
Are SRI's integrity and crossorigin values kept in package.json or elsewhere?


This is Bootstrap's official CDN stylesheet:

<link rel="stylesheet" 
      href="https://stackpath.bootstrapcdn.com/bootstrap/4.1.2/css/bootstrap.min.css"
      integrity="sha384-Smlep5jCw/wG7hdkwQ/Z5nLIefveQRIY9nfy6xoR1uRYBtpZgI6339F5dgvm/e9B"
      crossorigin="anonymous">

However in my markup I don't hardcode the version because that can change, so I pull it out of my build system or app. A fictitious example:

<link rel="stylesheet" href="https://foo.bar.com/jquery/$VERSION/all.min.js" />

As you can see $VERSION is not hardcoded. So I can change which version I'm using during the build process (in package.json) and not have to edit my app.

Now I want to add integrity in the same way. I was hoping I could find it in a package.json, but for Bootstrap for example it's not there. I assume for other packages too.

I know I can calculate it like this:

echo -n "alert('Hello, world.');" | openssl dgst -sha384 -binary | openssl base64 -A

but I don't want to overcomplicate my build system.

Is there some place I can get this value from, without having to hardcode it? I pull the version automatically from my project's package.json (or the one in node_modules/bootstrap) so I am hoping to do something similar for integrity.


Solution

  • Since the value isn't easily accessible from the package.json or elsewhere in a package's directory, I use the ssri npm module.

    More work, but doesn't look like there's a better way.
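
A build-step sketch of the approach in the answer, added here as an example and not part of the original post: it reads the version from the installed package's package.json and hashes the installed copy of the asset to fill in `integrity`. It uses Node's built-in `crypto` in place of the ssri module so it runs without dependencies; the function names, the package layout and the CDN URL template are assumptions, and the digest only validates in the browser if the CDN serves a file that is byte-identical to the npm copy.

```javascript
// Added example: build-time SRI generation with Node's built-in modules only.
const crypto = require('node:crypto');
const fs = require('node:fs');
const path = require('node:path');

// Same value as `openssl dgst -sha384 -binary | openssl base64 -A`, with the
// algorithm prefix that the integrity attribute requires.
function sriFor(bytes, algorithm = 'sha384') {
  const digest = crypto.createHash(algorithm).update(bytes).digest('base64');
  return `${algorithm}-${digest}`;
}

// Minimal attribute escaping for the URL interpolated into the tag.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;');
}

// pkgDir: installed package directory (for example node_modules/bootstrap).
// file: asset path inside that package.
// cdnTemplate: URL containing a $VERSION placeholder, as in the question.
// All three are caller-supplied (hypothetical names, not from any library).
function stylesheetTag(pkgDir, file, cdnTemplate) {
  const manifest = JSON.parse(
    fs.readFileSync(path.join(pkgDir, 'package.json'), 'utf8'));
  // Hash the raw bytes, not a decoded string, so the digest matches what
  // the browser receives.
  const integrity = sriFor(fs.readFileSync(path.join(pkgDir, file)));
  const href = cdnTemplate.replace('$VERSION', () => manifest.version);
  return `<link rel="stylesheet" href="${escapeAttr(href)}" ` +
    `integrity="${integrity}" crossorigin="anonymous">`;
}
```

Because the version and the hash come from the same installed package, bumping the dependency in package.json updates both attributes on the next build.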