Shouldn't versions of JS libraries be pinned in Configuration.php and elsewhere?

[cloudscape-germany]

Describe the problem/question

In, i.e.: https://github.com/PrivateBin/PrivateBin/blob/master/lib/Configuration.php

js/dark-mode-switch.js
js/prettify.js
js/legacy.js
js/privatebin.js

are not pinned to versions. Wouln't this create conflicts, especially but not limited to SRI? Wouldn't it be better to either use a specific version or provide with i.e. "privatebin?1.7.4"?

Did you use the FAQ section?

• Yes, I have read the FAQ and I found no solution/answer there.

What you did?

1. Update SRIs
2. Notice that JS libraries are inconsistently pinned to versions, some are and some are not.

What happens

No response

What should happen

No response

Additional information

No response

Server address

No response

Server OS

No response

Webserver

No response

PrivateBin version

No response

Browser and version

No response

Local operating system and version

No response

Issue reproducibility

Yes, reproducible on https://privatebin.net.

[elrido]

All JS files are versioned in the templates, as delivered to the visitor - they either have the version as part of the file name or get a cache breaker version of PrivateBin appended as GET parameter (so the visitor will see "js/privatebin.js?1.2.3"). Those 4 files are part of PrivateBins codebase, so their version is the PrivateBin version upon release. Between releases, the SRI hashes should be changed every time one of these files is updated, but we don't consider the file version to be different, as it isn't part of a new release yet.

[cloudscape-germany]

So, given the latest release at the time of writing is 2.0.3., the best practice would be to provide cache buster for those 4 in-house files with the version of the latest release, i.e.

js/dark-mode-switch.js?2.0.3
js/prettify.js?2.0.3
js/legacy.js?2.0.3
js/privatebin.js?2.0.3

[elrido]

This is exactly how it is already implented and you don't need to change anything to get to see those versions in your installation. This is automatically done by the View class, when it renders the template out:

PrivateBin/lib/View.php

Lines 76 to 78 in 9a29894

	// if the file isn't versioned (ends in a digit), add our own version
	$cacheBuster = (bool) preg_match('#[0-9]\.js$#', (string) $file) ?
	'' : '?' . rawurlencode($this->_variables['VERSION']);