docs: gate htmx-nonce + strict style-src behind a min-version note#1779
Merged
Conversation
Fixes #1778. Both opt-ins were documented in the same wave that introduced them, but the released packages don't yet carry the required code: - @alltuner/vibetuner@10.10.0 transitively pulls htmx.org@4.0.0-beta2, which has no hx-nonce.js — bundler errors on the import. - vibetuner==10.10.0 predates the style_src_strict field; pydantic's extra="ignore" silently swallows the env var. Both fix themselves once 10.11.0 ships, but until then the docs mislead users on the current release. Add an admonition + inline note in development-guide.md, llms-full.txt, and llms.txt so the version requirement is unmissable. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
davidpoblador
pushed a commit
that referenced
this pull request
May 11, 2026
🤖 I have created a release *beep* *boop* --- ## [10.11.0](v10.10.0...v10.11.0) (2026-05-11) ### Features * **htmx:** prepare framework templates for hx-nonce extension ([#1773](#1773)) ([16137e8](16137e8)) * **security:** add CSP_STYLE_SRC_STRICT to drop 'unsafe-inline' from style-src ([#1774](#1774)) ([3f74886](3f74886)) ### Bug Fixes * **deps:** update dependency htmx.org to v4.0.0-beta3 ([#1770](#1770)) ([d21d883](d21d883)) ### Documentation Updates * gate htmx-nonce + strict style-src behind a min-version note ([#1779](#1779)) ([bc6d365](bc6d365)) * **htmx:** document beta3 features and correct migration guide ([#1771](#1771)) ([2921dbc](2921dbc)) * put htmx Nonce Protection before Strict style-src ([#1775](#1775)) ([d1254c9](d1254c9)) * sync llms.txt, llms-full.txt, and frontend rules with htmx beta3 ([#1776](#1776)) ([b486470](b486470)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). --------- Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #1778.
Summary
Both htmx-nonce and
CSP_STYLE_SRC_STRICTwere documented in the same wave that introduced them (#1773, #1774, #1776), but they don't yet work on a freshly scaffolded project today because the released packages predate those PRs:@alltuner/vibetuner@10.10.0on npm pullshtmx.org@4.0.0-beta2, which doesn't shipdist/ext/hx-nonce.js. The bundler fails withCould not resolve "./node_modules/htmx.org/dist/ext/hx-nonce.js".vibetuner==10.10.0on PyPI predates thestyle_src_strictsettings field. Pydantic'sextra="ignore"swallowsCSP_STYLE_SRC_STRICTsilently; the CSP header keeps emitting'unsafe-inline'.Both self-resolve as soon as release-please cuts 10.11.0. Until then, point readers at the version requirement so they don't burn time debugging.
This adds:
development-guide.mdcalling out the minimum version and the failure mode users will see.llms-full.txtandllms.txt, since those are LLM-targeted and need to be self-contained.No framework code changes. Confirmed during the post-merge smoke test (issue #1778) that with the framework installed editable from
main, both opt-ins work end-to-end: strict CSP becomesstyle-src 'self' 'nonce-…', the bundle build succeeds, andhtmx:security:strip/htmx:security:violationidentifiers all appear inbundle.js.Test plan
rumdllint passes (pre-commit)🤖 Generated with Claude Code