-
Notifications
You must be signed in to change notification settings - Fork 788
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Add sri-history file and update process #476
Conversation
"axe.js": "sha256-rkyHB2lHjs+tissQLBUxuxIvWlzRbS4f4cdaH+TjQvo=", | ||
"axe.min.js": "sha256-MGWkallV18uw6bSq6w8cjbGsf9v4rJtXP+NDtMEbO14=" | ||
}, | ||
"2.3.1": { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
When I ran it my hashes changed for aXe-2.3.1, is that because there are changes on the develop branch but the version is still at 2.3.1?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, because this branched from dev, which has changes that aren't in 2.3.1. If you replace your axe.js file with the 2.3.1 release it'll match.
We need docs for this, since it isn't immediately clear when we should be running this command. It already impacted our latest releases of aXe-core. |
@marcysutton Was it because we're not using |
|
I can add a comment to the build file explaining it further. We shouldn't be doing this stuff manually anyway. We'll have Attest-master ready before the next release, so we'll automate this step. But yeah, not using |
No, it's because I moved to |
Since axe-core is injected into many many web pages, it is very important that we’re able to check the integrity of the file we’re injecting. Keeping the SRI of all previously published versions around makes this much easier.
https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity