refactor: Simplify SRI support to only add X-Integrity header with SHA-512

Co-authored-by: fengmk2 <156269+fengmk2@users.noreply.github.com>
Merge branch 'master' into copilot/fix-634
2025-10-07 14:32:58 +00:00 · 2025-10-07 22:16:18 +08:00 · 2025-10-06 07:40:45 +00:00 · 2025-10-06 15:37:50 +08:00 · 2025-10-06 15:23:33 +08:00 · 2025-10-06 07:19:47 +00:00
3 changed files with 33 additions and 1 deletions
--- a/app/core/service/PackageVersionFileService.ts
+++ b/app/core/service/PackageVersionFileService.ts
@@ -356,7 +356,8 @@ export class PackageVersionFileService extends AbstractService {
    const dist = pkg.createPackageVersionFile(distPath, pkgVersion.version, {
      size: stat.size,
      shasum: distIntegrity.shasum,
-      integrity: distIntegrity.integrity,
+      // Store the combined SRI string for enhanced SRI support while maintaining backwards compatibility
+      integrity: distIntegrity.sri.combined,
    });
    await this.distRepository.saveDist(dist, localFile);
    file = PackageVersionFile.create({
--- a/app/port/controller/PackageVersionFileController.ts
+++ b/app/port/controller/PackageVersionFileController.ts
@@ -218,6 +218,12 @@ export class PackageVersionFileController extends AbstractController {
      return formatFileItem(file);
    }
    ctx.set('cache-control', FILE_CACHE_CONTROL);
+    
+    // Add SRI header for subresource integrity verification
+    if (file.dist.integrity) {
+      ctx.set('X-Integrity', file.dist.integrity);
+    }
+    
    // https://github.com/cnpm/cnpmcore/issues/693#issuecomment-2955268229
    ctx.type = ensureContentType(file.contentType);
    return await this.distRepository.getDistStream(file.dist);
--- a/test/port/controller/PackageVersionFileController/raw.test.ts
+++ b/test/port/controller/PackageVersionFileController/raw.test.ts
@@ -786,5 +786,30 @@ describe('test/port/controller/PackageVersionFileController/raw.test.ts', () =>
        `[NOT_FOUND] ${pkg.name}@1.0.40000404 not found`
      );
    });
+
+    it('should include X-Integrity header when serving raw files', async () => {
+      mock(app.config.cnpmcore, 'allowPublishNonScopePackage', true);
+      const pkg = await TestUtil.getFullPackage({
+        name: 'integrity-test-package',
+        version: '1.0.0',
+      });
+      await app
+        .httpRequest()
+        .put(`/${pkg.name}`)
+        .set('authorization', publisher.authorization)
+        .set('user-agent', publisher.ua)
+        .send(pkg)
+        .expect(201);
+
+      // Test raw file access includes X-Integrity header
+      const res = await app
+        .httpRequest()
+        .get(`/${pkg.name}/1.0.0/files/package.json`)
+        .expect(200);
+
+      // Should include X-Integrity header with SHA-512
+      assert.ok(res.headers['x-integrity'], 'Missing X-Integrity header');
+      assert.ok(res.headers['x-integrity'].startsWith('sha512-'), 'X-Integrity header should be SHA-512');
+    });
  });
 });
Author	SHA1	Message	Date
copilot-swe-agent[bot]	29b77cd698	refactor: Simplify SRI support to only add X-Integrity header with SHA-512 Co-authored-by: fengmk2 <156269+fengmk2@users.noreply.github.com>	2025-10-07 14:32:58 +00:00
MK (fengmk2)	980145cf07	Merge branch 'master' into copilot/fix-634	2025-10-07 22:16:18 +08:00
copilot-swe-agent[bot]	12c48a61bf	fix: Resolve all lint errors in SRI test files Co-authored-by: fengmk2 <156269+fengmk2@users.noreply.github.com>	2025-10-06 07:40:45 +00:00
MK (fengmk2)	92fb4897cd	Merge branch 'master' into copilot/fix-634	2025-10-06 15:37:50 +08:00
MK (fengmk2)	53db58a85a	Merge branch 'master' into copilot/fix-634	2025-10-06 15:23:33 +08:00
copilot-swe-agent[bot]	cb5c6e513c	docs: Remove incorrect configuration references from SRI documentation Co-authored-by: fengmk2 <156269+fengmk2@users.noreply.github.com>	2025-10-06 07:19:47 +00:00
copilot-swe-agent[bot]	9eeb916cab	test: Add comprehensive unit tests for SRI headers and metadata Co-authored-by: fengmk2 <156269+fengmk2@users.noreply.github.com>	2025-10-06 07:16:36 +00:00
MK (fengmk2)	ca9753a5f5	Merge branch 'master' into copilot/fix-634	2025-10-06 15:07:29 +08:00
copilot-swe-agent[bot]	de24601b60	Add SRI documentation and integration tests Co-authored-by: fengmk2 <156269+fengmk2@users.noreply.github.com>	2025-09-10 12:55:47 +00:00
copilot-swe-agent[bot]	124eb4dd06	Implement enhanced SRI support for unpkg files Co-authored-by: fengmk2 <156269+fengmk2@users.noreply.github.com>	2025-09-10 12:52:56 +00:00
copilot-swe-agent[bot]	e960a36fde	Initial plan	2025-09-10 12:40:21 +00:00