astro-shield

Fixes

• This release fixes an issue present in generated CSP directives : #76

Autogenerated Changelog

• docs: add missing license headers by @castarco in https://github.com/kindspells/astro-shield/pull/74
• chore: upgrade pnpm by @castarco in https://github.com/kindspells/astro-shield/pull/75
• chore: upgrade deps by @castarco in https://github.com/kindspells/astro-shield/pull/78
• fix: csp headers generation by @castarco in https://github.com/kindspells/astro-shield/pull/79

Full Changelog: https://github.com/kindspells/astro-shield/compare/1.3.5...1.3.6

Security

• Limit postinstall scripts for the development repository. In principle, this doesn't directly affect the distributed code of this library, but it helps to reduce some supply chain risks.

Autogenerated Changelog

• security: limit postinstall scripts by @castarco in https://github.com/kindspells/astro-shield/pull/73

Full Changelog: https://github.com/kindspells/astro-shield/compare/1.3.4...1.3.5

Security improvements

• The script matcher now is able to detect malformed closing tags (containing "pseudo-attributes" that shouldn't be there according to the spec). This lets Astro-Shield to be more effective at removing a wider range of malicious injected scripts from dynamically generated content.
• Some regular expressions have been reworked to mitigate the possibility polynomial or exponential execution time. This helps to prevent the possibility of DoS attacks via specially crafted strings intended to blow up the execution time of parsing code.

Autogenerated Changelog

• docs: enable sri in docs site by @castarco in https://github.com/kindspells/astro-shield/pull/61
• chore: optimise docs site local build by @castarco in https://github.com/kindspells/astro-shield/pull/62
• fix: capture a wider range of malicious input by @castarco in https://github.com/kindspells/astro-shield/pull/68

Full Changelog: https://github.com/kindspells/astro-shield/compare/1.3.3...1.3.4

Minor fixes

• The previous release (1.3.2) introduced a minor warning message that, although not really problematic, was quite annoying. That was fixed.

Autogenerated Changelog

• fix: vite warning by @castarco in https://github.com/kindspells/astro-shield/pull/60

Full Changelog: https://github.com/kindspells/astro-shield/compare/1.3.2...1.3.3

Fixes

• In previous releases, the introduction of allow-lists introduced a strange regression causing the generation of an inconsistent hashes module. This has been fixed now.

Security

• This release contains important security fixes. It is advisable to upgrade as soon as possible.

Autogenerated Changelog

• fix: ensure that allowed scripts are in hashes module by @castarco in https://github.com/kindspells/astro-shield/pull/58
• fix: do not trust integrity attribute when undeserved by @castarco in https://github.com/kindspells/astro-shield/pull/59

Full Changelog: https://github.com/kindspells/astro-shield/compare/1.3.1...1.3.2

Development

• Configure monorepo

Documentation

• Moved documentation from the README.md file to https://astro-shield.kindspells.dev

Autogenerated Changelog

• docs: fix spacing problems in README by @castarco in https://github.com/kindspells/astro-shield/pull/48
• refactor: create pnpm workspace by @castarco in https://github.com/kindspells/astro-shield/pull/49
• Setup monorepo by @castarco in https://github.com/kindspells/astro-shield/pull/50
• docs: create starlight docs site by @castarco in https://github.com/kindspells/astro-shield/pull/53

Full Changelog: https://github.com/kindspells/astro-shield/compare/1.3.0...1.3.1

Security Fixes

If you were using Astro-Shield 1.2.0, it is quite relevant to upgrade to this new 1.3.0 version.

In this release we introduce many mitigations to some risks that were accidentally introduced in the past release with the new CSP headers generation for SSR content.

• Now it will be mandatory to explicitly allow-list any cross-origin resource that might be loaded from dynamically generated pages. This is necessary to avoid the possibility that Astro-Shield accidentally "signs" malicious injected scripts or stylesheets.
• It will also be possible to disallow SRI hashes generation for inline scripts or stylesheets, although we still allow them by default (we could change the default behavior in future releases, but we didn't want to introduce too many disruptive changes in a single release). The reason to disallow inline scripts in SSR content is the same as for the previous point, to protect the site against potential injections.

Other Changes

• We introduced a new way to define the SRI configuration, while keeping the old way for now (with warning messages about future deprecation).

Autogenerated Changelog

• docs: fix info box by @castarco in https://github.com/KindSpells/astro-shield/pull/44
• security: fix for major vulnerabilities by @castarco in https://github.com/KindSpells/astro-shield/pull/45

Full Changelog: https://github.com/KindSpells/astro-shield/compare/1.2.0...1.3.0

New Features

• Now it is possible to generate CSP headers for SSR (dynamic) pages

Minor improvements

• Improved some warning and error messages
• The hashes module generation now creates intermediate directories in case they don't exist, avoiding some annoying problems.

Development

• The code is now prepared for other improvements on the security headers front.

