CheckTick self-hosts critical frontend libraries and enforces Subresource Integrity (SRI).
## Why self-host?
- Security: SRI hashes verify file integrity and mitigate CDN compromise risk.
- Privacy: no third-party CDN tracking.
- Reliability: no runtime dependency on external CDN availability.
- Performance: same-origin serving can reduce connection overhead.
## Single source of truth

CDN asset metadata is maintained in `checktick_app/cdn_assets.json`.
This includes each asset's:
- package name
- pinned version
- static target file path
- source path inside the npm package
- SRI hash
Templates read SRI values from this manifest via template context (`cdn_assets.*.sri`), so hashes are no longer duplicated in template files.
## Libraries

| Library | Version | File | Purpose |
|---|---|---|---|
| HTMX | 2.0.10 | `checktick_app/static/js/htmx.min.js` | Dynamic HTML updates without JavaScript |
| SortableJS | 1.15.7 | `checktick_app/static/js/sortable.min.js` | Drag-and-drop reordering |
| axe-core | 4.12.1 | `checktick_app/static/js/axe-core.min.js` | WCAG accessibility testing |
| ReDoc | 2.5.3 | `checktick_app/static/js/redoc.standalone.min.js` | OpenAPI interactive documentation |
| NHS Frontend | 8.1.0 | `checktick_app/static/css/nhsuk-frontend.min.css` | NHS design system styling |
## SRI hashes

Current SHA-384 SRI values:

- HTMX 2.0.10: `sha384-q2oWHKMnJry5BOtYUZkXcyieUmqzXIjdmKDYicmMspegPENZr4UrGc656JYEgJoo`
- SortableJS 1.15.7: `sha384-pAVIuzMQbJcj7JX9XYTtp8sSNh3OvFXn0g9ldX+lANHPoXFdYVKw/2G1gS/eU62A`
- axe-core 4.12.1: `sha384-BdMxweAM6a5IkRxVOGXhKT5nagnyiRc1i78hWgYKq7oOcHRcKBNtbeufhvCSqldt`
- ReDoc 2.5.3: `sha384-wGl2vRYcqJBa50CzY6euuShOQuBMr6jGCJwEZd2GpPR6Ht+9GDtNpAPpA5QAr7GJ`
- NHS Frontend 8.1.0: `sha384-IDDaUjZThM1cVGH55y4Yzz7YTgr55yuHEQYOnf3Hx0jpArWS5CgFIKTnSl6CHKbx`

The two sections above are generated from `checktick_app/cdn_assets.json` by `s/sync-cdn-docs`.
## Automation

### Workflow

| Workflow | File | Schedule |
|---|---|---|
| CDN libraries check | `.github/workflows/update-cdn-libraries.yml` | Monday 9:30am UTC |
### Updater scripts

- `s/update-cdn-assets`: update one asset from npm, refresh the manifest SRI/version, sync docs, append a compliance log entry.
- `s/sync-cdn-docs`: regenerate the docs sections from the manifest only.
## Manual update process

Preferred path:

```bash
s/update-cdn-assets
```

Useful modes:

```bash
# preview only
s/update-cdn-assets --dry-run

# non-interactive update of a specific asset
s/update-cdn-assets --yes --key axe_core

# sync docs from manifest without changing assets
python3 s/sync-cdn-docs
```
## Upgrading versions

When upgrading a CDN library:

- Update from one place: use `s/update-cdn-assets` (or edit `checktick_app/cdn_assets.json` directly if needed).
- Sync generated docs: `python3 s/sync-cdn-docs` (automatically run by `s/update-cdn-assets`).
- Record a compliance entry:
  - security/CVE-driven: `docs/compliance/vulnerability-patch-log.md`
  - routine non-security maintenance: `docs/compliance/infrastructure-technical-change-log.md`

Then run validation (`s/test --no-a11y`) before opening a PR.
## Troubleshooting

### SRI mismatch

If a library fails to load due to an SRI mismatch:

- Re-download via `npm pack` (or rerun `s/update-cdn-assets`).
- Recompute/update the hash in `checktick_app/cdn_assets.json`.
- Sync docs with `python3 s/sync-cdn-docs`.
- Clear the browser cache and re-test.
### CDN unavailable
Because assets are self-hosted, runtime app availability is unaffected by CDN outages.
## CDN sources
| Library | Primary source | Alternative |
|---|---|---|
| HTMX | unpkg.com | jsdelivr.net |
| SortableJS | jsdelivr.net | unpkg.com |
| axe-core | cdnjs.cloudflare.com | unpkg.com |
| ReDoc | npm registry (redoc) | cdn.redoc.ly |
| NHS Frontend | jsdelivr.net | unpkg.com |