Subresource Integrity error

[DamianGlowala]

Version

nuxt-security: 1.2.1
nuxt: 3.10.3

Reproduction Link

n/a

Steps to reproduce

n/a

What is Expected?

No SRI error after deploying to Azure Static Web Apps with azure preset with default Nuxt Security's SRI config.

What is actually happening?

[Baroshem]

Hey @DamianGlowala

Thabks for reporting this issue.

@vejja do you maybe have a clue what could be the issue here?

[vejja]

Looking at it right now, I can confirm the issue

[vejja]

@DamianGlowala we are facing the regression since Nuxt 3.9.0
Not sure where it comes from, but Buffers are involved in the bug

@Baroshem: the easiest way to fix the issue is to upgrade from Nuxt 3.8 to Nuxt 3.10, are you ok with that?

[DamianGlowala]

@vejja, really appreciate you looking into this!

Shall I temporarily try overriding nuxt dependency to e.g. 3.10.3 and see whether this works?

[vejja]

@vejja, really appreciate you looking into this!

Shall I temporarily try overriding nuxt dependency to e.g. 3.10.3 and see whether this works?

It won't work by only upgrading version
Issue in detail is that unstorage's getItem method can now sometimes return a Buffer instead of an object at https://github.com/Baroshem/nuxt-security/blob/main/src/runtime/nitro/plugins/03-subresourceIntegrity.ts#L25

[vejja]

Update
It's difficult to fix both for Nuxt 3.8 and 3.9+
The reason is that something has changed in the way Nuxt bundles strings:

• Up until 3.8, strings were bundled as strings :
  

• From 3.9, strings are converted to base64 Uint8Array :
  

I think this could be related to the upgrade to Vite 5 / Rollup 4 that happened with Nuxt 3.9

I am submitting a PR to fix, it includes the upgrade to Nuxt 3.10

@DamianGlowala I can see that you are involved in Nuxt Core, if you have some smarter alternative let me know

[vejja]

Hi @Baroshem
I think this one should also be closed by 1.3.1

[Baroshem]

@DamianGlowala coukd you confirm?

[DamianGlowala]

I've updated to v1.3.2, removed sri: false and the issue appears to remain.

[vejja]

Hi @DamianGlowala
Is it possible to nuxi upgrade --force if you are still with Nuxt 3.10 ?

[DamianGlowala]

I am currently on Nuxt v3.11.2. Ran the nuxi upgrade --force and had a look at the lockfile - nothing relevant changed which could have an impact on Nuxt Security module, only @vue/compiler-sfc version bumps 😄

[vejja]

This is really annoying...
Would you mind backing up the lockfile, deleting it and also the whole node_modules directory, and then reinstalling with a fresh npm install ? Then comparing the 2 lockfiles ?
Sorry to ask for such a dumb approach, but if you can do this it would be very helpful because I think we have a dependency issue and I can't locate it

[Baroshem]

@DamianGlowala have you tried it? :)

(Closed by mistake)

[vejja]

Hi @DamianGlowala

I managed to track the upstream error. Source issue is in nitro@2.9.2: unjs/nitro#2217
Was resolved by unjs/nitro#2239 which was merged in nitro@2.9.3

Could you check this dependency to see if it works now ?

[DamianGlowala]

Hi @vejja!

I am currently using nitropack@2.9.6. Checked the lockfile and no other version is listed there. Might try adding an override anyway and see whether this works. Thank you so much for the help so far!

[Baroshem]

@vejja @DamianGlowala I released patch 1.4.3 with a fix for that. Could you check if it works now? :)