From bcc4b30f1b2d82670071388e127d9e69ab27480b Mon Sep 17 00:00:00 2001
From: Mark Larah <mark@larah.me>
Date: Tue, 9 Sep 2025 11:52:21 +0200
Subject: [PATCH 1/7] Update index.html to include integrity hashes

---
 examples/graphiql-cdn/index.html | 34 ++++++++++++++++++++++----------
 1 file changed, 24 insertions(+), 10 deletions(-)

diff --git a/examples/graphiql-cdn/index.html b/examples/graphiql-cdn/index.html
index 1fb5b7cef3..42325f7171 100644
--- a/examples/graphiql-cdn/index.html
+++ b/examples/graphiql-cdn/index.html
@@ -28,10 +28,17 @@
         font-size: 4rem;
       }
     </style>
-    <link rel="stylesheet" href="https://esm.sh/graphiql/dist/style.css" />
     <link
       rel="stylesheet"
-      href="https://esm.sh/@graphiql/plugin-explorer/dist/style.css"
+      href="https://esm.sh/graphiql@5.2.0/dist/style.css"
+      integrity="sha384-f6GHLfCwoa4MFYUMd3rieGOsIVAte/evKbJhMigNdzUf52U9bV2JQBMQLke0ua+2"
+      crossorigin="anonymous"
+    />
+    <link
+      rel="stylesheet"
+      href="https://esm.sh/@graphiql/plugin-explorer@5.1.1/dist/style.css"
+      integrity="sha384-vTFGj0krVqwFXLB7kq/VHR0/j2+cCT/B63rge2mULaqnib2OX7DVLUVksTlqvMab"
+      crossorigin="anonymous"
     />
     <!--
      * Note:
@@ -43,18 +50,25 @@
         "imports": {
           "react": "https://esm.sh/react@19.1.0",
           "react/": "https://esm.sh/react@19.1.0/",
-
           "react-dom": "https://esm.sh/react-dom@19.1.0",
           "react-dom/": "https://esm.sh/react-dom@19.1.0/",
-
-          "graphiql": "https://esm.sh/graphiql?standalone&external=react,react-dom,@graphiql/react,graphql",
-          "graphiql/": "https://esm.sh/graphiql/",
-          "@graphiql/plugin-explorer": "https://esm.sh/@graphiql/plugin-explorer?standalone&external=react,@graphiql/react,graphql",
-          "@graphiql/react": "https://esm.sh/@graphiql/react?standalone&external=react,react-dom,graphql,@graphiql/toolkit,@emotion/is-prop-valid",
-
-          "@graphiql/toolkit": "https://esm.sh/@graphiql/toolkit?standalone&external=graphql",
+          "graphiql": "https://esm.sh/graphiql@5.2.0?standalone&external=react,react-dom,@graphiql/react,graphql",
+          "graphiql/": "https://esm.sh/graphiql@5.2.0/",
+          "@graphiql/plugin-explorer": "https://esm.sh/@graphiql/plugin-explorer@5.1.1?standalone&external=react,@graphiql/react,graphql",
+          "@graphiql/react": "https://esm.sh/@graphiql/react@0.37.1?standalone&external=react,react-dom,graphql,@graphiql/toolkit,@emotion/is-prop-valid",
+          "@graphiql/toolkit": "https://esm.sh/@graphiql/toolkit@0.11.3?standalone&external=graphql",
           "graphql": "https://esm.sh/graphql@16.11.0",
           "@emotion/is-prop-valid": "data:text/javascript,"
+        },
+        "integrity": {
+          "https://esm.sh/react@19.1.0": "sha384-C3ApUaeHIj1v0KX4cY/+K3hQZ/8HcAbbmkw1gBK8H5XN4LCEguY7+A3jga11SaHF",
+          "https://esm.sh/react-dom@19.1.0": "sha384-CKiqgCWLo5oVMbiCv36UR0pLRrzeRKhw1jFUpx0j/XdZOpZ43zOHhjf8yjLNuLEy",
+          "https://esm.sh/graphiql@5.2.0": "sha384-iJccq+zsT06wL6UQ27mjQ6OoghntU/ZdWkOmza8f/iD4hVJXQOgZeH/230Pm2y3V",
+          "https://esm.sh/graphiql@5.2.0?standalone&external=react,react-dom,@graphiql/react,graphql": "sha384-32Vv0P2Qy9UWdE0/n9/nFmGh8tM5/vMgpAarsa+UdD6So+aS6DVBQZDIjS2lU52e",
+          "https://esm.sh/@graphiql/plugin-explorer": "sha384-OLBgp1GsljhM2TJ+sbHjaiH9txEUvgdDTAzHv2P24donTt6/529l+9Ua0vFImLlb",
+          "https://esm.sh/@graphiql/react@0.37.1?standalone&external=react,react-dom,graphql,@graphiql/toolkit,@emotion/is-prop-valid": "sha384-vbrVVt6MhT20iaS0B9nwXO210Cix1sSiP+RyMEdFGEj5ZHbXJz96XxtckeWTrnkd",
+          "https://esm.sh/@graphiql/toolkit@0.11.3?standalone&external=graphql": "sha384-ZsnupyYmzpNjF1Z/81zwi4nV352n4P7vm0JOFKiYnAwVGOf9twnEMnnxmxabMBXe",
+          "https://esm.sh/graphql@16.11.0": "sha384-uhRXaGfgCFqosYlwSLNd7XpDF9kcSUycv5yVbjjhH5OrE675kd0+MNIAAaSc+1Pi"
         }
       }
     </script>

