Hello, from today I found that when accessing cdnjs, the server will respond 404 or the response header will lack access-control-allow-origin: * header. For example, my web app just made a request to https://cdnjs.cloudflare.com/ajax/libs/spin.js/2.3.2/spin.min.js, then get the response header under:

cache-control    public, max-age=14400
cf-cache-status    HIT
cf-ray    48d1a6325e2245ae-TPE
content-encoding    br
content-type    text/html
date    Sat, 22 Dec 2018 09:44:19 GMT
expect-ct    max-age=604800, report-uri="ht….com/cdn-cgi/beacon/expect-ct"
expires    Sat, 22 Dec 2018 13:44:19 GMT
served-in-seconds    0.000
server    cloudflare
strict-transport-security    max-age=15780000; includeSubDomains
vary    Accept-Encoding
X-Firefox-Spdy    h2

Since it lacks access-control-allow-origin: * header, the script is not loaded and my web app is broken.

Problematic files are quite random, when I access the same file in a different time it's sometimes good and sometimes bad. Also, it seems like depending on client's network, the frequency also differs.

On my mobile network this issue never happens, but in my company, it happens frequently, and in a VM it's 100%. (Always some URLs are broken)

Is there some maintenance or server issue affecting particular routes or? Thank you very much!

Pull request for issue: # Related issue(s): # #

Checklist for Pull request or lib adding request issue follows the conventions.

Note that if you are using a distribution purpose repository/package, please also provide the url and other related info like popularity of the source code repo/package.

Profile of the lib

• Git repository (required):https://github.com/brianreavis/microplugin.js
• Official website (optional, not the repository):
• NPM package url (optional):https://www.npmjs.com/package/microplugin
• License and its reference:
• GitHub / Bitbucket popularity (required):
  • Count of watchers:
  • Count of stars:
  • Count of forks:
• NPM download stats (optional):
  • Downloads in the last day:
  • Downloads in the last week:
  • Downloads in the last month:

Essential checklist

• [ ] I'm the author of this library
  • [ ] I would like to add link to the page of this library on CDNJS on website / readme
• [x] This lib was not found on cdnjs repo
• [x] No already exist / duplicated issue and PR
• [x] The lib has notable popularity
  • [x] More than 100 [Stars / Watchers / Forks] on [GitHub / Bitbucket]
  • [x] More than 500 downloads stats per month on npm registry
• [x] Project has public repository on famous online hosting platform (or been hosted on npm)

Auto-update checklist

• [x] Has valid tags for each versions (for git auto-update)
• [x] Auto-update setup
• [x] Auto-update target/source is valid.
• [x] Auto-update filemap is correct.

Git commit checklist

• [x] The first line of commit message is less then 50 chars, be clean and clear, easy to understand.
• [ ] The parent of the commit(s) in the PR is not old than 3 days.
• [x] Pull request is sending from a non-master branch with meaningful name.
• [x] Separate unrelated changes into different commits.
• [ ] Use rebase to squash/fixup dummy/unnecessary commits into only one commit.
• [x] Close corresponding issue in commit message
• [x] Mention related issue(s), people in commit message, comment.

Hey guys,

We are going to try switch the project to be fully automated. This will take a bit of time and will be a bit rocky at the beginning but will save every bodies time.

We currently have two auto update systems, the old one which uses NPM and will remain active until we transfer it. And a new one that uses git tags. The new one is what we will use by default but it doesn't support NPM just yet so we can only add new auto update scripts for git. We can also add the old style NPM ones I will just transfer them at a later date.

  "autoupdate": {
    "source": "git",
    "target": "git://github.com/jashkenas/underscore.git",
    "basePath": "",
    "files": [
      "underscore-min.js",
      "underscore-min.map",
      "underscore.js"
    ]
  },

During this process, I think it's best if only I merge PR's to make sure we don't cause too many problems at once. I still need to write up documentation. So from this point on don't merge any new libraries into cdnjs. @drewfreyling @PeterDaveHello @ryankirkman

git repo url: https://github.com/amcharts/amcharts3 Watch 4 Star 7 Fork 3 @Amomo could u help me check this PR for #5337 ? thank you!

