Imported ES modules can't currently have their integrity checked, and hence cannot run in environments that require Subresource Integrity or with `require-sri-for` CSP directives. This feature adds an `integrity` section to import maps, enabling developers to map ES module URLs to their integrity metadata, and ensure they only load when they match their expected hashes.
Since modules initiate requests, there is a need for the ability to specify the integrity of dependencies, and not just the top level <script type="module"> integrity which can be supported via traditional means. For specifiers like import 'pkg' that are controlled by import maps, the problem is that the import map is fully responsible for the resolved module and hence the integrity of the resolved module as well. Without a mechanism to specify integrity, it is not currently possible to use module dependencies with `require-sri-for` Content Security Policy where those module dependencies are loaded lazily so that the integrity cannot be set via the module script tag or link preload tag directly.
Explainers: https://github.com/guybedford/import-maps-extensions#integrity