feat: use calculated integrity hashes for local vendor plugins

pivaldi · pivaldi · commit 0602137c36a5 · 2026-02-12T23:32:03.000+01:00
When `vendors.plugins` is set to `local`, integrity hashes are now computed from the actual local files via `@next-theme/plugins` `getLocalIntegrity()` rather than using the hardcoded CDN hashes from `_vendors.yml`. This fixes SRI (Subresource Integrity) validation failures that caused browsers to block all vendor assets when self-hosting, resulting in blank pages. CDN mode is unaffected: hardcoded hashes from `_vendors.yml` are still used when `plugins` is not `local`. Depends on: next-theme/plugins#347
diff --git a/scripts/events/lib/vendors.js b/scripts/events/lib/vendors.js
@@ -1,55 +1,71 @@
-'use strict';
+"use strict";
 
-const fs = require('fs');
-const path = require('path');
-const yaml = require('js-yaml');
-const { url_for } = require('hexo-util');
-const { getVendors } = require('./utils');
+const fs = require("fs");
+const path = require("path");
+const yaml = require("js-yaml");
+const { url_for } = require("hexo-util");
+const { getVendors } = require("./utils");
 
 let internal;
 try {
-  internal = require('@next-theme/plugins');
-} catch {
-}
-const vendorsFile = fs.readFileSync(path.join(__dirname, '../../../_vendors.yml'));
+  internal = require("@next-theme/plugins");
+} catch {}
+const vendorsFile = fs.readFileSync(
+  path.join(__dirname, "../../../_vendors.yml"),
+);
 const dependencies = yaml.load(vendorsFile);
 
-module.exports = hexo => {
+module.exports = (hexo) => {
   const { vendors, creative_commons, pace } = hexo.theme.config;
-  if (typeof internal === 'function') {
+  if (typeof internal === "function") {
     internal(hexo, dependencies);
   }
-  let { plugins = 'cdnjs' } = vendors;
-  if (plugins === 'local' && typeof internal === 'undefined') {
-    hexo.log.warn('Dependencies for `plugins: local` not found. The default CDN provider CDNJS is used instead.');
-    hexo.log.warn('Run `npm install @next-theme/plugins` in Hexo site root directory to install the plugin.');
-    plugins = 'cdnjs';
+  let { plugins = "cdnjs" } = vendors;
+  if (plugins === "local" && typeof internal === "undefined") {
+    hexo.log.warn(
+      "Dependencies for `plugins: local` not found. The default CDN provider CDNJS is used instead.",
+    );
+    hexo.log.warn(
+      "Run `npm install @next-theme/plugins` in Hexo site root directory to install the plugin.",
+    );
+    plugins = "cdnjs";
   }
   for (const [key, value] of Object.entries(dependencies)) {
     // This script will be executed repeatedly when Hexo listens file changes
     // But the variable vendors[key] only needs to be modified once
-    if (vendors[key] && typeof vendors[key] === 'string') {
+    if (vendors[key] && typeof vendors[key] === "string") {
       vendors[key] = {
-        url: url_for.call(hexo, vendors[key])
+        url: url_for.call(hexo, vendors[key]),
       };
       continue;
     }
-    if (key === 'creative_commons') {
-      value.file = `${value.dir}/${creative_commons.size}/${creative_commons.license.replace(/-/g, '_')}.svg`;
+    if (key === "creative_commons") {
+      value.file = `${value.dir}/${creative_commons.size}/${creative_commons.license.replace(/-/g, "_")}.svg`;
     }
-    if (key === 'pace_css') {
+    if (key === "pace_css") {
       value.file = `${value.dir}/${pace.color}/pace-theme-${pace.theme}.css`;
     }
     const { name, file } = value;
     const links = getVendors({
       ...value,
       minified: file,
-      local   : url_for.call(hexo, `lib/${name}/${file}`),
-      custom  : vendors.custom_cdn_url
+      local: url_for.call(hexo, `lib/${name}/${file}`),
+      custom: vendors.custom_cdn_url,
     });
+
+    // For local plugins, use calculated integrity hash from the plugin
+    // For CDN, use the hardcoded hash from _vendors.yml
+    let integrityHash = value.integrity;
+    if (plugins === "local" && typeof internal === "function") {
+      const localHash = internal.getLocalIntegrity(`lib/${name}/${file}`);
+      if (localHash) {
+        integrityHash = localHash;
+      }
+    }
+
     vendors[key] = {
-      url      : links[plugins] || links.cdnjs,
-      integrity: value.integrity
+      url: links[plugins] || links.cdnjs,
+      integrity: integrityHash,
     };
   }
 };
