Standard Subresource Integrity library -- parses, generates, and verifies integrity metadata according to the SRI spec.
`ssri`, short for Standard Subresource
Integrity, is a Node.js utility for parsing, generating, and verifying Subresource
Integrity hashes.

`$ npm install --save @readme/ssri`
* Example
* Features
* API
  * parse
  * create
  * verify
* Differences from ssri
### Example
```javascript
const fs = require('fs')
const ssri = require('@readme/ssri')
const integrity = 'sha512-9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==?foo'
// Parsing and serializing
const parsed = ssri.parse(integrity)
parsed.toString() // === integrity
// Sync data functions
ssri.create(fs.readFileSync('./my-file')) // === parsed
ssri.verify(fs.readFileSync('./my-file'), integrity) // => true
```
### Features
* Parses and stringifies SRI strings.
* Generates SRI strings from raw data.
* Strict standard compliance.
* `?foo` metadata option support.
* Small footprint: no dependencies, concise implementation.
* Full test coverage.
### API
#### `> ssri.parse(sri) -> Integrity`
Parses an `sri` string into a `Hash` data structure.
```javascript
{
  source: 'sha512-9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==?foo',
  digest: '9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==',
  algorithm: 'sha512',
  options: ['foo']
}
```
##### Example
```javascript
ssri.parse('sha512-9KhgCRIx/AmzC8xqYJTZRrnO8OW2Pxyl2DIMZSBOr0oDvtEFyht3xpp71j/r/pAe1DM+JI/A+line3jUBgzQ7A==?foo') // -> Hash object
```
#### `> ssri.create(data, [opts]) -> Integrity`
Creates an `Integrity` object from either string or `Buffer` data, calculating
all the requested hashes and adding any specified options to the object.

`opts.algorithm` determines which algorithm to generate a hash for. Result will
be contained within a `Hash` object. The default value for `opts.algorithm` is `sha512`.

`opts.options` may optionally be passed in: it must be an array of option
strings that will be added to all integrity hashes generated by `create`.
This is a loosely-specified feature of SRIs, and currently has no
specified semantics besides being `?`-separated. Use at your own risk, and
probably avoid if your integrity strings are meant to be used with browsers.
##### Example
```javascript
const integrityObj = ssri.create('foobarbaz', {
  algorithm: 'sha256'
})
integrityObj.toString('\n')
// ->
// sha256-l981iLWj8kurw4UbNy8Lpxqdzd7UOxS50Glhv8FwfZ0=
```
#### `> ssri.verify(data, sri) -> Hash|false`
Verifies `data` integrity against an `sri` argument. `data` may be either a
`String` or a `Buffer`, and `sri` can be any subresource integrity
representation that `ssri.parse` can handle.

If verification succeeds, `verify` will return `true`, otherwise it will return
`false`.
##### Example
```javascript
const fs = require('fs')
const data = fs.readFileSync('index.js').toString()
ssri.verify(data, ssri.create(data)) // -> true
ssri.verify(data, 'sha256-l981iLWj8kurw4UbNy8Lpxqdzd7UOxS50Glhv8FwfZ0')
ssri.verify(data, 'sha1-BaDDigEST') // -> false
```
### Differences from ssri
* TypeScript first.
* Streams are not supported.
* Zero non-crypto dependencies.
* Library offerings have been heavily pared down to only three methods.
* `checkData` has been renamed to `verify`.
* `verify` now only returns a boolean.
* `fromData` has been renamed to `create`.
* Generating or parsing multiple integrity hashes is not supported.
* `ssri`'s strict mode is now the default and only mode.
* The `Integrity` class is no more and `parse`, `create` will generate a `Hash` object containing your single hash.
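
The strict, single-hash parsing and boolean verification described above can be reproduced with Node's built-in `crypto` alone. This is an added example, not code from `@readme/ssri`: the names `parseSri`, `createSri` and `verifySri`, the digest-length check, and the constant-time comparison are assumptions of this example.

```javascript
// Added example (not the library's source): strict single-hash SRI handling.
// parseSri / createSri / verifySri are hypothetical names.
const crypto = require('crypto')

// Strict SRI grammar: <algorithm>-<base64 digest>[?option[?option...]]
// Only the algorithms the SRI spec allows are accepted, so sha1/md5 never parse.
const SRI_RE = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})((?:\?[\x21-\x7E]*)*)$/
const DIGEST_BYTES = { sha256: 32, sha384: 48, sha512: 64 }

function parseSri (sri) {
  const m = SRI_RE.exec(String(sri).trim())
  if (!m) return null // unknown algorithm or malformed string
  const [source, algorithm, digest, opts] = m
  // A digest of the wrong length for its algorithm can never match: reject early.
  if (Buffer.from(digest, 'base64').length !== DIGEST_BYTES[algorithm]) return null
  return { source, algorithm, digest, options: opts ? opts.slice(1).split('?') : [] }
}

function createSri (data, { algorithm = 'sha512', options = [] } = {}) {
  if (typeof DIGEST_BYTES[algorithm] !== 'number') {
    throw new Error(`unsupported algorithm: ${algorithm}`)
  }
  const digest = crypto.createHash(algorithm).update(data).digest('base64')
  return parseSri(`${algorithm}-${digest}${options.map(o => `?${o}`).join('')}`)
}

function verifySri (data, sri) {
  // Always re-parse from the string form so a hand-built object cannot bypass checks.
  const hash = parseSri(typeof sri === 'string' ? sri : sri && sri.source)
  if (!hash) return false // fail closed on anything unparseable
  const expected = Buffer.from(hash.digest, 'base64')
  const actual = crypto.createHash(hash.algorithm).update(data).digest()
  // timingSafeEqual throws on length mismatch, so check length first.
  return expected.length === actual.length && crypto.timingSafeEqual(expected, actual)
}
```

Failing closed on an unparseable string is what makes a weak-algorithm value such as `sha1-BaDDigEST` return `false` rather than being silently skipped.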