Skip to content

docs(security): pin CDN integration examples to an immutable npm release instead of @main#26

Open
dmchaledev wants to merge 1 commit into
mainfrom
claude/sleepy-rubin-bcb1it
Open

docs(security): pin CDN integration examples to an immutable npm release instead of @main#26
dmchaledev wants to merge 1 commit into
mainfrom
claude/sleepy-rubin-bcb1it

Conversation

@dmchaledev

Copy link
Copy Markdown
Contributor

Problem

Every integration example in the README — Plain HTML, Hugo, CDN via jsDelivr, React, and Vue (5 occurrences) — loads the component from jsDelivr via a mutable branch ref:

https://cdn.jsdelivr.net/gh/HailBytes/vulnerability-calculator@main/hailbytes-vuln-calculator.js

@main is not a version — it resolves to whatever is currently on the main branch. jsDelivr serves that live. For a widget that's explicitly designed to be embedded on third-party marketing sites (Hugo, React, Vue, plain HTML — per the README's own pitch), this means:

  • Every push to main instantly changes the code running on every embedding page, with no review or opt-in on the embedder's side.
  • A repo compromise (or a single bad commit) becomes a supply-chain incident across every site that copied these snippets — the canonical risk that version pinning exists to prevent.
  • It's especially incongruous for a security company's security tooling, where the README itself recommends "use encrypted channels" and hardening elsewhere.

This isn't covered by any open issue or PR (which focus on calculate() input handling, DOM-free import, the test glob, and dead repo links).

Fix

Pin all five examples to the immutable, provenance-signed npm release via jsDelivr's npm endpoint:

https://cdn.jsdelivr.net/npm/@hailbytes/vulnerability-calculator@1.0.0/hailbytes-vuln-calculator.js

1.0.0 is the current latest on npm, and the publish workflow already ships it with npm publish --provenance, so a pinned version is both immutable on jsDelivr and independently verifiable. Also added a short note in the CDN section explaining why to pin a version rather than track a branch, and how to opt into auto-patching with a @1 range if desired (with the immutability tradeoff called out).

Scope

  • Docs only — README.md (5 URL pins + a security note) and a CHANGELOG.md entry.
  • No source, API, or behavior changes. npm test65 passing, 0 failing.

🤖 Generated with Claude Code

https://claude.ai/code/session_01QmmE1BqPXoCj9wPA8rgmBX


Generated by Claude Code

The README integration examples (Plain HTML, Hugo, CDN, React, Vue) all
loaded the script from jsDelivr via the mutable `gh/...@main` branch ref.
For a widget embedded on third-party sites, that means any push to `main`
(or a repo compromise) silently ships unreviewed code to every embedder.

Pin all five examples to the immutable, provenance-signed npm release
(`npm/@hailbytes/vulnerability-calculator@1.0.0`) and add a short note
explaining why to pin a version rather than track a branch.

Docs-only change; no source or behavior changes. All 65 tests pass.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01QmmE1BqPXoCj9wPA8rgmBX
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants