 13 commits intonext-theme:mainfrom
pivaldi:main

Conversation

@pivaldi
Copy link

@pivaldi pivaldi commented Feb 12, 2026

See the commit message of the last commit.
The rest are just version updates of the dependencies.

renovate bot and others added 13 commits January 8, 2026 16:30
This patch fixes the integrity hash mismatch bug when using `plugins: local`
with hexo-theme-next.

## Problem

When using `plugins: local`, the NexT theme was using hardcoded CDN integrity
hashes for local files, causing browser SRI (Subresource Integrity) validation
failures. All vendor assets were blocked, resulting in blank pages.

## Root Cause

The theme's `_vendors.yml` contains integrity hashes for CDN versions of
libraries. When `plugins: local` was enabled, the plugin copied files from
node_modules which had different content than the CDN versions, but the theme
still used the CDN hashes.

## Solution

The plugin now:
- Calculates SHA-256 integrity hashes for all files it copies
- Stores hashes in `localIntegrityMap` object
- Exports `getLocalIntegrity(path)` function for theme integration
- Registers `next_vendor_integrity` Hexo helper for template access
- Adds debug logging for calculated hashes

## Changes

- Add `crypto` module import for hash calculation
- Add `calculateIntegrity()` function to compute SHA-256 hashes in SRI format
- Modify `readFile()` to calculate and store hashes for all copied files
- Convert module.exports to named function `pluginMain` for better extensibility
- Export `getLocalIntegrity()` function to expose hash map to consumers
- Register Hexo helper for template/theme access to hashes
- Add informational logging

## Theme Integration

For complete fix, the theme's `scripts/events/lib/vendors.js` should be
updated to use these local hashes when `plugins === 'local'`:

```javascript
const shouldUseIntegrity = plugins !== 'local';
vendors[key] = {
  url: links[plugins] || links.cdnjs,
  integrity: shouldUseIntegrity ? value.integrity : undefined
};
```

Or to use calculated hashes:

```javascript
let integrityHash = value.integrity;
if (plugins === 'local' && typeof internal === 'function') {
  const localHash = internal.getLocalIntegrity(`lib/${name}/${file}`);
  if (localHash) integrityHash = localHash;
}
```

## Testing

Tested with:
- hexo-theme-next latest version
- Verified integrity hashes match actual file content
- Confirmed no SRI errors in browser when using `plugins: local`
- All vendor assets load correctly

## Breaking Changes

None - maintains full backward compatibility.

## Related Issues

Fixes the "integrity hash bug" that prevented using `plugins: local`.
pivaldi added a commit to pivaldi/hexo-theme-next that referenced this pull request Feb 12, 2026
When `vendors.plugins` is set to `local`, integrity hashes are now
computed from the actual local files via `@next-theme/plugins`
`getLocalIntegrity()` rather than using the hardcoded CDN hashes from
`_vendors.yml`.

This fixes SRI (Subresource Integrity) validation failures that caused
browsers to block all vendor assets when self-hosting, resulting in
blank pages.

CDN mode is unaffected: hardcoded hashes from `_vendors.yml` are still
used when `plugins` is not `local`.

Depends on: next-theme/plugins#347
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant

Comments