From 9c3118d4f3761e0934ee3dbbd23a256a8fc3cfb5 Mon Sep 17 00:00:00 2001
From: Mark Larah <mark@larah.me>
Date: Sun, 26 Oct 2025 21:43:06 -0500
Subject: [PATCH 2/7] create auto-updater for examples/graphiql-cdn/index.html

---
 .github/scripts/update-cdn-versions.mjs  | 93 ++++++++++++++++++++++++
 .github/workflows/update-cdn-example.yml | 61 ++++++++++++++++
 examples/graphiql-cdn/index.html         | 15 ++--
 resources/index.html.template            | 82 +++++++++++++++++++++
 4 files changed, 244 insertions(+), 7 deletions(-)
 create mode 100644 .github/scripts/update-cdn-versions.mjs
 create mode 100644 .github/workflows/update-cdn-example.yml
 create mode 100644 resources/index.html.template

diff --git a/.github/scripts/update-cdn-versions.mjs b/.github/scripts/update-cdn-versions.mjs
new file mode 100644
index 0000000000..b81e045b90
--- /dev/null
+++ b/.github/scripts/update-cdn-versions.mjs
@@ -0,0 +1,93 @@
+#!/usr/bin/env node
+
+/**
+ * Generates examples/graphiql-cdn/index.html
+ */
+
+import fs from 'node:fs';
+import path from 'node:path';
+import crypto from 'node:crypto';
+
+const PACKAGES = [
+  'react',
+  'react-dom',
+  'graphiql',
+  '@graphiql/plugin-explorer',
+  '@graphiql/react',
+  '@graphiql/toolkit',
+  'graphql',
+];
+
+async function fetchIntegrityHash(url) {
+  const response = await fetch(url, { redirect: 'follow' });
+  if (!response.ok) {
+    throw new Error(`Failed to fetch ${url}: ${response.statusText}`);
+  }
+  const content = await response.text();
+  const hash = crypto.createHash('sha384').update(content).digest('base64');
+  return [url, `sha384-${hash}`];
+}
+
+async function fetchLatestVersion(packageName) {
+  const url = `https://registry.npmjs.org/${packageName}/latest`;
+  const response = await fetch(url);
+  if (!response.ok) {
+    throw new Error(`Failed to fetch ${packageName}: ${response.statusText}`);
+  }
+  const { version } = await response.json();
+  return [packageName, version]
+}
+
+async function main () {
+  const versions = Object.fromEntries(await Promise.all(PACKAGES.map(fetchLatestVersion)));
+  const cdnUrl = packageName => `https://esm.sh/${packageName}@${versions[packageName]}`;
+
+  // JS
+  const imports = {
+    'react': cdnUrl('react'),
+    'react/': `${cdnUrl('react-dom')}/`,
+    'react-dom': cdnUrl('react-dom'),
+    'react-dom/': `${cdnUrl('react-dom')}/`,
+    'graphiql': `${cdnUrl('graphiql')}?standalone&external=react,react-dom,@graphiql/react,graphql`,
+    'graphiql/': `${cdnUrl('graphiql')}/`,
+    '@graphiql/plugin-explorer': `${cdnUrl('@graphiql/plugin-explorer')}?standalone&external=react,@graphiql/react,graphql`,
+    '@graphiql/react': `${cdnUrl('@graphiql/react')}?standalone&external=react,react-dom,graphql,@graphiql/toolkit,@emotion/is-prop-valid`,
+    '@graphiql/toolkit': `${cdnUrl('@graphiql/toolkit')}?standalone&external=graphql`,
+    'graphql': cdnUrl('graphql'),
+    '@emotion/is-prop-valid': "data:text/javascript,"
+  };
+
+  const integrity = Object.fromEntries(await Promise.all([
+    cdnUrl('react'),
+    cdnUrl('react-dom'),
+    cdnUrl('graphiql'),
+    `${cdnUrl('graphiql')}?standalone&external=react,react-dom,@graphiql/react,graphql`,
+    cdnUrl('@graphiql/plugin-explorer'),
+    `${cdnUrl('@graphiql/react')}?standalone&external=react,react-dom,graphql,@graphiql/toolkit,@emotion/is-prop-valid`,
+    `${cdnUrl('@graphiql/toolkit')}?standalone&external=graphql`,
+    cdnUrl('graphql'),
+  ].map(fetchIntegrityHash)));
+
+  const importMap = { imports, integrity };
+
+  // CSS
+  const graphiqlCss = `${cdnUrl('graphiql')}/dist/style.css`;
+  const graphiqlPluginExplorer = `${cdnUrl('@graphiql/plugin-explorer')}/dist/style.css`;
+
+  // Generate index.html
+  const templatePath = path.join(import.meta.dirname, '../../resources/index.html.template');
+  const template = fs.readFileSync(templatePath, 'utf8');