• [ ] Not found on cdnjs repo
• [x] No already exist issue and PR
• [ ] Notable popularity
• [x] Project has public repository on famous online hosting platform (or been hosted on npm)
• [x] Has valid tags for each versions (for git auto-update)
• [x] Auto-update setup
• [x] Auto-update target/source is valid.
• [x] Auto-update filemap is correct

Pull request for issue: #10184 Related issue(s): # #

Checklist for Pull request or lib adding request issue follows the conventions.

Note that if you are using a distribution purpose repository/package, please also provide the url and other related info like popularity of the source code repo/package.

Profile of the lib

• Git repository (required): https://github.com/sagalbot/vue-select
• Official website (optional, not the repository): https://sagalbot.github.io/vue-select/
• NPM package url (optional): https://www.npmjs.com/package/vue-select
• License and its reference: MIT https://github.com/sagalbot/vue-select/blob/master/LICENSE.md
• GitHub / Bitbucket popularity (required):
  • Count of watchers: 28
  • Count of stars: 682
  • Count of forks: 69
• NPM download stats (optional):
  • Downloads in the last day: 37
  • Downloads in the last week: 253
  • Downloads in the last month: 956

Essential checklist

• [ ] I'm the author of this library
  • [ ] I would like to add link to the page of this library on CDNJS on website / readme
• [x] This lib was not found on cdnjs repo
• [x] No already exist / duplicated issue and PR
• [x] The lib has notable popularity
  • [x] More than 100 [Stars / Watchers / Forks] on [GitHub / Bitbucket]
  • [x] More than 500 downloads stats per month on npm registry
• [ ] Project has public repository on famous online hosting platform (or been hosted on npm)

Auto-update checklist

• [x] Has valid tags for each versions (for git auto-update)
• [x] Auto-update setup
• [x] Auto-update target/source is valid.
• [x] Auto-update filemap is correct.

Git commit checklist

• [x] The first line of commit message is less then 50 chars, be clean and clear, easy to understand.
• [x] The parent of the commit(s) in the PR is not old than 3 days.
• [x] Pull request is sending from a non-master branch with meaningful name.
• [x] Separate unrelated changes into different commits.
• [x] Use rebase to squash/fixup dummy/unnecessary commits into only one commit.
• [x] Close corresponding issue in commit message
• [x] Mention related issue(s), people in commit message, comment.

Library name: videojs-markers Git repository url: https://github.com/spchuang/videojs-markers License(s): MIT Official homepage: http://sampingchuang.com/videojs-markers

In this issue, we are going to host a new web front-end library on cdnjs, so that web developer can easily use it on our free CDN without additional download/upload process 🚀 .

If you'll like to work locally, I'll suggest you start with sparseCheckout: https://github.com/cdnjs/cdnjs/blob/master/documents/sparseCheckout.md, since there are too many files in this repo, without sparseCheckout, the whole process will be super slow, using git command line can learn more skills and experience, if you don't like that, instead, you can also just do it on GitHub, it's more convenient, but it may be a little bit harder to fix problems on GitHub gui.

Here are the docs about how to add a library:

• https://github.com/cdnjs/cdnjs#adding-a-new-or-updating-an-existing-library
• https://github.com/cdnjs/cdnjs/blob/master/.github/CONTRIBUTING.md#d-adding-a-new-library

We'll also ask to setup auto-update config so that the added libraries can be updated to the latest version easily:

• https://github.com/cdnjs/cdnjs/blob/master/documents/autoupdate.md

For beginners who is interested in join and help add this library, please feel free to tell me what kind of help you'll need, we'll help you send the valid pull request, thanks 😄 .

cc #5194, https://github.com/cdnjs/new-website/issues/66

Should be care of the libs with multiple licenses, especially the libs have commercial license.

