Support calculating integrity hashes for local assets automatically

rafaelfranca · rafaelfranca · commit 8d61814651ec · 2025-07-15T17:57:15.000Z
When `integrity: true` is used with `pin_all_from` or `pin`, the
importmap will automatically calculate integrity hashes for local assets
served by the Rails asset pipeline. This eliminates the need to manually
manage integrity hashes for local files, enhancing security and
simplifying development.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -37,6 +37,7 @@ jobs:
 
     env:
       BUNDLE_GEMFILE: gemfiles/rails_${{ matrix.rails-version }}_${{ matrix.assets-pipeline }}.gemfile
+      ASSETS_PIPELINE: ${{ matrix.assets-pipeline }}
 
     steps:
       - uses: actions/checkout@v4
diff --git a/Appraisals b/Appraisals
@@ -17,7 +17,6 @@ end
 
 appraise "rails_7.0_propshaft" do
   gem "rails", github: "rails/rails", branch: "7-0-stable"
-  gem "propshaft"
   gem "sqlite3", "~> 1.4"
 end
 
@@ -29,7 +28,6 @@ end
 
 appraise "rails_7.1_propshaft" do
   gem "rails", "~> 7.1.0"
-  gem "propshaft"
 end
 
 appraise "rails_7.2_sprockets" do
@@ -40,7 +38,6 @@ end
 
 appraise "rails_7.2_propshaft" do
   gem "rails", "~> 7.2.0"
-  gem "propshaft"
 end
 
 appraise "rails_8.0_sprockets" do
@@ -51,7 +48,6 @@ end
 
 appraise "rails_8.0_propshaft" do
   gem "rails", "~> 8.0.0"
-  gem "propshaft"
 end
 
 appraise "rails_main_sprockets" do
@@ -62,5 +58,4 @@ end
 
 appraise "rails_main_propshaft" do
   gem "rails", github: "rails/rails", branch: "main"
-  gem "propshaft"
 end
diff --git a/Gemfile b/Gemfile
@@ -5,7 +5,7 @@ git_source(:github) { |repo| "https://github.com/#{repo}.git" }
 gemspec
 
 gem "rails"
-gem "propshaft"
+gem "propshaft", github: "rails/propshaft", branch: "main"
 
 gem "sqlite3"
 
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -1,3 +1,13 @@
+GIT
+  remote: https://github.com/rails/propshaft.git
+  revision: 9bcad5fa48efac2f26568e5d019409a1784839d0
+  branch: main
+  specs:
+    propshaft (1.1.0)
+      actionpack (>= 7.0.0)
+      activesupport (>= 7.0.0)
+      rack
+
 PATH
   remote: .
   specs:
@@ -111,7 +121,7 @@ GEM
       activesupport (>= 6.1)
     i18n (1.14.7)
       concurrent-ruby (~> 1.0)
-    io-console (0.8.0)
+    io-console (0.8.1)
     irb (1.15.2)
       pp (>= 0.6.0)
       rdoc (>= 4.0.0)
@@ -150,11 +160,6 @@ GEM
     pp (0.6.2)
       prettyprint
     prettyprint (0.2.0)
-    propshaft (1.1.0)
-      actionpack (>= 7.0.0)
-      activesupport (>= 7.0.0)
-      rack
-      railties (>= 7.0.0)
     psych (5.2.6)
       date
       stringio
@@ -257,7 +262,7 @@ DEPENDENCIES
   byebug
   capybara
   importmap-rails!
-  propshaft
+  propshaft!
   rails
   rexml
   selenium-webdriver
diff --git a/README.md b/README.md
@@ -79,10 +79,15 @@ If you want to import local js module files from `app/javascript/src` or other s
 ```rb
 # config/importmap.rb
 pin_all_from 'app/javascript/src', under: 'src', to: 'src'
+
+# With automatic integrity calculation for enhanced security
+pin_all_from 'app/javascript/controllers', under: 'controllers', integrity: true
 ```
 
 The `:to` parameter is only required if you want to change the destination logical import name. If you drop the :to option, you must place the :under option directly after the first parameter.
 
