Add SRI support for Node.js Runtime #73891
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Failing test suitesCommit: 417ae25
Expand output● persistent-caching › should persistent cache loaders Read more about building and testing Next.js in contributing.md. |
Stats from current PRDefault Build (Increase detected
|
| vercel/next.js canary | vercel/next.js hl/sri-node | Change | |
|---|---|---|---|
| buildDuration | 17.5s | 15.6s | N/A |
| buildDurationCached | 14.8s | 12.4s | N/A |
| nodeModulesSize | 410 MB | 410 MB | |
| nextStartRea..uration (ms) | 471ms | 475ms | N/A |
Client Bundles (main, webpack)
| vercel/next.js canary | vercel/next.js hl/sri-node | Change | |
|---|---|---|---|
| 1187-HASH.js gzip | 51.4 kB | 51.4 kB | N/A |
| 8276.HASH.js gzip | 169 B | 168 B | N/A |
| 8377-HASH.js gzip | 5.36 kB | 5.36 kB | N/A |
| bccd1874-HASH.js gzip | 53 kB | 53 kB | N/A |
| framework-HASH.js gzip | 57.5 kB | 57.5 kB | N/A |
| main-app-HASH.js gzip | 232 B | 235 B | N/A |
| main-HASH.js gzip | 34.1 kB | 34.1 kB | N/A |
| webpack-HASH.js gzip | 1.71 kB | 1.71 kB | N/A |
| Overall change | 0 B | 0 B | ✓ |
Legacy Client Bundles (polyfills)
| vercel/next.js canary | vercel/next.js hl/sri-node | Change | |
|---|---|---|---|
| polyfills-HASH.js gzip | 39.4 kB | 39.4 kB | ✓ |
| Overall change | 39.4 kB | 39.4 kB | ✓ |
Client Pages
| vercel/next.js canary | vercel/next.js hl/sri-node | Change | |
|---|---|---|---|
| _app-HASH.js gzip | 193 B | 193 B | ✓ |
| _error-HASH.js gzip | 193 B | 193 B | ✓ |
| amp-HASH.js gzip | 512 B | 510 B | N/A |
| css-HASH.js gzip | 343 B | 342 B | N/A |
| dynamic-HASH.js gzip | 1.84 kB | 1.84 kB | ✓ |
| edge-ssr-HASH.js gzip | 265 B | 265 B | ✓ |
| head-HASH.js gzip | 363 B | 362 B | N/A |
| hooks-HASH.js gzip | 393 B | 392 B | N/A |
| image-HASH.js gzip | 4.49 kB | 4.49 kB | N/A |
| index-HASH.js gzip | 268 B | 268 B | ✓ |
| link-HASH.js gzip | 2.35 kB | 2.34 kB | N/A |
| routerDirect..HASH.js gzip | 328 B | 328 B | ✓ |
| script-HASH.js gzip | 397 B | 397 B | ✓ |
| withRouter-HASH.js gzip | 323 B | 326 B | N/A |
| 1afbb74e6ecf..834.css gzip | 106 B | 106 B | ✓ |
| Overall change | 3.59 kB | 3.59 kB | ✓ |
Client Build Manifests
| vercel/next.js canary | vercel/next.js hl/sri-node | Change | |
|---|---|---|---|
| _buildManifest.js gzip | 749 B | 746 B | N/A |
| Overall change | 0 B | 0 B | ✓ |
Rendered Page Sizes
| vercel/next.js canary | vercel/next.js hl/sri-node | Change | |
|---|---|---|---|
| index.html gzip | 523 B | 523 B | ✓ |
| link.html gzip | 538 B | 537 B | N/A |
| withRouter.html gzip | 519 B | 520 B | N/A |
| Overall change | 523 B | 523 B | ✓ |
Edge SSR bundle Size
| vercel/next.js canary | vercel/next.js hl/sri-node | Change | |
|---|---|---|---|
| edge-ssr.js gzip | 128 kB | 128 kB | N/A |
| page.js gzip | 204 kB | 204 kB | N/A |
| Overall change | 0 B | 0 B | ✓ |
Middleware size
| vercel/next.js canary | vercel/next.js hl/sri-node | Change | |
|---|---|---|---|
| middleware-b..fest.js gzip | 671 B | 669 B | N/A |
| middleware-r..fest.js gzip | 155 B | 156 B | N/A |
| middleware.js gzip | 31.3 kB | 31.3 kB | N/A |
| edge-runtime..pack.js gzip | 844 B | 844 B | ✓ |
| Overall change | 844 B | 844 B | ✓ |
Next Runtimes
| vercel/next.js canary | vercel/next.js hl/sri-node | Change | |
|---|---|---|---|
| 523-experime...dev.js gzip | 322 B | 322 B | ✓ |
| 523.runtime.dev.js gzip | 314 B | 314 B | ✓ |
| app-page-exp...dev.js gzip | 324 kB | 324 kB | ✓ |
| app-page-exp..prod.js gzip | 128 kB | 128 kB | ✓ |
| app-page-tur..prod.js gzip | 141 kB | 141 kB | ✓ |
| app-page-tur..prod.js gzip | 136 kB | 136 kB | ✓ |
| app-page.run...dev.js gzip | 314 kB | 314 kB | ✓ |
| app-page.run..prod.js gzip | 124 kB | 124 kB | ✓ |
| app-route-ex...dev.js gzip | 37.5 kB | 37.5 kB | ✓ |
| app-route-ex..prod.js gzip | 25.5 kB | 25.5 kB | ✓ |
| app-route-tu..prod.js gzip | 25.5 kB | 25.5 kB | ✓ |
| app-route-tu..prod.js gzip | 25.3 kB | 25.3 kB | ✓ |
| app-route.ru...dev.js gzip | 39.1 kB | 39.1 kB | ✓ |
| app-route.ru..prod.js gzip | 25.3 kB | 25.3 kB | ✓ |
| pages-api-tu..prod.js gzip | 9.69 kB | 9.69 kB | ✓ |
| pages-api.ru...dev.js gzip | 11.6 kB | 11.6 kB | ✓ |
| pages-api.ru..prod.js gzip | 9.68 kB | 9.68 kB | ✓ |
| pages-turbo...prod.js gzip | 21.7 kB | 21.7 kB | ✓ |
| pages.runtim...dev.js gzip | 27.5 kB | 27.5 kB | ✓ |
| pages.runtim..prod.js gzip | 21.7 kB | 21.7 kB | ✓ |
| server.runti..prod.js gzip | 916 kB | 916 kB | N/A |