+
+  const indent = lines => lines.split('\n').map(line => `      ${line}`).join('\n');
+
+  const output = template
+    .replace('{{IMPORTMAP}}', indent(JSON.stringify(importMap, null, 2)))
+    .replace('{{GRAPHIQL_CSS_URL}}', graphiqlCss)
+    .replace('{{GRAPHIQL_CSS_INTEGRITY}}', (await fetchIntegrityHash(graphiqlCss))[1])
+    .replace('{{PLUGIN_EXPLORER_CSS_URL}}', graphiqlPluginExplorer)
+    .replace('{{PLUGIN_EXPLORER_CSS_INTEGRITY}}', (await fetchIntegrityHash(graphiqlPluginExplorer))[1]);
+
+  console.log(output);
+}
+
+main();
diff --git a/.github/workflows/update-cdn-example.yml b/.github/workflows/update-cdn-example.yml
new file mode 100644
index 0000000000..e3b5991401
--- /dev/null
+++ b/.github/workflows/update-cdn-example.yml
@@ -0,0 +1,61 @@
+name: Update CDN Example Dependencies
+
+on:
+  schedule:
+    # Run every Monday at 10:00 UTC
+    - cron: '0 10 * * 1'
+  workflow_dispatch: # Allow manual triggering
+  repository_dispatch:
+    types: [update-cdn-dependencies]
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  update-dependencies:
+    name: Check and Update CDN Dependencies
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+
+      - name: Install Dependencies
+        run: npm install -g npm-check-updates semver
+
+      - name: Check for Updates and Update index.html
+        id: update
+        run: |
+          node .github/scripts/update-cdn-versions.mjs > examples/graphiql-cdn/index.html
+
+      - name: Check for Changes
+        id: check-changes
+        run: |
+          if git diff --quiet; then
+            echo "has_changes=false" >> $GITHUB_OUTPUT
+          else
+            echo "has_changes=true" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Create Pull Request
+        if: steps.check-changes.outputs.has_changes == 'true'
+        uses: peter-evans/create-pull-request@v7
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: 'chore(cdn-example): update dependencies to latest versions'
+          title: 'chore(cdn-example): update dependencies to latest versions'
+          body: |
+            This PR automatically updates the CDN example dependencies to their latest versions.
+
+            🤖 This PR was automatically generated automatically, beep boop
+          branch: automated/update-cdn-dependencies
+          delete-branch: true
+          labels: |
+            dependencies
+            automated
diff --git a/examples/graphiql-cdn/index.html b/examples/graphiql-cdn/index.html
index 42325f7171..25405fbf51 100644
--- a/examples/graphiql-cdn/index.html
+++ b/examples/graphiql-cdn/index.html
@@ -48,10 +48,10 @@
     <script type="importmap">
       {
         "imports": {
-          "react": "https://esm.sh/react@19.1.0",
-          "react/": "https://esm.sh/react@19.1.0/",
-          "react-dom": "https://esm.sh/react-dom@19.1.0",
-          "react-dom/": "https://esm.sh/react-dom@19.1.0/",
+          "react": "https://esm.sh/react@19.2.0",
+          "react/": "https://esm.sh/react-dom@19.2.0/",
+          "react-dom": "https://esm.sh/react-dom@19.2.0",
+          "react-dom/": "https://esm.sh/react-dom@19.2.0/",
           "graphiql": "https://esm.sh/graphiql@5.2.0?standalone&external=react,react-dom,@graphiql/react,graphql",
           "graphiql/": "https://esm.sh/graphiql@5.2.0/",
           "@graphiql/plugin-explorer": "https://esm.sh/@graphiql/plugin-explorer@5.1.1?standalone&external=react,@graphiql/react,graphql",
@@ -61,11 +61,11 @@
           "@emotion/is-prop-valid": "data:text/javascript,"
         },
         "integrity": {
-          "https://esm.sh/react@19.1.0": "sha384-C3ApUaeHIj1v0KX4cY/+K3hQZ/8HcAbbmkw1gBK8H5XN4LCEguY7+A3jga11SaHF",
-          "https://esm.sh/react-dom@19.1.0": "sha384-CKiqgCWLo5oVMbiCv36UR0pLRrzeRKhw1jFUpx0j/XdZOpZ43zOHhjf8yjLNuLEy",
