Would there be any interest in supporting a way to exclude imports to specific modules from integrity hash calculation and enforcement?
Something like:
new SubresourceIntegrityPlugin({
hashFuncNames: ["sha256", "sha384"],
excludeImports: ["@inhouse-module-federated/*", "@inhouse/gigantic-veeeery-trustworthy-package-i-know-what-i-am-doing-please"]
}),
would exclude all imports starting with @inhouse-module-federated/ prefix (perhaps because it's a module federated package and we have a different way of enforcing SRI for those) and also @inhouse/gigantic-veeeery-trustworthy-package-i-know-what-i-am-doing-please (perhaps because computing the hash really slows build down and wise or not, the app owner can make the decision to exclude it).
This is related to #176. But I believe that this proposal is a better alternative: we avoid adding hidden features within webpack-subresource-integrity that take a dependency on implementation detail of webpack-module-federation.
Hi,
Would there be any interest in supporting a way to exclude imports to specific modules from integrity hash calculation and enforcement?
Something like:
would exclude all imports starting with
@inhouse-module-federated/
prefix (perhaps because it's a module federated package and we have a different way of enforcing SRI for those) and also@inhouse/gigantic-veeeery-trustworthy-package-i-know-what-i-am-doing-please
(perhaps because computing the hash really slows build down and wise or not, the app owner can make the decision to exclude it).This is related to #176. But I believe that this proposal is a better alternative: we avoid adding hidden features within
webpack-subresource-integrity
that take a dependency on implementation detail ofwebpack-module-federation
.