@scalar/express-api-reference

@scalar/express-api-reference - npm Package Compare versions

Comparing version
0.9.20
to
0.10.0
+18
-0
CHANGELOG.md
# @scalar/express-api-reference
## 0.10.0
### Minor Changes
- [#9422](https://github.com/scalar/scalar/pull/9422): Add a `nonce` option for Content Security Policy support.
When you pass a `nonce`, the rendered HTML stamps it onto the inline `<script>` and the CDN `<script>` tag (and Scalar's own `<style>` tags, plus a matching `<meta property="csp-nonce">`). This lets the API Reference run under a strict `script-src` with no `unsafe-inline` and no `unsafe-eval`.
```ts
import { ApiReference } from '@scalar/express-api-reference'

ApiReference({
  url: '/openapi.json',
  // Match this value in your `script-src` CSP directive.
  nonce: 'r4nd0m',
})
```
Note: `style-src` still needs `'unsafe-inline'`. The reference renders inline `style="…"` attributes, which a CSP nonce can never authorize (nonces only apply to `<script>`, `<style>` and `<link>` elements), so a nonce-only `style-src` is not possible. The win is a fully strict `script-src`.
## 0.9.20

@@ -4,0 +22,0 @@

+2
-2

@@ -19,5 +19,5 @@ import { renderApiReference } from '@scalar/client-side-rendering';

return (_, res) => {
const { cdn, pageTitle, ...config } = configuration;
res.type('text/html').send(renderApiReference({ config, pageTitle, cdn }));
const { cdn, pageTitle, nonce, ...config } = configuration;
res.type('text/html').send(renderApiReference({ config, pageTitle, cdn, nonce }));
};
}
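Review bot: `nonce` is destructured from `configuration`, which is captured once when the middleware is created, so the same nonce is served on every response and the request (`_`) is never consulted. A CSP nonce only protects when it is unpredictable and fresh per response; a fixed value that appears in every page, like the `'r4nd0m'` in the changelog example, can be reused by anyone who has seen one response. Consider accepting a per-request source (for example a function evaluated inside the handler, or a value read from `res.locals`) and documenting that a static string is only for demonstration.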

@@ -13,3 +13,3 @@ {

},
"version": "0.9.20",
"version": "0.10.0",
"engines": {

@@ -49,3 +49,3 @@ "node": ">=22"

"dependencies": {
"@scalar/client-side-rendering": "0.1.13"
"@scalar/client-side-rendering": "0.2.0"
},

@@ -52,0 +52,0 @@ "devDependencies": {