+          "https://esm.sh/react@19.2.0": "sha384-nOZt6fKb998R5rObOHPrlA6K4MfsPJA1SM1RF6XLKrCs7R7DRWe1QMpy9pFMCd7u",
+          "https://esm.sh/react-dom@19.2.0": "sha384-g9QErJ4ghsQsmmARwwncWld1ANkSBgPJme9hzmI2Vmq4+iZDrt3tq9hu1iwQI2xG",
           "https://esm.sh/graphiql@5.2.0": "sha384-iJccq+zsT06wL6UQ27mjQ6OoghntU/ZdWkOmza8f/iD4hVJXQOgZeH/230Pm2y3V",
           "https://esm.sh/graphiql@5.2.0?standalone&external=react,react-dom,@graphiql/react,graphql": "sha384-32Vv0P2Qy9UWdE0/n9/nFmGh8tM5/vMgpAarsa+UdD6So+aS6DVBQZDIjS2lU52e",
-          "https://esm.sh/@graphiql/plugin-explorer": "sha384-OLBgp1GsljhM2TJ+sbHjaiH9txEUvgdDTAzHv2P24donTt6/529l+9Ua0vFImLlb",
+          "https://esm.sh/@graphiql/plugin-explorer@5.1.1": "sha384-KrkvikOOZWjeIeO92D9EDOJQQ7QI7LQPDQrBqloLwTVOz4jNXTPfYA1PYOpI8/UI",
           "https://esm.sh/@graphiql/react@0.37.1?standalone&external=react,react-dom,graphql,@graphiql/toolkit,@emotion/is-prop-valid": "sha384-vbrVVt6MhT20iaS0B9nwXO210Cix1sSiP+RyMEdFGEj5ZHbXJz96XxtckeWTrnkd",
           "https://esm.sh/@graphiql/toolkit@0.11.3?standalone&external=graphql": "sha384-ZsnupyYmzpNjF1Z/81zwi4nV352n4P7vm0JOFKiYnAwVGOf9twnEMnnxmxabMBXe",
           "https://esm.sh/graphql@16.11.0": "sha384-uhRXaGfgCFqosYlwSLNd7XpDF9kcSUycv5yVbjjhH5OrE675kd0+MNIAAaSc+1Pi"
@@ -104,3 +104,4 @@
     </div>
   </body>
 </html>
+
diff --git a/resources/index.html.template b/resources/index.html.template
new file mode 100644
index 0000000000..14715483f8
--- /dev/null
+++ b/resources/index.html.template
@@ -0,0 +1,82 @@
+<!--
+ *  Copyright (c) 2025 GraphQL Contributors
+ *  All rights reserved.
+ *
+ *  This source code is licensed under the license found in the
+ *  LICENSE file in the root directory of this source tree.
+-->
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>GraphiQL 5 with React 19 and GraphiQL Explorer</title>
+    <style>
+      body {
+        margin: 0;
+      }
+
+      #graphiql {
+        height: 100dvh;
+      }
+
+      .loading {
+        height: 100%;
+        display: flex;
+        align-items: center;
+        justify-content: center;
+        font-size: 4rem;
+      }
+    </style>
+    <link
+      rel="stylesheet"
+      href="{{GRAPHIQL_CSS_URL}}"
+      integrity="{{GRAPHIQL_CSS_INTEGRITY}}"
+      crossorigin="anonymous"
+    />
+    <link
+      rel="stylesheet"
+      href="{{PLUGIN_EXPLORER_CSS_URL}}"
+      integrity="{{PLUGIN_EXPLORER_CSS_INTEGRITY}}"
+      crossorigin="anonymous"
+    />
+    <!--
+     * Note:
+     * The ?standalone flag bundles the module along with all of its `dependencies`, excluding `peerDependencies`, into a single JavaScript file.
+     * `@emotion/is-prop-valid` is a shim to remove the console error ` module "@emotion /is-prop-valid" not found`. Upstream issue: https://github.com/motiondivision/motion/issues/3126
+    -->
+    <script type="importmap">
+{{IMPORTMAP}}
+    </script>
+    <script type="module">
+      import React from 'react';
+      import ReactDOM from 'react-dom/client';
+      import { GraphiQL, HISTORY_PLUGIN } from 'graphiql';
+      import { createGraphiQLFetcher } from '@graphiql/toolkit';
+      import { explorerPlugin } from '@graphiql/plugin-explorer';
+      import 'graphiql/setup-workers/esm.sh';
+
+      const fetcher = createGraphiQLFetcher({
+        url: 'https://countries.trevorblades.com',
+      });
+      const plugins = [HISTORY_PLUGIN, explorerPlugin()];
+
+      function App() {
+        return React.createElement(GraphiQL, {
+          fetcher,
+          plugins,
+          defaultEditorToolsVisibility: true,
+        });
+      }
+
+      const container = document.getElementById('graphiql');
+      const root = ReactDOM.createRoot(container);
+      root.render(React.createElement(App));
+    </script>
+  </head>
+  <body>
+    <div id="graphiql">
+      <div class="loading">Loading…</div>
+    </div>
+  </body>
+</html>