• [ ] 1140
• [x] across-tabs
• [ ] animations
• [ ] boexfi
• [x] browser-logos
• [ ] chrome-frame
• [x] cryptico
• [x] davis.js
• [x] DinaKit
• [x] documentup
• [x] entypo
• [x] expect.js
• [x] flipCounter
• [x] foundicons
• [x] galleriffic
• [x] gsap
• [ ] jcalculator
• [x] jquery-hashchange
• [x] jquery-outside-events
• [x] jquery-parallax
• [x] jquery-sparklines
• [x] jquery-tools
• [x] jquery.activity-indicator
• [x] jquery.formalize
• [x] jquery.lifestream
• [x] jquery.percentageloader
• [x] jquery.postcodify
• [x] jquery.selectboxit
• [x] jquery.socialshareprivacy
• [x] jquery.tiptip
• [x] json2
• [x] legojs
• [x] linq.js
• [x] log4javascript
• [ ] luminateExtend
• [x] meyer-reset
• [ ] mojio-js
• [x] openajax-hub
• [x] PKI.js
• [x] polyglot
• [x] prettydiff
• [ ] probtn
• [x] prototype
• [x] protovis
• [x] react-chartjs-2
• [x] repo.js
• [x] require-cs
• [x] require-jquery
• [x] roundabout
• [x] salesforce-canvas
• [x] script.js
• [x] simplecartjs
• [x] skel-layers
• [x] skycons
• [x] slabText
• [x] thorax
• [x] Vague.js
• [ ] webicons

cc #10036, cc @6pac , @mleibman @kennynaoh please help me review this PR, thank you.

Pull request for issue: #10036 Related issue(s): # #

Checklist for Pull request or lib adding request issue follows the conventions.

Note that if you are using a distribution purpose repository/package, please also provide the url and other related info like popularity of the source code repo/package.

Profile of the lib

• Git repository (required): https://github.com/6pac/SlickGrid
• Official website (optional, not the repository): http://wiki.github.com/6pac/SlickGrid
• NPM package url (optional): https://www.npmjs.com/package/slickgrid
• License and its reference: MIT
• GitHub / Bitbucket popularity (required):
  • Count of watchers: 61
  • Count of stars: 382
  • Count of forks: 2011
• NPM download stats (optional):
  • Downloads in the last day: 98
  • Downloads in the last week: 404
  • Downloads in the last month: 1579

Essential checklist

• [ ] I'm the author of this library
  • [ ] I would like to add link to the page of this library on CDNJS on website / readme
• [x] This lib was not found on cdnjs repo
• [x] No already exist / duplicated issue and PR
• [x] The lib has notable popularity
  • [x] More than 100 [Stars / Watchers / Forks] on [GitHub / Bitbucket]
  • [x] More than 500 downloads stats per month on npm registry
• [ ] Project has public repository on famous online hosting platform (or been hosted on npm)

Auto-update checklist

• [x] Has valid tags for each versions (for git auto-update)
• [x] Auto-update setup
• [x] Auto-update target/source is valid.
• [x] Auto-update filemap is correct.

Git commit checklist

• [x] The first line of commit message is less then 50 chars, be clean and clear, easy to understand.
• [x] The parent of the commit(s) in the PR is not old than 3 days.
• [x] Pull request is sending from a non-master branch with meaningful name.
• [x] Separate unrelated changes into different commits.
• [x] Use rebase to squash/fixup dummy/unnecessary commits into only one commit.
• [x] Close corresponding issue in commit message
• [x] Mention related issue(s), people in commit message, comment.

git repo url: https://github.com/mohayonao/timbre.js Watch 59 Star 611 Fork 50 @Piicksarn could u help me check this PR for #6110 ? thank you!

• [x] Not found on cdnjs repo
• [x] No already exist issue and PR
• [x] Notable popularity
• [x] Project has public repository on famous online hosting platform (or been hosted on npm)
• [x] Has valid tags for each versions (for git auto-update)
• [x] Auto-update setup
• [x] Auto-update target/source is valid.
• [x] Auto-update filemap is correct

@cdnjs/intern2 Please help me review this PR, thanks!

Pull request for issue: #10881 It's a high priority issue.

