ResourceLoader/Foreign resources

MediaWiki version:
Gerrit change 911307

Foreign resources are upstream frontend libraries registered in MediaWiki as ResourceLoader modules. They are defined a file called foreign-resources.yaml. This tracks the source and version of upstream projects currently in use.

In MediaWiki core, foreign resources are stored in the resources/lib/ directory. Extensions and skins can use the ForeignResourcesDir attribute in their extension.json/skin.json file to manage a similar directory.[1] That directory needs to contain a foreign-resources.yaml file. The manageForeignResources.php maintenance script can be used to install, update, or verify these resources.

Minified files Edit

You may use minified distribution files provided by the library, but in that case, the corresponding non-minified files must also be downloaded and committed, and they should be used when ResourceLoader debug mode is active. This is because of the requirements for Debian packages, and to improve the developer experience given the lack of support for source maps of external libraries. (related tasks: T217351, T257878, T346075)

How to install a foreign resource Edit

  1. Add or update the url(s) for the upstream module in foreign-resources.yaml.
    Look at other modules for examples. To install a module from npm, we use the tarball distribution from This is the same as what the npm CLI uses. For example, to install jquery-client@9.2.0, use
  2. If the upstream maintainers publish an integrity hash, set that as well.
    Otherwise, use manageForeignResources.php to compute the integrity hash. Run php manageForeignResources.php --extension <my extension name> make-sri <my module name> - this will download the specified file(s) and print their integrity hashes, already formatted in YAML, ready for copying to this file.
  3. Last but not least, decide where files go.
    If you specified a direct url to JavaScript or CSS file, this step is optional. See the corresponding documentation section below for more information and examples for dest keys. Once you've set any dest keys, run php manageForeignResources.php --extension <my extension name> update <my module name>.

foreign-resources.yaml format Edit

See resources/lib/foreign-resources.yaml for up-to-date documentation

Each top-level key must use one of these types:

  • file: For a plain file.
  • multi-file: For multiple plain files.
  • tar: For a tarball archive (file may be compressed).
  • doc-only: For documenting that a package is used, without managing it

Shared fields Edit

The following fields are shared by all package types:

  • license: SPDX license identifier
  • homepage: [optional] Homepage URL of library shown on Special:Version
  • version: [optional] Version string of library shown on Special:Version

The "file" type Edit

Besides the shared ones, the following fields are used:

  • src: Full URL to the remote resource.
  • integrity: SRI cryptographic hash.
  • dest: [optional] The file name to use in the module directory. Default: Basename of URL.

For example, the following would produce resources/lib/mymodule/x.js:

      type: file
      src: https://mymodule.example/1.2.3/x.js
      integrity: sha384-Je+NE+saisQuoi

The "multi-file" type Edit

Besides the shared ones, the following fields are used:

  • files: An object mapping destination paths to src and integrity keys.

For example:

      type: multi-file
          src: https://mymodule.example/1.2.3/x.js
          integrity: sha384-Je+NE+saisQuoi
          src: https://mymodule.example/1.2.3/x.css
          integrity: sha384-Je+NE+saisQuoi

The "tar" type Edit

Besides the shared ones, the following fields are used:

  • src: Full URL to the remote resource.
  • integrity: SRI cryptographic hash.
  • dest: [optional] The default is to extract all files from the package. To only extract some of the files or directories, use dest to specify files, directories, and/or glob patterns. You can use a site like to easily inspect an npm package, like This field can also be used to extract files to a subdirectory (by default the files and directories listed in dest are extracted to the module directory root).

For example:

      type: tar
      integrity: sha384-Je+NE+saisQuoi
        package/dist/style/*.css: themes

The above would extract the x.js file, the i18n directory (recursive), and any *.css files from the style directory. They will end up in mymodule/x.js, mymodule/i18n and mymodule/themes, respectively.

The "doc-only" type Edit

This type can be used for packages which are managed in some custom way (e.g. they require a manual build step). manageForeignResources.php will ignore these records, but they will still be shown on Special:Version. Only the shared fields are used.

Notes Edit

  1. Note that this is not a configuration global but a core attribute; changing $wgForeignResourcesDir doesn't achieve anything.