From bc4c6ee94cef32af9e213881675f07978ed2f828 Mon Sep 17 00:00:00 2001
From: Mark Larah <mark@larah.me>
Date: Mon, 27 Oct 2025 08:40:22 -0500
Subject: [PATCH 3/7] Trim update-cdn-example.yml workflow

---
 .github/workflows/update-cdn-example.yml | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/update-cdn-example.yml b/.github/workflows/update-cdn-example.yml
index e3b5991401..fb30a4189f 100644
--- a/.github/workflows/update-cdn-example.yml
+++ b/.github/workflows/update-cdn-example.yml
@@ -5,8 +5,6 @@ on:
     # Run every Monday at 10:00 UTC
     - cron: '0 10 * * 1'
   workflow_dispatch: # Allow manual triggering
-  repository_dispatch:
-    types: [update-cdn-dependencies]
 
 permissions:
   contents: write
@@ -26,11 +24,8 @@ jobs:
         with:
           node-version: '22'
 
-      - name: Install Dependencies
-        run: npm install -g npm-check-updates semver
-
-      - name: Check for Updates and Update index.html
-        id: update
+      - name: Generate index.html
+        id: generate
         run: |
           node .github/scripts/update-cdn-versions.mjs > examples/graphiql-cdn/index.html
 
@@ -54,7 +49,7 @@ jobs:
             This PR automatically updates the CDN example dependencies to their latest versions.
 