• Git repository (required): https://github.com/kjur/jsrsasign
• NPM package url (optional): https://www.npmjs.com/package/jsrsasign
• GitHub / Bitbucket popularity (required): Watch 69 Star 989 Fork 185
• NPM download stats (optional): 3,948 downloads in the last day 20,858 downloads in the last week 95,937 downloads in the last month

Over the past several days I have noticed some pretty lengthy delays waiting for the server at cdnjs.org to respond to whatever request has been sent from Chrome and Chromium browsers. There appear to be no such delays with Opera or Firefox. I don't know if this is an issue with the cdnjs servers or with the Chrome code. If I can provide any additional information please let me know.

Chromium: Version 41.0.2272.76 Built on Ubuntu 14.04, running on LinuxMint 17.1 (64-bit)

I'm seeing some quite odd behaviour with the ipaddr.js library:

Firstly, here is the correct SRI hash for [email protected]. I've crosschecked this between the original file in the source project, the file served by cdnjs, and the same file served by another CDN and they all match.

sha512-HLkOIPULXMWy1Z/SOoR5PWofAu7iM5OwJqMMkCiqGR+wijlXbRj+D3jeBTK6XjyO43vWvBVgQyFyhCDi+Pztdg==

When I go to the library's page on the cdnjs website, the "Copy SRI Hash" and "Copy Script Tag" buttons both provide this hash:

sha512-GcJ0uemx9BQwsZusgXAGzw6/BDAkqt0EUbtq8QAtTuDlAa3AVQ0zb+Zg9xqY4yXP47CHBv2pO1V0D78gtWYNgw==

I have also just confirmed this behaviour via a VPN to the UK, so it doesn't seem to just be a cached invalid value in my local CF edge.

Hey, @cdnjs team. I have a suggesting regarding hits. We can have a item in the api response json regarding hits. JsDelivr also provides an api and It is widely used for badges like . Likewise If cdnjs.com also has a similar api it would be really useful

If someone wants to put a module on CDNJS, then currently when clicking "Copy script tag" it turns out something like this:

<script src="https://cdnjs_url_here"></script>

what if in the json files describing the file, we could also add other attributes, e.g.

//Other JSON stuff here
"filemap": [
  {
      //I forgot how the proper way is to add files to CDNJS that should be tracked, sorry!
      // normal stuff here, like file location and stuff
      "attributes": {
            "type": "module",
            "async": "true",
            "defer": "true",
      }
  }
]
//More JSON stuff

Now clicking "copy script tag" would do this for the file in question:

<script src="https://cdnjs_url_here" async defer type="module"></script>

(oh, and of course only certain attributes would be whitelisted, so that people can't do onerror, or onload)

We would like to use cdnjs.com for serving our assets, and we would like to use a Content Security Policy (CSP) as part of our security strategy to limit access to only libraries we want, e.g. React and not those we don't that can be used to bypass CSP and run an exploit like Angular.

E.g. script-src: https://cdnjs.cloudflare.com/ajax/libs/react/ would allow React to be loaded.

Our pentester has pointed out that if our CSP contains a path like: https://cdnjs.cloudflare.com/ajax/libs/react/, then while in theory you couldn't load Angular, you can because you can use ..%2F like this:

https://cdnjs.cloudflare.com/ajax/libs/react/a/..%2F..%2Fangular.js/1.8.0/angular.js

Can a change be made to prevent path traversal to allow our CSP to block to work?

package.json and api worker say the latest version is 1.0.4. This version does not exist on disk or in cdnjs/cdnjs.

Maybe we should manually correct to the latest version we have on disk and in the repo here (0.3.4). The version 1.0.4 exists, but we do not have it.

I noticed you are moving to HSTS and even submitted yourself for the browser preload list and thought I would suggest adding key pinning as well.

There are ~1.5K entities that can issue an HTTPS certificate for any website and even Comodo was hacked by a script kiddie. Certificate authorities issue certs based on the ability to receive an email, create a DNS record, or embed some HTML in a page ... so you also have to trust every network operator for every certificate authority.

Key pinning (ala HPKP) mitigates the issue by binding trust to a specific key. There is also an HPKP browser preload list. Cloudflare appears to have HPKP turned on for their main site, but not for their API servers....