+The `integrity: true` option automatically calculates integrity hashes for all files in the directory, providing security benefits without manual hash management.
+
 Allows you to:
 
 ```js
@@ -181,6 +186,52 @@ If you have existing pins without integrity hashes, you can add them using the `
 ./bin/importmap integrity --update
 ```
 
+### Automatic integrity for local assets
+
+For local assets served by the Rails asset pipeline (like those created with `pin` or `pin_all_from`), you can use `integrity: true` to automatically calculate integrity hashes from the compiled assets:
+
+```ruby
+# config/importmap.rb
+
+# Automatically calculate integrity from asset pipeline
+pin "application", integrity: true
+pin "admin", to: "admin.js", integrity: true
+
+# Works with pin_all_from too
+pin_all_from "app/javascript/controllers", under: "controllers", integrity: true
+pin_all_from "app/javascript/lib", under: "lib", integrity: true
+
+# Mixed usage
+pin "local_module", integrity: true              # Auto-calculated
+pin "cdn_package", integrity: "sha384-abc123..." # Pre-calculated
+pin "no_integrity_package"                       # No integrity (default)
+```
+
+This is particularly useful for:
+* **Local JavaScript files** managed by your Rails asset pipeline
+* **Bulk operations** with `pin_all_from` where calculating hashes manually would be tedious
+* **Development workflow** where asset contents change frequently
+
+The `integrity: true` option:
+* Uses the Rails asset pipeline's built-in integrity calculation
+* Works with both Sprockets and Propshaft
+* Automatically updates when assets are recompiled
+* Gracefully handles missing assets (returns `nil` for non-existent files)
+
+**Example output with `integrity: true`:**
+```json
+{
+  "imports": {
+    "application": "/assets/application-abc123.js",
+    "controllers/hello_controller": "/assets/controllers/hello_controller-def456.js"
+  },
+  "integrity": {
+    "/assets/application-abc123.js": "sha256-xyz789...",
+    "/assets/controllers/hello_controller-def456.js": "sha256-uvw012..."
+  }
+}
+```
+
 ### How integrity works
 
 The integrity hashes are automatically included in your import map and module preload tags:
diff --git a/gemfiles/rails_7.0_propshaft.gemfile b/gemfiles/rails_7.0_propshaft.gemfile
@@ -3,7 +3,7 @@
 source "https://rubygems.org"
 
 gem "rails", branch: "7-0-stable", git: "https://github.com/rails/rails.git"
-gem "propshaft"
+gem "propshaft", branch: "main", git: "https://github.com/rails/propshaft.git"
 gem "sqlite3", "~> 1.4"
 
 group :development do
diff --git a/gemfiles/rails_7.1_propshaft.gemfile b/gemfiles/rails_7.1_propshaft.gemfile
@@ -3,7 +3,7 @@
 source "https://rubygems.org"
 
 gem "rails", "~> 7.1.0"
-gem "propshaft"
+gem "propshaft", branch: "main", git: "https://github.com/rails/propshaft.git"
 gem "sqlite3"
 
 group :development do
diff --git a/gemfiles/rails_7.2_propshaft.gemfile b/gemfiles/rails_7.2_propshaft.gemfile
@@ -3,7 +3,7 @@
 source "https://rubygems.org"
 
 gem "rails", "~> 7.2.0"
-gem "propshaft"
+gem "propshaft", branch: "main", git: "https://github.com/rails/propshaft.git"
 gem "sqlite3"
 
 group :development do
diff --git a/gemfiles/rails_8.0_propshaft.gemfile b/gemfiles/rails_8.0_propshaft.gemfile
@@ -3,7 +3,7 @@
 source "https://rubygems.org"
 
 gem "rails", "~> 8.0.0"
-gem "propshaft"
+gem "propshaft", branch: "main", git: "https://github.com/rails/propshaft.git"
 gem "sqlite3"
 
 group :development do
diff --git a/gemfiles/rails_main_propshaft.gemfile b/gemfiles/rails_main_propshaft.gemfile
@@ -3,7 +3,7 @@
 source "https://rubygems.org"
 
 gem "rails", branch: "main", git: "https://github.com/rails/rails.git"
-gem "propshaft"
+gem "propshaft", branch: "main", git: "https://github.com/rails/propshaft.git"
 gem "sqlite3"
 
 group :development do
diff --git a/lib/importmap/map.rb b/lib/importmap/map.rb
@@ -30,9 +30,9 @@ def pin(name, to: nil, preload: true, integrity: nil)
     @packages[name] = MappedFile.new(name: name, path: to || "#{name}.js", preload: preload, integrity: integrity)
   end
 
