
Document versioned widget URL and SRI hashes for secure embedding #268

@VisLab

Problem

When embedding osa-chat-widget.js, the documented URL is:

<script src="https://osa-demo.pages.dev/osa-chat-widget.js" crossorigin="anonymous" ...></script>

This URL has two security problems for production embedders:

  1. No version pin — the file can change at any time without the embedder's knowledge, silently shipping new code into their site.
  2. No SRI hash — without an integrity= attribute, browsers cannot verify the script hasn't been tampered with or replaced (supply-chain attack).

GitHub is becoming more aggressive/proactive about using security hashes.

What we found:

The widget file is available via jsDelivr using the git tag, which does give a stable versioned URL:

https://cdn.jsdelivr.net/gh/OpenScience-Collective/osa@v0.8.1/frontend/osa-chat-widget.js

This lets embedders pin to a release and add a proper SRI hash:

<script src="https://cdn.jsdelivr.net/gh/OpenScience-Collective/osa@v0.8.1/frontend/osa-chat-widget.js"
        integrity="sha384-Q4cfPF5pAgQiTVq0eej4ljCdD5HQJKJUVHJk/FLyVIr6gwvP1Wex8FQ3kji5bLtk"
        crossorigin="anonymous"
        defer></script>

Request/Solution

Please consider one or more of the following:

  1. Document the jsDelivr versioned URL as the recommended embedding approach in the README or widget docs.
  2. Publish the SRI hash for each release in the release notes (it can be generated with python -c "import urllib.request,hashlib,base64; c=urllib.request.urlopen('URL').read(); print('sha384-'+base64.b64encode(hashlib.sha384(c).digest()).decode())").
  3. Serve a versioned path from your own CDN — e.g. osa-demo.pages.dev/v0.8.1/osa-chat-widget.js — so embedders don't have to depend on jsDelivr.

This is particularly relevant for projects that follow supply-chain security policies (e.g., OWASP, GitHub's hardened runner guidance).
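The following is an added worked example, not code from this issue or from the osa project. It generalises the one-liner in point 2 of the request: it computes an SRI token for the exact bytes that will be served, renders the pinned script tag, and reproduces the browser's matching rule (use the strongest listed algorithm, accept if any token for it matches) so a release pipeline can check a published hash against the CDN copy before and after publishing. The widget bytes below are constructed sample data, so the resulting hash is not the one quoted in the issue; the jsDelivr URL is taken from the issue text.

```python
import base64
import hashlib

# Hash functions the SRI spec recognises, weakest to strongest.
# Browsers ignore tokens that use any other algorithm.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")

# Constructed stand-in for the widget bytes; the real file is the CDN copy.
SAMPLE_WIDGET_JS = b'(function(){console.log("osa chat widget v0.8.1 (sample)");})();\n'

# URL from the issue; the hash below is computed from SAMPLE_WIDGET_JS, not the real file.
PINNED_URL = "https://cdn.jsdelivr.net/gh/OpenScience-Collective/osa@v0.8.1/frontend/osa-chat-widget.js"


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Return the integrity token ("sha384-<base64 digest>") for the exact bytes served.

    Equivalent to the issue's python -c one-liner, but usable for any of the
    three allowed algorithms and for bytes already on disk or in memory.
    """
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def build_script_tag(url: str, content: bytes, algorithm: str = "sha384") -> str:
    """Render the pinned, SRI-protected <script> tag an embedder should paste."""
    return (
        f'<script src="{url}"\n'
        f'        integrity="{sri_hash(content, algorithm)}"\n'
        f'        crossorigin="anonymous"\n'
        f"        defer></script>"
    )


def verify_sri(content: bytes, integrity: str) -> bool:
    """Check fetched bytes against an integrity attribute the way a browser does.

    Tokens are space-separated; unknown algorithms are skipped; only the
    strongest recognised algorithm is consulted, and any matching token for
    it is enough. Unlike a browser (which loads the resource when no usable
    token is present), this returns False in that case, which is the stricter
    choice for a release check.
    """
    candidates: dict[str, set[str]] = {}
    for token in integrity.split():
        algorithm, sep, expected = token.partition("-")
        if not sep or algorithm not in SRI_ALGORITHMS:
            continue
        # The spec allows trailing "?options"; they never affect matching.
        candidates.setdefault(algorithm, set()).add(expected.split("?", 1)[0])
    if not candidates:
        return False
    strongest = max(candidates, key=SRI_ALGORITHMS.index)
    actual = sri_hash(content, strongest).partition("-")[2]
    return actual in candidates[strongest]


if __name__ == "__main__":
    tag = build_script_tag(PINNED_URL, SAMPLE_WIDGET_JS)
    print(tag)
    token = sri_hash(SAMPLE_WIDGET_JS)
    print("unchanged file verifies:", verify_sri(SAMPLE_WIDGET_JS, token))
    # A single appended byte (what a silent CDN change or tampering looks like) must fail.
    print("modified file verifies:", verify_sri(SAMPLE_WIDGET_JS + b"//\n", token))
```

For a real release, replace SAMPLE_WIDGET_JS with the bytes downloaded from the versioned URL after the tag is pushed, and publish the resulting token in the release notes; re-running verify_sri against a later download of the same URL detects any change to the served file, which is exactly what an unpinned URL cannot give you.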
