grant/ten31-database
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Vendor + SRI-pin front-end libs; add render smoke gate (v0.1.0:82)

Browse Source 
React/ReactDOM/Babel were loaded from the unpkg CDN at runtime — react@18
and react-dom@18 weren't even exact-pinned, and none had SRI. A CDN swap (or
react auto-resolving a new 18.x) could blank the whole app with no change on
our side: exactly the v78/v79 blank-screen class. It also made the self-hosted
box depend on outbound internet to render.

Vendor the three libs into frontend/assets/vendor/ (React 18.3.1, ReactDOM
18.3.1, @babel/standalone 7.29.7) and load them same-origin with sha384
integrity attributes. They now ship inside the s9pk (Dockerfile already COPYs
frontend/; server.py serves /assets/* with the path-containment check), so a
CDN can never swap prod deps again and no outbound fetch is needed at runtime.

Add start9/0.4/render-smoke.mjs: a jsdom render smoke check that (1) runs the
shipped Babel over the app's inline JSX and asserts a classic, non-module,
parseable script (the v79 ESM-import regression), and (2) mounts the app in
jsdom and asserts the login UI renders (the v78 blank-screen class). Wired into
the default `make` goal so every package build is gated on the frontend
actually rendering — closing the "verified live via curl only" gap. jsdom is a
build-time devDependency, not shipped in the image.
This commit is contained in:
Keysat
2026-06-16 16:10:26 -05:00
parent 45fd037e3b
commit 40a0270a99
11 changed files with 1309 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files
frontend/index.html
+15 -7
View File
@@ -6,13 +6,21 @@
<title>Ten31 database</title>
<link rel="icon" type="image/png" href="/assets/ten31-inverted-square.png">
<link rel="shortcut icon" href="/assets/ten31-inverted-square.png">
<script crossorigin src="https://unpkg.com/react@18/umd/react.production.min.js"></script>
<script crossorigin src="https://unpkg.com/react-dom@18/umd/react-dom.production.min.js"></script>
<!-- Pinned: Babel 8 defaults @babel/preset-react to the automatic JSX runtime,
which emits `import {jsx} from "react/jsx-runtime"` — illegal in this classic
(non-module) inline script and blanks the whole app. Stay on the 7.x line,
whose preset-react defaults to the classic runtime (React.createElement). -->
<script src="https://unpkg.com/@babel/standalone@7.29.7/babel.min.js"></script>
<!-- Vendored + SRI-pinned (v0.1.0:82). These ship inside the s9pk and are served
same-origin from /assets/vendor/, so a CDN can never swap our prod deps (the
v78/v79 blank-screen class) and the box needs no outbound internet to render.
The integrity hashes are sha384 of the exact bytes below; regenerate with
`openssl dgst -sha384 -binary FILE | openssl base64 -A` if you re-vendor.
Babel stays on the 7.x line on purpose: Babel 8 defaults @babel/preset-react
to the automatic JSX runtime, which emits `import {jsx} from "react/jsx-runtime"`
— illegal in this classic (non-module) inline script and blanks the whole app.
7.x preset-react defaults to the classic runtime (React.createElement). -->
<script src="/assets/vendor/react-18.3.1.production.min.js"
integrity="sha384-DGyLxAyjq0f9SPpVevD6IgztCFlnMF6oW/XQGmfe+IsZ8TqEiDrcHkMLKI6fiB/Z"></script>
<script src="/assets/vendor/react-dom-18.3.1.production.min.js"
integrity="sha384-gTGxhz21lVGYNMcdJOyq01Edg0jhn/c22nsx0kyqP0TxaV5WVdsSH1fSDUf5YJj1"></script>
<script src="/assets/vendor/babel-standalone-7.29.7.min.js"
integrity="sha384-ezQ6HS3FLspd9te19o2McUV6FAK091+GG7KO54f/R8DKgCDi7fULhapNrd5LY+vG"></script>
<style>
@import url('https://fonts.googleapis.com/css2?family=IBM+Plex+Sans:wght@400;500;600;700&family=IBM+Plex+Mono:wght@500;600&display=swap');