aoc/RELEASE_NOTES_v1.7.13.md
Tomas Kracmar 35eca65234
v1.7.13: switch Alpine.js to CSP build, remove unsafe-eval from CSP
2026-04-27 16:08:34 +02:00

AOC v1.7.13 Release Notes

Release Date: 2026-04-27

Security Hardening: Alpine.js CSP Build

This release removes unsafe-eval from the Content-Security-Policy by switching the frontend to Alpine.js's CSP-compatible build.

Changes

  • Frontend: Switched from alpinejs@3.x.x/dist/cdn.min.js to alpinejs@3.x.x/dist/csp.min.js
  • Frontend: Added explicit Alpine.start() call on DOMContentLoaded (required by CSP build)
  • Backend CSP: Removed 'unsafe-eval' from script-src directive
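The backend change above is a one-keyword edit to the script-src directive, but whether a policy still permits eval depends on more than that keyword: script-src falls back to default-src when absent, a repeated directive is ignored after its first occurrence, and 'wasm-unsafe-eval' does not unlock JavaScript eval. The following is an added example, not code from the AOC project, that parses a CSP header and answers that question; the two header strings and the https://cdn.example origin are constructed for illustration and are not the policy AOC sends.

```javascript
// Added example, not code from the AOC project: a small CSP parser that answers
// "does this policy still let scripts call eval() / new Function()?". The two
// header strings below are constructed for illustration, not AOC's real policy.

// Split a Content-Security-Policy header into a directive -> source list map.
// A directive that appears twice is ignored after its first occurrence, so the
// first one wins here as well.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// True when eval-style code generation is permitted. script-src governs it;
// when script-src is absent the browser falls back to default-src, and when
// neither is present nothing restricts scripts at all. 'wasm-unsafe-eval'
// only unlocks WebAssembly compilation, not JavaScript eval, so it is not counted.
function scriptSrcAllowsEval(header) {
  const d = parseCsp(header);
  const sources = d.get("script-src") ?? d.get("default-src");
  if (sources === undefined) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Constructed before/after policies mirroring the shape of this release's change.
const CSP_BEFORE = "default-src 'self'; script-src 'self' https://cdn.example 'unsafe-eval'; object-src 'none'";
const CSP_AFTER  = "default-src 'self'; script-src 'self' https://cdn.example; object-src 'none'";

console.log("before:", scriptSrcAllowsEval(CSP_BEFORE)); // true
console.log("after: ", scriptSrcAllowsEval(CSP_AFTER));  // false
```

Run the check against the header the backend actually emits (for example from a curl -I of the deployed app) rather than against the source, so that a proxy or middleware re-adding the keyword is caught too.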

Why this matters

The v1.7.11 and v1.7.12 releases included 'unsafe-eval' in the CSP because the standard Alpine.js CDN build compiles directive expressions with new Function() at runtime, which a policy without 'unsafe-eval' blocks. The CSP build does no runtime code generation, so the keyword can be dropped. That closes the eval-based code-execution path: an attacker-controlled string that reaches a directive or another eval sink can no longer be compiled into script, which further hardens the application against XSS and injection attacks. The remaining script-src sources are unchanged by this release and still decide which script origins may load.

Compatibility

The CSP build replaces the Function-based evaluator with one that resolves property paths and method names on the component's scope instead of parsing arbitrary JavaScript, so directives that bind to data properties or call component methods behave as before. It does not support inline JavaScript expressions or inline object literals in x-data; those have to be registered through Alpine.data(). All directives used in this application (x-data, x-init, x-show, x-text, x-for, x-if, x-model, event handlers) stay within that supported subset and continue to work unchanged.
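To make the difference between the two evaluators concrete, here is an added example that is not code from Alpine.js or the AOC project. It models the standard build's use of new Function() beside a code-free lookup of the kind the CSP build performs, and feeds both a directive string an attacker controls. The component scope, the attacker string, and the exact subset the safe evaluator accepts (an optionally negated dotted path of own properties, with a trailing method call) are assumptions made for this illustration; what the real CSP build accepts beyond property and method references depends on the Alpine version.

```javascript
// Added example, not code from Alpine.js or the AOC project: two evaluators for
// directive-style expressions, one modelled on the standard build's use of
// new Function() and one modelled on the CSP build's code-free lookup. The
// component scope and the attacker string are constructed for this illustration.

// A constructed component scope of the kind an Alpine.data() component exposes.
function makeScope() {
  return {
    open: false,
    user: { name: "alice" },
    count: 2,
    increment() { this.count += 1; return this.count; },
  };
}

// Standard-build style: the directive string becomes source code. Under a CSP
// whose script-src lacks 'unsafe-eval' the browser refuses this call with an
// EvalError; outside the browser (Node) it runs, which is what the demo shows.
function evalWithFunction(scope, expression) {
  return new Function("scope", `with (scope) { return (${expression}); }`)(scope);
}

// CSP-build style: no code generation at all. Only an optionally negated dotted
// path of own properties is accepted, and a function at the end of the path is
// called as a component method. Anything else is rejected, never compiled.
const PATH = /^!?[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function evalSafely(scope, expression) {
  const expr = expression.trim();
  if (!PATH.test(expr)) throw new Error(`unsupported expression: ${expr}`);
  const negate = expr.startsWith("!");
  let value = scope;
  for (const seg of (negate ? expr.slice(1) : expr).split(".")) {
    // Own-property check: prototype members such as `constructor` are unreachable.
    if (value === null || typeof value !== "object" || !Object.prototype.hasOwnProperty.call(value, seg)) {
      throw new Error(`unknown property: ${seg}`);
    }
    value = value[seg];
  }
  if (typeof value === "function") value = value.call(scope);
  return negate ? !value : value;
}

// Attacker-controlled string landing in a directive. Through new Function() it
// climbs from a data property to the Function constructor and runs as code.
const PAYLOAD = "open.constructor.constructor('return 6*7')()";

function demo() {
  const unsafe = evalWithFunction(makeScope(), PAYLOAD); // 42: the string ran
  let safe;
  try {
    evalSafely(makeScope(), PAYLOAD);
  } catch (e) {
    safe = e.message;                                     // rejected, nothing ran
  }
  return { unsafe, safe };
}

console.log(demo());
```

The same rejection applies to an inline object literal such as x-data="{ open: false }": the safe evaluator has no way to build an object from text, which is why such data has to move into Alpine.data() when switching builds.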

Files Changed

File                          Change
backend/frontend/index.html   Alpine.js src → csp.min.js; added Alpine.start()
backend/main.py               Removed 'unsafe-eval' from script-src CSP
VERSION                       Bumped to 1.7.13

Test Results

  • 80/80 pytest tests passing
  • Ruff lint/format clean