Adding support for nonces was a breaking change

[aredridel]

Upgrading to blankie supporting nonces, since they're emitted by default, this makes unsafe-inline no longer function due to the restrictions on script-src and style-src with nonces present, so upgrading to this version of the module will disable previously working unsafe-inline.

[nlf]

oh dang, you're right. that's my fault.

so, my thought to fix this is i deprecate the version of blankie that added nonces and republish under a new major. in addition to that i'll add to the documentation that unsafe-inline doesn't work when nonces are enabled. i'll also add a check to the joi validator that will prevent users from accidentally setting both options.

i do feel like nonces should stay enabled by default, so i'll be leaving that alone. seems to make more sense (to me, at least) to require users to explicitly disable them where they're using unsafe-inline.

sound ok to you?

[aredridel]

Yeah, that makes sense!

Mere deprecation won't fix it -- npm will still resolve to deprecated versions. I'd publish a version with that reverted under the old major (1.3.0? 1.2.x?) and then make the one with it as 2.0.0.

[aredridel]

or, smallest change: make the default false in 1.x, and true in 2.x

[nlf]

ok, done

• 1.2.0 deprecated
• 1.3.1 published with generateNonces defaulting to false (not 1.3.0 because i forgot to update the readme and i was too lazy to fix tags)
• 2.0.0 published with generateNonces defaulting to true and scriptSrc not allowing 'unsafe-inline' when generateNonces is true

next major version will be finally updating this thing to es6!

[aredridel]

Oh awesome! Thank you! We rolled out our workaround this morning, and will probably roll out 2.0.0 shortly.