Update dependencies and calculate correct integrity hashes for local files#347
Open
pivaldi wants to merge 13 commits intonext-theme:mainfrom
Open
Update dependencies and calculate correct integrity hashes for local files#347pivaldi wants to merge 13 commits intonext-theme:mainfrom
pivaldi wants to merge 13 commits intonext-theme:mainfrom
Conversation
This patch fixes the integrity hash mismatch bug when using `plugins: local`
with hexo-theme-next.
## Problem
When using `plugins: local`, the NexT theme was using hardcoded CDN integrity
hashes for local files, causing browser SRI (Subresource Integrity) validation
failures. All vendor assets were blocked, resulting in blank pages.
## Root Cause
The theme's `_vendors.yml` contains integrity hashes for CDN versions of
libraries. When `plugins: local` was enabled, the plugin copied files from
node_modules which had different content than the CDN versions, but the theme
still used the CDN hashes.
## Solution
The plugin now:
- Calculates SHA-256 integrity hashes for all files it copies
- Stores hashes in `localIntegrityMap` object
- Exports `getLocalIntegrity(path)` function for theme integration
- Registers `next_vendor_integrity` Hexo helper for template access
- Adds debug logging for calculated hashes
## Changes
- Add `crypto` module import for hash calculation
- Add `calculateIntegrity()` function to compute SHA-256 hashes in SRI format
- Modify `readFile()` to calculate and store hashes for all copied files
- Convert module.exports to named function `pluginMain` for better extensibility
- Export `getLocalIntegrity()` function to expose hash map to consumers
- Register Hexo helper for template/theme access to hashes
- Add informational logging
## Theme Integration
For complete fix, the theme's `scripts/events/lib/vendors.js` should be
updated to use these local hashes when `plugins === 'local'`:
```javascript
const shouldUseIntegrity = plugins !== 'local';
vendors[key] = {
url: links[plugins] || links.cdnjs,
integrity: shouldUseIntegrity ? value.integrity : undefined
};
```
Or to use calculated hashes:
```javascript
let integrityHash = value.integrity;
if (plugins === 'local' && typeof internal === 'function') {
const localHash = internal.getLocalIntegrity(`lib/${name}/${file}`);
if (localHash) integrityHash = localHash;
}
```
## Testing
Tested with:
- hexo-theme-next latest version
- Verified integrity hashes match actual file content
- Confirmed no SRI errors in browser when using `plugins: local`
- All vendor assets load correctly
## Breaking Changes
None - maintains full backward compatibility.
## Related Issues
Fixes the "integrity hash bug" that prevented using `plugins: local`.
pivaldi
added a commit
to pivaldi/hexo-theme-next
that referenced
this pull request
Feb 12, 2026
When `vendors.plugins` is set to `local`, integrity hashes are now computed from the actual local files via `@next-theme/plugins` `getLocalIntegrity()` rather than using the hardcoded CDN hashes from `_vendors.yml`. This fixes SRI (Subresource Integrity) validation failures that caused browsers to block all vendor assets when self-hosting, resulting in blank pages. CDN mode is unaffected: hardcoded hashes from `_vendors.yml` are still used when `plugins` is not `local`. Depends on: next-theme/plugins#347
10 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
See the commit message of the last commit.
The rest are just version updates of the dependencies.