The #1 free and open source CDN built to make life easier for developers.
Introduction
This is the robot-only repository for cdnjs, where all the library assets that are hosted on cdnjs are stored. For the JSON files that control the libraries we host, please see the "human" cdnjs/packages repository.
Other Repositories
For the JSON files controlling the libraries we host on cdnjs, please take a look at the "human" cdnjs/packages repository.
For our website, please refer to the cdnjs/static-website repository.
For the cdnjs API, please refer to the cdnjs/api-server repository.
For the full cdnjs branding and brand-related assets/guidelines, please see the cdnjs/brand repository.
For our monthly CDN stats and usage reports, check out the cdnjs/cf-stats repository.
You can find all our repositories at github.com/cdnjs!
Contributing
As this repository is now considered robot-only, pull requests are no longer accepted for this repository. If you are looking to contribute to cdnjs, please take a look at the cdnjs/packages repository or any of our other open-source repositories on GitHub!
Sponsors
cdnjs wouldn't be the success that it is today without our sponsors' kind support. These companies currently support cdnjs:
If you are interested in becoming a sponsor, please feel free to contact us!
License
Each library is released under its own license. This cdnjs repository is published under the MIT license.
CORS/404 mega-issue: Responses lack access-control-allow-origin occasionally due to 404
Hello, from today I found that when accessing cdnjs, the server will respond 404 or the response header will lack access-control-allow-origin: * header. For example, my web app just made a request to https://cdnjs.cloudflare.com/ajax/libs/spin.js/2.3.2/spin.min.js, then get the response header under:
Since it lacks access-control-allow-origin: * header, the script is not loaded and my web app is broken.
Problematic files are quite random, when I access the same file in a different time it's sometimes good and sometimes bad. Also, it seems like depending on client's network, the frequency also differs.
On my mobile network this issue never happens, but in my company, it happens frequently, and in a VM it's 100%. (Always some URLs are broken)
Is there some maintenance or server issue affecting particular routes or? Thank you very much!
Add [email protected] w/ npm auto-update
Pull request for issue: # Related issue(s): # #
Checklist for Pull request or lib adding request issue follows the conventions.
Note that if you are using a distribution purpose repository/package, please also provide the url and other related info like popularity of the source code repo/package.
Profile of the lib
Essential checklist
Auto-update checklist
Git commit checklist
No more manual pull request for lib updating
Hey guys,
We are going to try to switch the project to be fully automated. This will take a bit of time and will be a bit rocky at the beginning but will save everybody's time.
We currently have two auto update systems, the old one which uses NPM and will remain active until we transfer it. And a new one that uses git tags. The new one is what we will use by default but it doesn't support NPM just yet so we can only add new auto update scripts for git. We can also add the old style NPM ones; I will just transfer them at a later date.
During this process, I think it's best if only I merge PRs to make sure we don't cause too many problems at once. I still need to write up documentation. So from this point on don't merge any new libraries into cdnjs. @drewfreyling @PeterDaveHello @ryankirkman
Update Amcharts auto-update config and meta data
git repo url: https://github.com/amcharts/amcharts3 Watch 4 Star 7 Fork 3 @Amomo could u help me check this PR for #5337 ? thank you!
Add [email protected] w/ npm auto-update
Pull request for issue: #10184 Related issue(s): # #
[Request] Add videojs-markers
Library name: videojs-markers Git repository url: https://github.com/spchuang/videojs-markers License(s): MIT Official homepage: http://sampingchuang.com/videojs-markers
In this issue, we are going to host a new web front-end library on cdnjs, so that web developers can easily use it on our free CDN without additional download/upload process 🚀 .
If you'd like to work locally, I'll suggest you start with sparseCheckout: https://github.com/cdnjs/cdnjs/blob/master/documents/sparseCheckout.md, since there are too many files in this repo, without sparseCheckout, the whole process will be super slow, using git command line can learn more skills and experience, if you don't like that, instead, you can also just do it on GitHub, it's more convenient, but it may be a little bit harder to fix problems on GitHub GUI.
Here are the docs about how to add a library:
We'll also ask to setup auto-update config so that the added libraries can be updated to the latest version easily:
For beginners who are interested in joining and helping add this library, please feel free to tell me what kind of help you'll need, we'll help you send the valid pull request, thanks 😄 .
Add missing license field in libs' package.json
cc #5194, https://github.com/cdnjs/new-website/issues/66
Should take care of the libs with multiple licenses, especially the libs that have a commercial license.
Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.
Add [email protected] w/ git auto-update
cc #10036, cc @6pac , @mleibman @kennynaoh please help me review this PR, thank you.
Pull request for issue: #10036 Related issue(s): # #
[New] Manually add timbre w/ npm auto-update
git repo url: https://github.com/mohayonao/timbre.js Watch 59 Star 611 Fork 50 @Piicksarn could u help me check this PR for #6110 ? thank you!
Add jsrsasign js files for old versions and change to use git auto-update
@cdnjs/intern2 Please help me review this PR, thanks!
Pull request for issue: #10881 It's a high priority issue.
[Solved] Frequent "Waiting for cdnjs.org" with Chrome
Over the past several days I have noticed some pretty lengthy delays waiting for the server at cdnjs.org to respond to whatever request has been sent from Chrome and Chromium browsers. There appear to be no such delays with Opera or Firefox. I don't know if this is an issue with the cdnjs servers or with the Chrome code. If I can provide any additional information please let me know.
Chromium: Version 41.0.2272.76 Built on Ubuntu 14.04, running on LinuxMint 17.1 (64-bit)
SRI hash for ipaddr.js does not match
I'm seeing some quite odd behaviour with the ipaddr.js library:
Firstly, here is the correct SRI hash for [email protected]. I've crosschecked this between the original file in the source project, the file served by cdnjs, and the same file served by another CDN and they all match.
When I go to the library's page on the cdnjs website, the "Copy SRI Hash" and "Copy Script Tag" buttons both provide this hash:
I have also just confirmed this behaviour via a VPN to the UK, so it doesn't seem to just be a cached invalid value in my local CF edge.
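The cross-check described in this issue can be reproduced offline. The following is an added example, not part of the original issue or of cdnjs's code: it builds integrity tokens, parses an integrity attribute, and applies the strongest-algorithm rule browsers use. The file bytes and the "published" value are constructed stand-ins, and the function names are hypothetical.

```javascript
// Added example; all file contents below are constructed, not real library bytes.
const { createHash } = require('node:crypto');

const RANK = { sha256: 1, sha384: 2, sha512: 3 };

// Build an integrity token ("<algo>-<base64 digest>") for raw file bytes.
function sriFor(bytes, algo = 'sha512') {
  return `${algo}-${createHash(algo).update(bytes).digest('base64')}`;
}

// Split an integrity attribute into tokens, dropping unsupported or malformed ones.
function parseIntegrity(attr) {
  return attr.trim().split(/\s+/).flatMap((tok) => {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(\?.*)?$/.exec(tok);
    return m ? [{ algo: m[1], digest: m[2] }] : [];
  });
}

// Browser-style check: only tokens of the strongest algorithm present are considered.
function verify(bytes, attr) {
  const entries = parseIntegrity(attr);
  if (entries.length === 0) return { enforced: false, ok: true };
  const best = entries.reduce((a, b) => (RANK[b.algo] > RANK[a.algo] ? b : a)).algo;
  const actual = sriFor(bytes, best).slice(best.length + 1);
  const ok = entries.some((e) => e.algo === best && e.digest === actual);
  return { enforced: true, ok, algo: best, actual: `${best}-${actual}` };
}

// Cross-check copies of one file from several sources against a published value.
function crossCheck(sources, published) {
  const hashes = Object.fromEntries(
    Object.entries(sources).map(([name, bytes]) => [name, sriFor(bytes)]));
  const sourcesAgree = new Set(Object.values(hashes)).size === 1;
  const mismatched = Object.keys(sources).filter((n) => !verify(sources[n], published).ok);
  return { sourcesAgree, mismatched, hashes };
}

const file = Buffer.from('/* constructed sample library */\n');
const report = crossCheck(
  { upstream: file, cdnjs: file, otherCdn: file },
  sriFor(Buffer.from('/* different bytes */\n'))); // stands in for a stale published hash
console.log(report.sourcesAgree, report.mismatched);
```

When every source agrees but all of them fail against the published value, the served file is intact and the published metadata is what needs correcting.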
Suggestion: Weekly/Monthly/Yearly Hits
Hey, @cdnjs team. I have a suggestion regarding hits. We can have an item in the API response JSON regarding hits. jsDelivr also provides an API and it is widely used for badges like
. Likewise, if cdnjs.com also has a similar API it would be really useful
Allow modules and other attributes in script tags when copied
If someone wants to put a module on CDNJS, then currently when clicking "Copy script tag" it turns out something like this:
what if in the json files describing the file, we could also add other attributes, e.g.
Now clicking "copy script tag" would do this for the file in question:
(oh, and of course only certain attributes would be whitelisted, so that people can't do onerror, or onload)
Prevent path traversal to allow Content Security Policy specificity
We would like to use cdnjs.com for serving our assets, and we would like to use a Content Security Policy (CSP) as part of our security strategy to limit access to only libraries we want, e.g. React and not those we don't that can be used to bypass CSP and run an exploit like Angular.
E.g.
script-src: https://cdnjs.cloudflare.com/ajax/libs/react/
would allow React to be loaded.
Our pentester has pointed out that if our CSP contains a path like:
https://cdnjs.cloudflare.com/ajax/libs/react/
then while in theory you couldn't load Angular, you can because you can use ..%2F like this:
https://cdnjs.cloudflare.com/ajax/libs/react/a/..%2F..%2Fangular.js/1.8.0/angular.js
Can a change be made to prevent path traversal to allow our CSP to block to work?
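The mismatch reported above comes from the browser and the origin normalising the same path differently. The following is an added example, not part of the original issue or of cdnjs's code: an audit check that compares the path CSP sees with the path the origin would resolve. It assumes the origin percent-decodes once before resolving dot segments and uses a simplified prefix match; the function names and the react/x.y.z URL in the note are constructed.

```javascript
// Added example; URLs other than the one quoted in the issue are constructed.
// What the browser hands to CSP: literal "../" is resolved, "..%2F" is not.
function browserPath(url) {
  return new URL(url).pathname;
}

// Assumed origin behaviour: percent-decode once, then resolve dot segments.
function originPath(url) {
  let decoded;
  try {
    decoded = decodeURIComponent(browserPath(url));
  } catch {
    return null; // malformed escape: treat as unresolvable
  }
  const out = [];
  for (const seg of decoded.split('/')) {
    if (seg === '..') out.pop();
    else if (seg !== '' && seg !== '.') out.push(seg);
  }
  return '/' + out.join('/');
}

// Simplified CSP path-prefix match for a source expression ending in "/".
function cspAllows(source, url) {
  const s = new URL(source);
  const u = new URL(url);
  return s.origin === u.origin && u.pathname.startsWith(s.pathname);
}

// Flag URLs the policy admits but which resolve outside the allowed prefix.
function audit(source, url) {
  const allowed = cspAllows(source, url);
  const served = originPath(url);
  const inside = served !== null && (served + '/').startsWith(new URL(source).pathname);
  return { allowed, served, escapes: allowed && !inside };
}

const SOURCE = 'https://cdnjs.cloudflare.com/ajax/libs/react/';
const reported = audit(SOURCE,
  'https://cdnjs.cloudflare.com/ajax/libs/react/a/..%2F..%2Fangular.js/1.8.0/angular.js');
console.log(reported); // allowed by the prefix, yet served from outside it
```

A URL such as https://cdnjs.cloudflare.com/ajax/libs/react/x.y.z/react.min.js returns escapes: false, so the same check can be run over request logs or used as the condition for an edge rule that rejects encoded slashes.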
custom-elements-builder missing latest version
package.json and api worker say the latest version is 1.0.4. This version does not exist on disk or in cdnjs/cdnjs.
Maybe we should manually correct to the latest version we have on disk and in the repo here (0.3.4). The version 1.0.4 exists, but we do not have it.
Add Enforce-CT header
I noticed you are moving to HSTS and even submitted yourself for the browser preload list and thought I would suggest adding key pinning as well.
There are ~1.5K entities that can issue an HTTPS certificate for any website and even Comodo was hacked by a script kiddie. Certificate authorities issue certs based on the ability to receive an email, create a DNS record, or embed some HTML in a page ... so you also have to trust every network operator for every certificate authority.
Key pinning (ala HPKP) mitigates the issue by binding trust to a specific key. There is also an HPKP browser preload list. Cloudflare appears to have HPKP turned on for their main site, but not for their API servers....