             🤖 This PR was automatically generated automatically, beep boop
-          branch: automated/update-cdn-dependencies
+          branch: automated/update-cdn-example-dependencies
           delete-branch: true
           labels: |
             dependencies

From 5ce84f31241a607a6fa2dcc4f92cdee7b31a1c1c Mon Sep 17 00:00:00 2001
From: Mark Larah <mark@larah.me>
Date: Mon, 27 Oct 2025 08:43:44 -0500
Subject: [PATCH 4/7] trigger for releases

---
 .github/workflows/update-cdn-example.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/update-cdn-example.yml b/.github/workflows/update-cdn-example.yml
index fb30a4189f..59b762b58f 100644
--- a/.github/workflows/update-cdn-example.yml
+++ b/.github/workflows/update-cdn-example.yml
@@ -5,6 +5,8 @@ on:
     # Run every Monday at 10:00 UTC
     - cron: '0 10 * * 1'
   workflow_dispatch: # Allow manual triggering
+  release:
+    types: [released]
 
 permissions:
   contents: write

From e3f35f7dee1d8c091cef0f0611c9b8f67f80312c Mon Sep 17 00:00:00 2001
From: Mark Larah <mark@larah.me>
Date: Mon, 27 Oct 2025 09:00:55 -0500
Subject: [PATCH 5/7] tidy up .github/scripts/update-cdn-versions.mjs

---
 .github/scripts/update-cdn-versions.mjs | 48 +++++++++++++++++--------
 1 file changed, 34 insertions(+), 14 deletions(-)

diff --git a/.github/scripts/update-cdn-versions.mjs b/.github/scripts/update-cdn-versions.mjs
index b81e045b90..060b5ff582 100644
--- a/.github/scripts/update-cdn-versions.mjs
+++ b/.github/scripts/update-cdn-versions.mjs
@@ -18,16 +18,14 @@ const PACKAGES = [
   'graphql',
 ];
 
-async function fetchIntegrityHash(url) {
-  const response = await fetch(url, { redirect: 'follow' });
-  if (!response.ok) {
-    throw new Error(`Failed to fetch ${url}: ${response.statusText}`);
-  }
-  const content = await response.text();
-  const hash = crypto.createHash('sha384').update(content).digest('base64');
-  return [url, `sha384-${hash}`];
-}
-
+/**
+ * Given the name of an npm package, return a tuple of: [name, latest version]
+ *
+ * @example
+ *
+ *   fetchLatestVersion('left-pad')
+ *   => ['left-pad', '1.0.1']
+ */
 async function fetchLatestVersion(packageName) {
   const url = `https://registry.npmjs.org/${packageName}/latest`;
   const response = await fetch(url);
@@ -38,6 +36,24 @@ async function fetchLatestVersion(packageName) {
   return [packageName, version]
 }
 
+/**
+ * Given the url of a file, return a tuple of: [url, sha384]
+ *
+ * @example
+ *
+ *   fetchLatestVersion('https://esm.sh/left-pad/lib/index.js')
+ *   => ['https://esm.sh/left-pad/lib/index.js', 'sha-384-deadbeef123']
+ */
+async function fetchIntegrityHash(url) {
+  const response = await fetch(url, { redirect: 'follow' });
+  if (!response.ok) {
+    throw new Error(`Failed to fetch ${url}: ${response.statusText}`);
+  }
+  const content = await response.text();
+  const hash = crypto.createHash('sha384').update(content).digest('base64');
+  return [url, `sha384-${hash}`];
+}
+
 async function main () {
   const versions = Object.fromEntries(await Promise.all(PACKAGES.map(fetchLatestVersion)));
   const cdnUrl = packageName => `https://esm.sh/${packageName}@${versions[packageName]}`;
@@ -68,24 +84,28 @@ async function main () {
     cdnUrl('graphql'),
   ].map(fetchIntegrityHash)));
 