| Overall change | 1.45 MB | 1.45 MB | ✓ |
build cache Overall increase ⚠️
| vercel/next.js canary | vercel/next.js hl/sri-node | Change | |
|---|---|---|---|
| 0.pack gzip | 2.08 MB | 2.08 MB | |
| index.pack gzip | 73.4 kB | 73.5 kB | |
| Overall change | 2.15 MB | 2.15 MB |
Diff details
Diff for main-HASH.js
Diff too large to display
Diff for server.runtime.prod.js
Diff too large to display
|
This will fix |
unstubbable
added a commit
that referenced
this pull request
Dec 13, 2024
In #73891 we added another manifest to be loaded in `loadComponents`. This uncovered a flakiness in prod mode when attempting to load an optional manifest. The non-existent manifest is attempted to be loaded three times with 100ms delay between attempts, before giving up. For some reason this increased loading time leads to more test flakiness. To mitigate this, we're limiting the retry behaviour to the dev mode, which matches the original intention when this was introduced in #45244.
unstubbable
force-pushed
the
hl/sri-node
branch
2 times, most recently
from
8395a2b to
f7f6a52
Compare
unstubbable
added a commit
that referenced
this pull request
Dec 13, 2024
In #73891 we added another manifest to be loaded in `loadComponents` (initially unconditionally). This uncovered a flakiness in prod mode when attempting to load an optional manifest. The non-existent manifest is attempted to be loaded three times with 100ms delay between attempts, before giving up. For some reason the increased loading time leads to more test flakiness. To mitigate this, we're limiting the retry behaviour to the dev mode, which matches the original intention when this was introduced in #45244.
unstubbable
force-pushed
the
hl/sri-node
branch
from
f7f6a52 to
0cda604
Compare
wyattjoh
approved these changes
Dec 17, 2024
unstubbable
force-pushed
the
hl/sri-node
branch
from
0cda604 to
417ae25
Compare
Support for setting [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) attributes on app router scripts was added in #39729. But this only covered pages using the Edge Runtime. With this PR, we're adding support for pages using the Node.js Runtime. The only change that's needed for that, and which was probably just an oversight in the original PR, is reading the generated manifest file in `loadComponents`.
This reverts commit a3d27b2. This is not supported by Next.js yet, and will be added in a separate PR.
unstubbable
force-pushed
the
hl/sri-node
branch
from
417ae25 to
b386219
Compare
|
That's great. Good work 🫶 |
ztanner
pushed a commit
that referenced
this pull request
Dec 24, 2024
In #73891 we added another manifest to be loaded in `loadComponents` (initially unconditionally). This uncovered a flakiness in prod mode when attempting to load an optional manifest. The non-existent manifest is attempted to be loaded three times with 100ms delay between attempts, before giving up. For some reason the increased loading time leads to more test flakiness. To mitigate this, we're limiting the retry behaviour to the dev mode, which matches the original intention when this was introduced in #45244.
ztanner
pushed a commit
that referenced
this pull request
Dec 24, 2024
In #73891 we added another manifest to be loaded in `loadComponents` (initially unconditionally). This uncovered a flakiness in prod mode when attempting to load an optional manifest. The non-existent manifest is attempted to be loaded three times with 100ms delay between attempts, before giving up. For some reason the increased loading time leads to more test flakiness. To mitigate this, we're limiting the retry behaviour to the dev mode, which matches the original intention when this was introduced in #45244.
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Note
This PR is best reviewed with hidden whitespace changes.
Support for setting Subresource Integrity attributes on app router scripts was added in #39729. But this only covered pages using the Edge Runtime.
With this PR, we're adding support for app pages using the Node.js Runtime. The only change that's needed for that, and which was probably just an oversight in the original PR, is reading the generated manifest file in
loadComponents.In a follow-up we should also add support for adding the
integrityattribute to client component chunks that are injected into the head during server-side rendering, but that needs a change in React first.fixes #66901