gitwtfhub

wtf is webpack-subresource-integrity?

gaearon/webpack-subresource-integrity — explained in plain English

Analysis updated 2026-07-17 · repo last pushed 2016-12-08

3JavaScriptAudience · developerComplexity · 2/5DormantSetup · easy

TL;DR

A Webpack plugin that adds Subresource Integrity hashes to bundled files so browsers reject tampered scripts and stylesheets.

Mindmap

mindmap
  root((repo))
    What it does
      Adds SRI hashes
      Signs JS and CSS
      Verifies file integrity
    Tech stack
      JavaScript
      Webpack
    Use cases
      Secure CDN delivery
      Protect code splitting
      Harden production builds
    Audience
      Developers
    Setup
      Install as webpack plugin
      Works with html-webpack-plugin

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

Why would anyone build with this?

REASON 1

Protect production JavaScript and CSS bundles served from a CDN against tampering.

REASON 2

Automatically add integrity attributes to script and link tags via html-webpack-plugin.

REASON 3

Secure code-splitting and lazy-loaded chunks with hash verification.

REASON 4

Guard against malicious file modification for third-party-served assets.

What's in the stack?

JavaScriptWebpack

How it stacks up

gaearon/webpack-subresource-integrityamarjitjim/browserpilotandershaig/cssess
Stars333
LanguageJavaScriptJavaScriptJavaScript
Last pushed2016-12-082011-08-19
MaintenanceDormantDormant
Setup difficultyeasymoderateeasy
Complexity2/53/51/5
Audiencedeveloperdeveloperdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you spin it up?

Difficulty · easy Time to first run · 30min

Older Chrome 45-46 had SRI bugs, disable in dev mode since HMR isn't protected.

Yoink these prompts

Prompt 1
Help me add this Subresource Integrity plugin to my existing Webpack config.
Prompt 2
Explain how this plugin calculates and embeds integrity hashes for code-split chunks.
Prompt 3
What browser compatibility issues should I watch for when using this SRI plugin in production?
Prompt 4
Walk me through how this plugin integrates with html-webpack-plugin to add integrity attributes automatically.

Frequently asked questions

wtf is webpack-subresource-integrity?

A Webpack plugin that adds Subresource Integrity hashes to bundled files so browsers reject tampered scripts and stylesheets.

What language is webpack-subresource-integrity written in?

Mainly JavaScript. The stack also includes JavaScript, Webpack.

Is webpack-subresource-integrity actively maintained?

Dormant — no commits in 2+ years (last push 2016-12-08).

How hard is webpack-subresource-integrity to set up?

Setup difficulty is rated easy, with roughly 30min to a first successful run.

Who is webpack-subresource-integrity for?

Mainly developer.

View the repo → Decode another repo

This repo across BitVibe Labs

Don't trust strangers blindly. Verify against the repo.