-  def pin_all_from(dir, under: nil, to: nil, preload: true)
+  def pin_all_from(dir, under: nil, to: nil, preload: true, integrity: nil)
     clear_cache
-    @directories[dir] = MappedDir.new(dir: dir, under: under, path: to, preload: preload)
+    @directories[dir] = MappedDir.new(dir: dir, under: under, path: to, preload: preload, integrity: integrity)
   end
 
   # Returns an array of all the resolved module paths of the pinned packages. The `resolver` must respond to
@@ -92,9 +92,21 @@ def preloaded_module_paths(resolver:, entry_point: "application", cache_key: :pr
   #   packages = importmap.preloaded_module_packages(resolver: helpers, cache_key: "cdn_host")
   def preloaded_module_packages(resolver:, entry_point: "application", cache_key: :preloaded_module_packages)
     cache_as(cache_key) do
-      expanded_preloading_packages_and_directories(entry_point:).to_h do |_, package|
-        [resolve_asset_path(package.path, resolver: resolver), package]
-      end.delete_if { |key| key.nil? }
+      expanded_preloading_packages_and_directories(entry_point:).filter_map do |_, package|
+        resolved_path = resolve_asset_path(package.path, resolver: resolver)
+        next unless resolved_path
+
+        resolved_integrity = resolve_integrity_value(package.integrity, package.path, resolver: resolver)
+
+        package = MappedFile.new(
+          name: package.name,
+          path: package.path,
+          preload: package.preload,
+          integrity: resolved_integrity
+        )
+
+        [resolved_path, package]
+      end.to_h
     end
   end
 
@@ -138,7 +150,7 @@ def cache_sweeper(watches: nil)
   end
 
   private
-    MappedDir  = Struct.new(:dir, :path, :under, :preload, keyword_init: true)
+    MappedDir  = Struct.new(:dir, :path, :under, :preload, :integrity, keyword_init: true)
     MappedFile = Struct.new(:name, :path, :preload, :integrity, keyword_init: true)
 
     def cache_as(name)
@@ -190,10 +202,22 @@ def build_integrity_hash(packages, resolver:)
         resolved_path = resolve_asset_path(mapping.path, resolver: resolver)
         next unless resolved_path
 
-        [resolved_path, mapping.integrity]
+        integrity_value = resolve_integrity_value(mapping.integrity, mapping.path, resolver: resolver)
+        next unless integrity_value
+
+        [resolved_path, integrity_value]
       end.to_h
     end
 
+    def resolve_integrity_value(integrity, path, resolver:)
+      case integrity
+      when true
+        resolver.asset_integrity(path)
+      when String
+        integrity
+      end
+    end
+
     def expanded_preloading_packages_and_directories(entry_point:)
       expanded_packages_and_directories.select { |name, mapping| mapping.preload.in?([true, false]) ? mapping.preload : (Array(mapping.preload) & Array(entry_point)).any? }
     end
@@ -210,7 +234,12 @@ def expand_directories_into(paths)
             module_name     = module_name_from(module_filename, mapping)
             module_path     = module_path_from(module_filename, mapping)
 
-            paths[module_name] = MappedFile.new(name: module_name, path: module_path, preload: mapping.preload)
+            paths[module_name] = MappedFile.new(
+              name: module_name,
+              path: module_path,
+              preload: mapping.preload,
+              integrity: mapping.integrity
+            )
           end
         end
       end
diff --git a/test/dummy/config/initializers/assets.rb b/test/dummy/config/initializers/assets.rb
@@ -11,3 +11,5 @@
 # application.js, application.css, and all non-JS/CSS in the app/assets
 # folder are already added.
 # Rails.application.config.assets.precompile += %w( admin.js admin.css )
+
+Rails.application.config.assets.integrity_hash_algorithm = "sha384"
diff --git a/test/importmap_test.rb b/test/importmap_test.rb
@@ -89,6 +89,35 @@ def setup
     assert_match %r|assets/my_lib-.*\.js|, generate_importmap_json["imports"]["my_lib"]
   end
 
