[SRI] integrity missing for client chunks #74147
Description
Link to the code that reproduces this issue
https://github.com/darthmaim-reproductions/vercel-next.js-74147
To Reproduce
- Clone the reproduction
- Run
npm run build - Open
.next/server/app/index.htmland observe that not all<script>s haveintegrityset.<script src="/_next/static/chunks/app/page-612aade09630a289.js" async=""></script>
Current vs. Expected behavior
When the app contains any client chunks ('use client'), those chunks don't have integrity set. Other chunks (like main-app-xxx.js) have the integrity attribute.
All scripts should have integrity.
Provide environment information
Node.js v22.5.1
Operating System:
Platform: linux
Arch: x64
Version: #1 SMP Tue Nov 5 00:21:55 UTC 2024
Available memory (MB): 15953
Available CPU cores: 8
Binaries:
Node: 22.5.1
npm: 10.8.2
Yarn: 1.22.22
pnpm: N/A
Relevant Packages:
next: 15.1.1-canary.13 // Latest available version is detected (15.1.1-canary.13).
eslint-config-next: N/A
react: 19.0.0
react-dom: 19.0.0
typescript: 5.3.3
Next.js Config:
output: N/AWhich area(s) are affected? (Select all that apply)
Not sure
Which stage(s) are affected? (Select all that apply)
next build (local)
Additional context
SRI was recently added to the Node.js runtime in #73891, which also mentions this shortcoming:
In a follow-up we should also add support for adding the integrity attribute to client component chunks that are injected into the head during server-side rendering, but that needs a change in React first.
Note that the chunk hash is correctly included in .next/server/subresource-integrity-manifest.json, its just missing in the html.
Related: