Skip to content

docs: pin CDN examples to immutable npm version instead of @main branch#36

Open
dmchaledev wants to merge 1 commit into
mainfrom
claude/sleepy-rubin-lt3qpy
Open

docs: pin CDN examples to immutable npm version instead of @main branch#36
dmchaledev wants to merge 1 commit into
mainfrom
claude/sleepy-rubin-lt3qpy

Conversation

@dmchaledev

Copy link
Copy Markdown
Contributor

Summary

The README's integration examples (CDN, Hugo, React, Vue) tell every embedder to load the component from a branch URL:

https://cdn.jsdelivr.net/gh/HailBytes/vulnerability-calculator@main/hailbytes-vuln-calculator.js

Loading @main in production is risky and slow:

  • Unpinned / no rollback — every push to main instantly changes the deployed widget for all embedders. A bad commit breaks every embedding site at once, with no version to roll back to and no stable hash to SRI-pin.
  • Poorly cached — jsDelivr caches branch refs for only ~12h, versus permanently caching immutable, resolved version files. Branch URLs mean repeated revalidation and slower loads.
  • An immutable artifact already exists — the package is published to npm (v1.0.0), but none of the docs pointed at it.

Change

Switch all 5 CDN references to the npm-pinned jsDelivr path:

https://cdn.jsdelivr.net/npm/@hailbytes/vulnerability-calculator@1/hailbytes-vuln-calculator.js

The @1 major-version pin auto-tracks patch/minor releases while keeping each resolved version immutable and permanently cacheable. Added a short note documenting the pinning strategy (and how to lock to an exact version with @1.0.0).

Docs-only — no code or behavior changes.

Verification

  • All 5 @main references replaced; grep confirms zero remain.
  • The referenced file (hailbytes-vuln-calculator.js) is the package main and is included in the published tarball's files array, so the npm CDN path resolves to the same module.

🤖 Generated with Claude Code

https://claude.ai/code/session_017CHCPxQmCRx9zozfEPzWm9


Generated by Claude Code

The README told every CDN/Hugo/React/Vue embedder to load the component
from `cdn.jsdelivr.net/gh/HailBytes/vulnerability-calculator@main/...`.

Loading `@main` is problematic for production embeds:
- Unpinned: every push to main instantly changes the deployed widget for
  all embedders, with no rollback and no way to SRI-pin a moving target.
- Poorly cached: jsDelivr caches branch refs for only ~12h, versus
  permanently caching immutable version tags.
- The package is already published to npm (v1.0.0) — an immutable,
  versioned artifact the docs never pointed at.

Switch all 5 CDN references to the npm-pinned jsDelivr path
(`@1`), which auto-tracks patch/minor releases within the major while
keeping each resolved version immutable and permanently cached. Add a
note documenting the pinning strategy.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_017CHCPxQmCRx9zozfEPzWm9
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants