Calculating Subresource Integrity Hashes is annoying with some things, and it took me a little searching to find how to do an integrity hash for unpkg, so here’s some info!
The package ref https://unpkg.com/nunjucks@3.2.4/ redirects to https://unpkg.com/nunjucks@3.2.4/browser/nunjucks.js
From this GitHub issue, SRI data is available by prefixing the URL path with _meta, and it comes back as a JSON blob:
$ curl -sL 'https://unpkg.com/_meta/nunjucks@3.2.4/browser/nunjucks.js' \
| jq .
{
"path": "/browser/nunjucks.js",
"type": "file",
"contentType": "application/javascript",
"integrity": "sha384-ZyhcL7OTZmp/dXwM/EDo+Fm1L0W9jWuZhFvl9iu5O1T8fRCKDjQNZdwxBduOQ/w6",
"lastModified": "Sat, 26 Oct 1985 08:15:00 GMT",
"size": 220104
}
So you can get just the value with:
$ curl -sL 'https://unpkg.com/_meta/nunjucks@3.2.4/browser/nunjucks.js' \
| jq -r .integrity
sha384-ZyhcL7OTZmp/dXwM/EDo+Fm1L0W9jWuZhFvl9iu5O1T8fRCKDjQNZdwxBduOQ/w6
Woo!
A slightly more convoluted jq example is to pull the metadata from the package base URL and filter the response, because it comes back as nested JSON:
$ curl -sL 'https://unpkg.com/_meta/nunjucks@3.2.4/' | \
jq '.files[] | select(.path=="/browser") | .files[] | select(.path=="/browser/nunjucks.js")'
{
"path": "/browser/nunjucks.js",
"type": "file",
"contentType": "application/javascript",
"integrity": "sha384-ZyhcL7OTZmp/dXwM/EDo+Fm1L0W9jWuZhFvl9iu5O1T8fRCKDjQNZdwxBduOQ/w6",
"lastModified": "Sat, 26 Oct 1985 08:15:00 GMT",
"size": 220104
}
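The integrity value from _meta can also be cross-checked by hashing the file yourself before pinning it in a script tag. The script below is an added example, not part of the original post or unpkg's own tooling; the function names are made up for illustration, and it assumes openssl, curl and jq are installed.

```shell
#!/usr/bin/env bash
# Added example: recompute a SHA-384 SRI value locally and compare it with
# the "integrity" field reported by unpkg's _meta endpoint.
# All function names here are hypothetical helpers, not unpkg tooling.

# Print the SRI string (sha384-<base64 of the raw digest>) for a local file.
sri_hash() {
  printf 'sha384-%s\n' "$(openssl dgst -sha384 -binary "$1" | openssl base64 -A)"
}

# Succeed only if the file's recomputed hash equals the expected SRI string.
sri_verify() {
  [ "$(sri_hash "$1")" = "$2" ]
}

# Emit a <script> tag pinned to the given integrity value.
sri_script_tag() {
  printf '<script src="%s" integrity="%s" crossorigin="anonymous"></script>\n' "$1" "$2"
}

# Download the file and its _meta record; print a pinned tag only if the
# locally computed hash agrees with what _meta reports.
# Argument example: nunjucks@3.2.4/browser/nunjucks.js
unpkg_pinned_tag() {
  local pkg_path=$1 tmp expected
  tmp=$(mktemp) || return 1
  curl -fsSL "https://unpkg.com/${pkg_path}" -o "$tmp" || { rm -f "$tmp"; return 1; }
  expected=$(curl -fsSL "https://unpkg.com/_meta/${pkg_path}" | jq -r .integrity)
  if sri_verify "$tmp" "$expected"; then
    sri_script_tag "https://unpkg.com/${pkg_path}" "$expected"
  else
    echo "integrity mismatch for ${pkg_path}: computed $(sri_hash "$tmp"), _meta says ${expected}" >&2
    rm -f "$tmp"
    return 1
  fi
  rm -f "$tmp"
}
```

Source the file and run `unpkg_pinned_tag nunjucks@3.2.4/browser/nunjucks.js`; a mismatch prints both values to stderr and returns non-zero, so it can gate a build step.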