experimental.sri: integrity mismatch blocks scripts when served via CDN/edge cache #91633

@quantizor

Link to the code that reproduces this issue

https://github.com/styled-components/styled-components-website

To Reproduce

  1. Enable experimental: { sri: { algorithm: 'sha256' } } in next.config.mjs
  2. Deploy to Vercel (or any CDN with edge caching)
  3. Load the site in a browser

Current vs. Expected behavior

Current: Browser blocks scripts with errors like:

Failed to find a valid digest in the 'integrity' attribute for resource
'https://styled-components.com/_next/static/chunks/turbopack-0w~tdqgwj6w-f.js'
with computed SHA-256 integrity 'AtgbquOIdxzkrCKl+OJ4ftygSY0ED3Ynyy6vxt1C468='.
The resource has been blocked.

Expected: Integrity hashes should match the served content, or SRI should account for CDN transformations (compression, encoding) that alter the byte stream between build-time hashing and browser receipt.

Provide environment information

Next.js 16.2.0 (Turbopack)
Node.js 22.x
Deployed on Vercel

Which area(s) are affected?

SRI / Security

Additional context

Likely related to #74147 and #74149. The hash is generated at build time against the raw chunk, but the CDN may serve a differently-encoded version (e.g., Brotli/gzip content-encoding differences, or edge transformations). Disabling experimental.sri resolves the issue.
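A diagnostic for this kind of mismatch, added here as an example (not code from the issue or from Next.js): it recomputes the SRI value for a served chunk and compares it with the `integrity` attribute. It assumes the comparison is made on the body after `Content-Encoding` is decoded; the function names and the sample chunk are constructed for illustration.

```javascript
const crypto = require('node:crypto');
const zlib = require('node:zlib');

// Compute an SRI value ("sha256-<base64>") over raw bytes.
function sriDigest(bytes, algorithm = 'sha256') {
  const b64 = crypto.createHash(algorithm).update(bytes).digest('base64');
  return `${algorithm}-${b64}`;
}

// Undo the Content-Encoding applied on the wire, yielding the bytes to hash.
function decodeBody(wire, contentEncoding) {
  switch ((contentEncoding || 'identity').toLowerCase()) {
    case 'gzip': return zlib.gunzipSync(wire);
    case 'br': return zlib.brotliDecompressSync(wire);
    case 'identity': return wire;
    default: throw new Error(`unsupported content-encoding: ${contentEncoding}`);
  }
}

// Compare a served response against the integrity attribute from the HTML.
function checkServedChunk(integrityAttr, wire, contentEncoding) {
  const body = decodeBody(wire, contentEncoding);
  // An integrity attribute may list several space-separated hashes.
  const candidates = integrityAttr.trim().split(/\s+/)
    .filter((c) => /^sha(256|384|512)-/.test(c));
  const computed = candidates.map((c) => sriDigest(body, c.split('-')[0]));
  const match = candidates.some((c, i) => c === computed[i]);
  return { match, computed, decodedLength: body.length };
}

// Constructed sample: one build-time chunk served three different ways.
function runDemo() {
  const builtChunk = Buffer.from('console.log("chunk built at deploy time");\n');
  const integrity = sriDigest(builtChunk); // value written at build time
  const rewritten = Buffer.concat([builtChunk, Buffer.from('/* edge */')]);
  return {
    gzip: checkServedChunk(integrity, zlib.gzipSync(builtChunk), 'gzip'),
    brotli: checkServedChunk(integrity, zlib.brotliCompressSync(builtChunk), 'br'),
    rewritten: checkServedChunk(integrity, rewritten, 'identity'),
  };
}

console.log(runDemo());
```

Under that assumption the gzip and Brotli responses still match, while any change to the decoded bytes (an edge rewrite, or a chunk from a different build than the HTML) does not, which narrows where to look when the browser reports a computed digest that differs from the attribute.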
