Description
Dear Zendesk Team,
we have an integration into Zendesk that includes a specific version of ZAF in the following way:
<script
id="zaf-sdk"
integrity="sha384-x+DMONHL5BGxlpfSXJ+v8DUZMGk+303t2BJCpdl/PJnePCjL2eHB6y9bA5V4dTsb"
crossorigin="anonymous"
src="https://static.zdassets.com/zendesk_app_framework_sdk/2.0.37/zaf_sdk.min.js"
></script>

As you can see, we are utilising the subresource integrity (SRI) attribute here to protect from untrusted code being loaded into our application.
While we are fine with occasionally having to manually upgrade the SDK version we include, we are absolutely not fine with the content of that version just silently changing from under us, which is what happened when you re-released v2.0.37 yesterday (changing the SHA-384 hash from x+DMONHL5BGxlpfSXJ+v8DUZMGk+303t2BJCpdl/PJnePCjL2eHB6y9bA5V4dTsb to 9EPbYTFD7Oxlnn4s2sg+mfMtqdTzc1mWRudXMR1EBd9dsUlyuDab2OvDWf0Jolsy).
So we kindly ask whether you could refrain from reusing version numbers in the future if at all possible?
Thanks,
Niels