SRI for jquery-migrate plugin

Hi, I’m working on a WordPress plugin that provides updated jQuery to the WordPress frontend in a robust and secure manner. It allows the user to select their preferred public CDN (or no CDN) and secures both jQuery and jQuery Migrate with SRI - serving them locally in the event that the client fails to retrieve it from the CDN or the SRI fails.

For jQuery 3.5.1 there are no issues if the webmaster chooses cdnjs but for jquery-migrate (minified version) there is a problem.

The jquery-migrate-3.3.0.min.js downloaded from jQuery.com and hosted on the jQuery CDN has an SRI of

sha256-wZ3vNXakH9k4P00fNGAlbN0PkpKSyhRa76IFy4V1PYE=

However on CDNJS the file has an SRI of

sha256-lubBd1CVmtB9FHh+c1CWkr4jCSiszGj7bhzWPpNgw1A=

I need to understand why it is different here before I can compensate in my plugin to use a different SRI when CDNJS is the chosen CDN to serve jQuery + migrate plugin from.

Looking at the code of both I noticed that the cdnjs version has //# sourceMappingURL=jquery-migrate.min.map at the end of the file and this will result in a different hash value.
I didn’t notice any other differences, but I didn’t compare in detail both files.

1 Like

Ah okay that makes perfect sense. Thank you.