Autogenerated Changelog

• chore: minor corrections by @castarco in https://github.com/KindSpells/astro-shield/pull/39
• docs: gh sponsors by @castarco in https://github.com/KindSpells/astro-shield/pull/41
• feat: create provisional hashes module by @castarco in https://github.com/KindSpells/astro-shield/pull/40
• test: minor test improvements by @castarco in https://github.com/KindSpells/astro-shield/pull/42
• feat: support for CSP headers on SSR mode by @castarco in https://github.com/KindSpells/astro-shield/pull/43

Full Changelog: https://github.com/KindSpells/astro-shield/compare/1.1.0...1.2.0

Fixes

• Improved warning and error messages
• Improved documentation to cover edge cases and their workarounds

Performance

• Improved caching logic for static assets processing

Autogenerated Changelog

• docs: add Socket badge by @castarco in https://github.com/KindSpells/astro-shield/pull/31
• perf: improve static builds cache by @castarco in https://github.com/KindSpells/astro-shield/pull/32
• test: improve e2e coverage by @castarco in https://github.com/KindSpells/astro-shield/pull/34
• fix: show warn msg when manual workaround needed by @castarco in https://github.com/KindSpells/astro-shield/pull/35

Full Changelog: https://github.com/KindSpells/astro-shield/compare/1.0.1...1.1.0

Fixes

• Fixed a regression in the package release pipeline

Autogenerated Changelog

• fix: release scripts by @castarco in https://github.com/KindSpells/astro-shield/pull/30

Full Changelog: https://github.com/KindSpells/astro-shield/compare/1.0.0...1.0.1

New Features

• Middleware support! : Now it is possible for astro-shield to install a middleware that adds SRI hashes to dynamically generated pages, and not just static pages as until today.

Performance

• We introduced better caching to reduce the amount of network calls that astro-shield has to perform when generating SRI hashes for cross-origin resources.

Development

• New end-to-end tests: We introduced new e2e tests to ensure the quality and stability of this integration.
• Higher testing coverage: We increased the testing coverage requirements for this library.

Autogenerated Changelong

• feat!: big refactor, tests & features by @castarco in https://github.com/KindSpells/astro-shield/pull/29

Full Changelog: https://github.com/KindSpells/astro-shield/compare/0.5.1...1.0.0

Changes

• Fix documentation

Autogenerated Changelog

• docs: fix astro-shield refs by @castarco in https://github.com/KindSpells/astro-shield/pull/27

Full Changelog: https://github.com/KindSpells/astro-shield/compare/0.5.0...0.5.1

Breaking Changes

• The package was renamed to @kindspells/astro-shield
• The internal integration label was set to @kindspells/astro-shield

New Features

• Now it generates per-page SRI hashes, so we can use them to generate smaller CSP headers.

Autogenerated Changelog

• docs: add spdx license annotations by @castarco in https://github.com/KindSpells/astro-shield/pull/18
• ci: configure codecov by @castarco in https://github.com/KindSpells/astro-shield/pull/19
• test: increase tests coverage by @castarco in https://github.com/KindSpells/astro-shield/pull/20
• feat!: per-page sri hashes by @castarco in https://github.com/KindSpells/astro-shield/pull/25
• ci: set --access public for pnpm publish by @castarco in https://github.com/KindSpells/astro-shield/pull/26

Full Changelog: https://github.com/KindSpells/astro-shield/compare/0.4.2...0.5.0

Development Process Improvements

This release only improves how we release new versions of this package. From now on, all releases will be done from our Github Actions pipelines.

This will ensure that we are able to establish the provenance of that release, said in other words: this allows us to guarantee that the published package comes from a specific commit of this repository, without any alteration.

This guarantee is key for code supply chains security, and it will help with regulations and certifications compliance.

Autogenerated Changelog

• security: configure ci/cd builds & provenance by @castarco in https://github.com/KindSpells/astro-sri-csp/pull/15
• ci: workaround to allow pnpm publish from tag by @castarco in https://github.com/KindSpells/astro-sri-csp/pull/16
• fix: add missing install step in release workflow by @castarco in https://github.com/KindSpells/astro-sri-csp/pull/17

Full Changelog: https://github.com/KindSpells/astro-sri-csp/compare/0.4.1...0.4.2

Provenance Attestations

• SigStore Log Entry 71868022
• Associated Build Pipeline

Development Process Improvements

This release only improves how we release new versions of this package. From now on, all releases will be done from our Github Actions pipelines.

This will ensure that we are able to establish the provenance of that release, said in other words: this allows us to guarantee that the published package comes from a specific commit of this repository, without any alteration.

This guarantee is key for code supply chains security, and it will help with regulations and certifications compliance.

Auto-Generated Changelog

• security: configure ci/cd builds & provenance by @castarco in https://github.com/KindSpells/astro-sri-csp/pull/15

Full Changelog: https://github.com/KindSpells/astro-sri-csp/compare/0.4.1...0.4.2

Improvements

• Now this lib generates the crossorigin="anonymous" attribute for <script>, <style>, and <link rel="stylesheet"> elements when they refer to external cross-origin resources, to avoid credentials leaks.

Development improvements

• Added new tests
• Added CI pipeline to run tests publicly
• Added local git hooks to avoid pushing broken code

Improvements

• Improved <script> matchers to cover more uncommon cases
• Improved <style> matchers to cover more uncommon cases
• Improved <link rel="stylesheet"> matches to cover more uncommon cases

Fixes

• Use "private" type for the integration return type, to ensure that we won't have type mismatches because of Astro updates.

Improvements

• Generate SRI hashes for "external" scripts and styles (by external we mean not inlined, independently of whether they are remote or server from the same origin)
• Clarified documentation

Improvements

• Now there is no need to pass the dist path to the integration function
• Better documentation
• Better types

Breaking Changes

• Now parameters are passed as an options object instead of individual ordered values

What does this lib does?

• Transforms Astro's generated HTML files to add Subresource Integrity hashes to inlined scripts and styles.
• Generates a JS module that exports the list of script and styles hashes, so they can be used to generate CSP headers.