chore: [DX-3334] Add the Subresource Integrity attribute to Checkout files #2314

Merged
merged 11 commits into from
Oct 17, 2024

Conversation

zaidarain1
Contributor

@zaidarain1 zaidarain1 commented Oct 16, 2024

Fixes a security issue with checkout widgets where there were no integrity checks for the widgets files being downloaded from jsdelivr to ensure they weren't tampered with.

Changes:

  • In the PR workflow, if the widgets library package has changed and the new build output hashes haven't been committed, the workflow will fail and instruct on how to update the hashes
  • Before downloading either the widgets-esm or widgets.js files, ensure their integrity with their hash
  • Push a hashes.json file that will be the source of truth for valid hashes
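
The two checks listed above (verifying a file against its pinned hash before it is used, and failing CI when the committed hashes are stale) can be sketched as follows. This is an added example, not code from this PR; the manifest layout, the file names, the sample contents and the sha384 default are assumptions.

```javascript
// Added example: not code from the PR. Manifest layout and names are assumed.
const { createHash } = require('node:crypto');

const SRI_ALGOS = ['sha256', 'sha384', 'sha512']; // algorithms the SRI spec allows

// Build an SRI integrity string ("sha384-<base64 digest>") for file contents.
function sriHash(content, algo = 'sha384') {
  if (!SRI_ALGOS.includes(algo)) throw new Error(`unsupported SRI algorithm: ${algo}`);
  return `${algo}-${createHash(algo).update(content).digest('base64')}`;
}

// Runtime side: accept content only if it matches the pinned hash.
// Fails closed when the file has no entry or the entry is malformed.
function verifyIntegrity(name, content, manifest) {
  const pinned = manifest[name];
  if (typeof pinned !== 'string') return false;
  const algo = pinned.split('-', 1)[0];
  if (!SRI_ALGOS.includes(algo)) return false;
  return pinned === sriHash(content, algo);
}

// CI side: list build outputs whose hash is missing from, or differs from,
// the committed manifest. A non-empty result should fail the workflow.
function staleHashes(buildOutputs, manifest) {
  return Object.entries(buildOutputs)
    .filter(([name, content]) => !verifyIntegrity(name, content, manifest))
    .map(([name]) => name)
    .sort();
}

// Constructed sample data (not the project's real bundles or hashes).
const build = {
  'widgets.js': Buffer.from('console.log("widgets v1");'),
  'widgets-esm.js': Buffer.from('export const v = 1;'),
};
// Stand-in for a committed hashes.json: file name -> SRI string.
const manifest = Object.fromEntries(
  Object.entries(build).map(([name, content]) => [name, sriHash(content)]),
);
// Same file with bytes changed after the manifest was written.
const tampered = Buffer.from('console.log("widgets v1"); /* modified */');

console.log('stale after clean build:', staleHashes(build, manifest));
console.log('tampered widgets.js accepted:', verifyIntegrity('widgets.js', tampered, manifest));
```

The manifest is only as trustworthy as the channel it arrives over: if it were fetched from the same CDN as the bundles, an attacker who can alter one can alter the other.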


nx-cloud bot commented Oct 16, 2024

☁️ Nx Cloud Report

CI is running/has finished running commands for commit e4d3336. As they complete they will appear below. Click to see the status, the terminal output, and the build insights.

✅ Successfully ran 4 targets


@zaidarain1 zaidarain1 force-pushed the chore/DX-3334-subresource-integrity-checkout branch from fc06987 to 40ebc83 Compare October 16, 2024 07:59
@zaidarain1 zaidarain1 marked this pull request as ready for review October 16, 2024 09:22
@zaidarain1 zaidarain1 requested review from a team as code owners October 16, 2024 09:22
@zaidarain1 zaidarain1 marked this pull request as draft October 16, 2024 09:23
@zaidarain1 zaidarain1 force-pushed the chore/DX-3334-subresource-integrity-checkout branch 2 times, most recently from b7a9dc4 to c81eeea Compare October 17, 2024 00:56
@zaidarain1 zaidarain1 marked this pull request as ready for review October 17, 2024 01:37
jwhardwick
jwhardwick previously approved these changes Oct 17, 2024
shineli1984
shineli1984 previously approved these changes Oct 17, 2024
immutable-art
immutable-art previously approved these changes Oct 17, 2024
@zaidarain1 zaidarain1 force-pushed the chore/DX-3334-subresource-integrity-checkout branch from 8802638 to e4d3336 Compare October 17, 2024 05:30
@zaidarain1 zaidarain1 added this pull request to the merge queue Oct 17, 2024
Merged via the queue into main with commit aa44226 Oct 17, 2024
9 checks passed
@zaidarain1 zaidarain1 deleted the chore/DX-3334-subresource-integrity-checkout branch October 17, 2024 06:11
5 participants