-  const importMap = { imports, integrity };
+  let importMap = JSON.stringify({ imports, integrity }, null, 2);
 
   // CSS
   const graphiqlCss = `${cdnUrl('graphiql')}/dist/style.css`;
+  const graphiqlCssHash = (await fetchIntegrityHash(graphiqlCss))[1];
   const graphiqlPluginExplorer = `${cdnUrl('@graphiql/plugin-explorer')}/dist/style.css`;
+  const graphiqlPluginExplorerHash = (await fetchIntegrityHash(graphiqlPluginExplorer))[1];
 
   // Generate index.html
   const templatePath = path.join(import.meta.dirname, '../../resources/index.html.template');
   const template = fs.readFileSync(templatePath, 'utf8');
 
+  // Indent import map to be correctly formatted in index.html
   const indent = lines => lines.split('\n').map(line => `      ${line}`).join('\n');
+  importMap = indent(importMap);
 
   const output = template
-    .replace('{{IMPORTMAP}}', indent(JSON.stringify(importMap, null, 2)))
+    .replace('{{IMPORTMAP}}', importMap)
     .replace('{{GRAPHIQL_CSS_URL}}', graphiqlCss)
-    .replace('{{GRAPHIQL_CSS_INTEGRITY}}', (await fetchIntegrityHash(graphiqlCss))[1])
+    .replace('{{GRAPHIQL_CSS_INTEGRITY}}', graphiqlCssHash)
     .replace('{{PLUGIN_EXPLORER_CSS_URL}}', graphiqlPluginExplorer)
-    .replace('{{PLUGIN_EXPLORER_CSS_INTEGRITY}}', (await fetchIntegrityHash(graphiqlPluginExplorer))[1]);
+    .replace('{{PLUGIN_EXPLORER_CSS_INTEGRITY}}', graphiqlPluginExplorerHash);
 
   console.log(output);
 }

From 5cd5ae532429b2c17cb9669e024c5ed5b1336e5a Mon Sep 17 00:00:00 2001
From: Mark Larah <mark@larah.me>
Date: Mon, 27 Oct 2025 09:01:58 -0500
Subject: [PATCH 6/7] Update update-cdn-versions.mjs

---
 .github/scripts/update-cdn-versions.mjs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/scripts/update-cdn-versions.mjs b/.github/scripts/update-cdn-versions.mjs
index 060b5ff582..38aeaf3560 100644
--- a/.github/scripts/update-cdn-versions.mjs
+++ b/.github/scripts/update-cdn-versions.mjs
@@ -42,7 +42,7 @@ async function fetchLatestVersion(packageName) {
  * @example
  *
  *   fetchLatestVersion('https://esm.sh/left-pad/lib/index.js')
- *   => ['https://esm.sh/left-pad/lib/index.js', 'sha-384-deadbeef123']
+ *   => ['https://esm.sh/left-pad/lib/index.js', 'sha384-deadbeef123']
  */
 async function fetchIntegrityHash(url) {
   const response = await fetch(url, { redirect: 'follow' });

From d3f1bb6fa841e2e7fd4fe86cb622d109f682fc04 Mon Sep 17 00:00:00 2001
From: Mark Larah <mark@larah.me>
Date: Mon, 27 Oct 2025 09:04:40 -0500
Subject: [PATCH 7/7] update workflow deps

---
 .github/workflows/update-cdn-example.yml | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/update-cdn-example.yml b/.github/workflows/update-cdn-example.yml
index 59b762b58f..fff13b5079 100644
--- a/.github/workflows/update-cdn-example.yml
+++ b/.github/workflows/update-cdn-example.yml
@@ -18,13 +18,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - name: Checkout Code
-        uses: actions/checkout@v4
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
+      - uses: actions/checkout@v5
+      - uses: actions/setup-node@v6
         with:
-          node-version: '22'
+          node-version: 22
 
       - name: Generate index.html
         id: generate