+  test "importmap json includes integrity hashes from integrity: true" do
+    importmap = Importmap::Map.new.tap do |map|
+      map.pin "application", integrity: true
+    end
+
+    json = JSON.parse(importmap.to_json(resolver: ApplicationController.helpers))
+
+    assert json["integrity"], "Should include integrity section"
+
+    application_path = json["imports"]["application"]
+    assert application_path, "Should include application in imports"
+    if ENV["ASSETS_PIPELINE"] == "sprockets"
+      assert_equal "sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=", json["integrity"][application_path]
+    else
+      assert_equal "sha384-OLBgp1GsljhM2TJ+sbHjaiH9txEUvgdDTAzHv2P24donTt6/529l+9Ua0vFImLlb", json["integrity"][application_path]
+    end
+  end
+
+  test "integrity: true with missing asset should be gracefully handled" do
+    importmap = Importmap::Map.new.tap do |map|
+      map.pin "missing", to: "nonexistent.js", preload: true, integrity: true
+    end
+
+    json = JSON.parse(importmap.to_json(resolver: ApplicationController.helpers))
+
+    assert_empty json["imports"]
+    assert_nil json["integrity"]
+  end
+
   test 'invalid importmap file results in error' do
     file = file_fixture('invalid_import_map.rb')
     importmap = Importmap::Map.new
@@ -243,6 +272,18 @@ def setup
     assert_equal "sha384-OLBgp1GsljhM2TJ+sbHjaiH9txEUvgdDTAzHv2P24donTt6/529l+9Ua0vFImLlb", packages[editor_path].integrity
   end
 
+  test "pin with integrity: true should calculate integrity dynamically" do
+    importmap = Importmap::Map.new.tap do |map|
+      map.pin "editor", to: "rich_text.js", preload: true, integrity: "sha384-OLBgp1GsljhM2TJ+sbHjaiH9txEUvgdDTAzHv2P24donTt6/529l+9Ua0vFImLlb"
+    end
+
+    packages = importmap.preloaded_module_packages(resolver: ApplicationController.helpers)
+
+    editor_path = packages.keys.find { |path| path.include?("rich_text") }
+    assert editor_path, "Should include editor package"
+    assert_equal "sha384-OLBgp1GsljhM2TJ+sbHjaiH9txEUvgdDTAzHv2P24donTt6/529l+9Ua0vFImLlb", packages[editor_path].integrity
+  end
+
   test "preloaded_module_packages uses custom cache_key" do
     set_one = @importmap.preloaded_module_packages(resolver: ApplicationController.helpers, cache_key: "1").to_s
 
@@ -279,6 +320,23 @@ def setup
     assert existing_path, "Should include existing asset"
   end
 
+  test "pin_all_from with integrity: true should calculate integrity dynamically" do
+    importmap = Importmap::Map.new.tap do |map|
+      map.pin_all_from "app/javascript/controllers", under: "controllers", integrity: true
+    end
+
+    packages = importmap.preloaded_module_packages(resolver: ApplicationController.helpers)
+
+    controller_path = packages.keys.find { |path| path.include?("goodbye_controller") }
+    assert controller_path, "Should include goodbye_controller package"
+    if ENV["ASSETS_PIPELINE"] == "sprockets"
+      assert_equal "sha256-6yWqFiaT8vQURc/OiKuIrEv9e/y4DMV/7nh7s5o3svA=", packages[controller_path].integrity
+    else
+      assert_equal "sha384-k7HGo2DomvN21em+AypqCekIFE3quejFnjQp3NtEIMyvFNpIdKThZhxr48anSNmP", packages[controller_path].integrity
+    end
+    assert_not_includes packages.map { |_, v| v.integrity }, nil
+  end
+
   private
     def generate_importmap_json
       @generate_importmap_json ||= JSON.parse @importmap.to_json(resolver: ApplicationController.helpers)
