Update python Docker tag to v3.13 - autoclosed#3
Closed
renovate[bot] wants to merge 1 commit into
Closed
Conversation
davidpoblador
added a commit
that referenced
this pull request
May 30, 2026
## Summary Closes #1938. Smooths the four friction points the issue hit when adopting the htmx `hx-csp` extension under a strict (no `unsafe-eval`) CSP. ### 1. Re-export the extension (friction #1 + #2) - New `vibetuner-js/htmx-csp.js` + `"./htmx/csp"` export, mirroring the existing `htmx/preload`, `htmx/sse`, `htmx/live`. Projects now `import "@alltuner/vibetuner/htmx/csp";` with **no direct `htmx.org` devDependency** — which previously had to be pinned by hand and would drift from the framework's htmx the moment it bumped. - Verified the re-export bundles with bun (`htmx.registerExtension("hx-csp")` lands in the output). ### 2. `body_attrs` skeleton block (friction #4) - The `<body>` tag had no attribute hook, forcing a full skeleton override just to add the nonce. Added `{% block body_attrs %}` so projects stamp a **single inherited nonce**: `hx-nonce:inherited="{{ csp_nonce }}"`. Verified against the htmx 4 source that `:inherited` resolves `hx-nonce` from ancestors and the extension reads it via the same `attributeValue` path — so one stamp on `<body>` covers every htmx element. ### 3. `htmx_config` skeleton block (friction #3) - `htmx.config.safeEval` must be set before the extension's `init`, but ESM hoists imports so `htmx.config.safeEval = true` in `config.js` runs too late. The htmx-native fix is the `<meta name="htmx-config">` tag — **but** htmx reads that meta *synchronously when its script evaluates* (`#initHtmxConfig` in the constructor), not at DOMContentLoaded. The skeleton's `head` block renders *after* the bundle script, so it would be too late. - Added a dedicated `{% block htmx_config %}` positioned **just before** the bundle script, so a meta placed there is parsed first. Documented: ```jinja {% block htmx_config %} <meta name="htmx-config" content='extensions:"hx-csp",safeEval:true'> {% endblock htmx_config %} ``` ### 4. Docs - `development-guide.md`, `llms.txt`, `llms-full.txt` updated to the new import path, the `body_attrs` single-stamp pattern, and the `htmx_config`/meta safeEval approach. ## Testing - `test_skeleton_extension_points.py`: new `TestBodyAttrs` (renders inside `<body>`, empty by default) and `test_htmx_config_block_renders_before_bundle_js` (ordering invariant — the whole point of the block). - Full unit suite: **902 passed**. ruff, djlint, rumdl all clean (pre-commit green). `node --check` on the new JS, and a bun build of the re-export. ## Notes - Docs reference "added in 10.20.0" as the version that introduces the `@alltuner/vibetuner/htmx/csp` subpath (next minor after the just-released 10.19.0). - The existing explicit `hx-nonce` on `user/profile.html.jinja` is left as-is — harmless, and it inherits correctly whether or not a project sets `body_attrs`. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
3.12->3.13Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.