Reintroduce Subresource Integrity hashes in the previews and as a separate option in the README

README.md

@@ -20,6 +20,11 @@ Use the following in the `<head>` tag of your HTML document(s):
 
 This guarantees that you will always use the latest version of the library.
 
+If, instead, you'd like to include the latest version explicitly, you can add the following tag:
+```html
+<script src="https://twemoji.maxcdn.com/v/12.1.3/twemoji.min.js" integrity="sha384-PEQg4NJbyXT+TJJVKYN9zmD5ehVaV3TiBdzovT7WkshNClGNg8+bk4hKQ+lGrgaw" crossorigin="anonymous"></script>
+```
+
 ### Download
 
 If instead you want to download a specific version, please look at the `gh-pages` branch, where you will find the built assets for both our latest and older versions.

scripts/create-dist

@@ -7,6 +7,7 @@
 const fs = require('fs-extra');
 const path = require('path');
 const { spawnSync } = require('child_process');
+const { getIntegrityHash } = require('./utils');
 
 function file(...which) {
   return path.join(__dirname, '..', ...which);
@@ -55,6 +56,16 @@ fs.unlinkSync(distFile('twemoji.tmp.js'));
 fs.writeFileSync(distFile('twemoji.min.js'), `${copyright}\n${minifiedContents}`);
 fs.writeFileSync(distFile('twemoji.esm.js'), `${copyright}\n${minifiedContents}\nexport default twemoji;`);
 
+const integrityHash = getIntegrityHash(distFile('twemoji.min.js'));
+const { version } = require('../package.json');
+
+function updateSriScriptReference(filename) {
+  const newScript = `<script src="https://twemoji.maxcdn.com/v/${version}/twemoji.min.js" integrity="${integrityHash}"`;
+  fs.writeFileSync(filename, fs.readFileSync(filename).toString('utf8').replace(/<script src="[^ ]*" integrity="[^ ]*"/, newScript));
+}
+
+updateSriScriptReference(file('README.md'));
+
 // Copy the png assets and svgs to the dist folder
 fs.copySync(file('assets/svg'), distFile('svg'));
 fs.copySync(file('assets/72x72'), distFile('72x72'));

scripts/preview

@@ -37,7 +37,8 @@ fs.readdir(file('assets/ai'), function (err, files) {
         }).join('');
       }).join('</li>\n      <li>')+ '</li>'
     )
-    .replace('{{version}}', version);
+    .replace('{{version}}', version)
+    .replace('{{integrityHash}}', Utils.getIntegrityHash(distFile('twemoji.min.js')));
   fs.writeFileSync(
     distFile('preview.html'),
     page.replace(

scripts/utils.js

@@ -1,3 +1,5 @@
+const { spawnSync } = require('child_process');
+
 function fromCodePoint(codepoint) {
   var code = typeof codepoint === 'string' ?
         parseInt(codepoint, 16) : codepoint;
@@ -26,3 +28,13 @@ function UTF162JSON(text) {
   return r.join('');
 }
 module.exports.UTF162JSON = UTF162JSON;
+
+function getIntegrityHash(filename) {
+  const algorithm = 'sha384';
+  const digest = spawnSync('openssl', ['dgst', `-${algorithm}`, '-binary', filename]);
+  if (digest.status || digest.signal){
+    throw new Error(digest.stderr.toString('utf8'));
+  }
+  return `${algorithm}-${digest.stdout.toString('base64')}`;
+}
+module.exports.getIntegrityHash = getIntegrityHash;

src/templates/preview.html

@@ -25,7 +25,7 @@
       vertical-align: -0.1em;
     }
     </style>
-    <script src="https://twemoji.maxcdn.com/v/{{version}}/twemoji.min.js" crossorigin="anonymous"></script>
+    <script src="https://twemoji.maxcdn.com/v/{{version}}/twemoji.min.js" integrity="{{integrityHash}}"crossorigin="anonymous"></script>
   </head>
   <body>
     <ul class="emoji-list">