Releases: slackhq/csp-html-webpack-plugin

Add webpack compilation object to processFn

12 Jan 18:11
  • #81 Adds the webpack compilation object to processFn, thanks to @samsaggace
  • #78 Updates the readme to clarify best practices on configuring the plugin

HTML Parsing Fixes

23 Dec 22:49

This release fixes a few outstanding issues around parsing HTML when adding the CSP meta tag to the HTML document.

  • #75 fixes issues with escaped HTML, respecting the xhtml option from html-webpack-plugin, and generating hashes for noscript style tags
  • #74 bumps node-notifier via dependabot to fix a security vulnerability

Deprecating webpack@2&3, html-webpack-plugin@2&3, Bumping deps

17 Dec 18:13
  • #64, #65, #66, #67 bumped dependencies from dependabot
  • #69 added webpack@5 as a peer dependency, thanks to @david-fong
  • #71 upgraded all deps in package.json to their latest versions
  • Deprecation: #72 deprecated webpack 2 and 3, and html-webpack-plugin 2 and 3, and set webpack@5 as the new package to test changes against

Node@8 deprecated, ability to overwrite default process function, bumped deps

09 Apr 17:13
  • #58: Added the ability to overwrite the default processFn method with a developer-defined one. This allows developers to interact with the built CSP however they need to, on a per-HtmlWebpackPlugin-instance basis.
  • #59: Bumps NPM dependencies to remove some GitHub-reported vulnerabilities. This also removed support for node@8, hence the major version bump.
  • #60: Removed an unnecessary codecov public token. The token has also been rotated.

Bumping NPM Deps

29 Oct 19:45
  • #47: Bumps NPM dependencies to remove some GitHub-reported vulnerabilities

Upgrading Deps again

30 Jul 22:46

#41 has upgraded all NPM dependencies to their latest versions to remove any vulnerabilities that may exist in those packages, as reported by GitHub.

Upgrading Dependencies to their latest version

18 Feb 16:43
  • Upgrading dependencies to their latest versions, which also fixes a vulnerability in a node module this package depends on: #34 (originally reported in #32, and originally fixed in #33 by @hvolschenk)
  • Removed an option from the README which no longer exists

v3 Release - Breaking changes included!

30 Jan 18:35

csp-html-webpack-plugin has officially been promoted to v3.

To see a list of all changes (and any breaking changes), please see the following release notes:

https://github.com/slackhq/csp-html-webpack-plugin/releases/tag/v3.0.0-beta.1
https://github.com/slackhq/csp-html-webpack-plugin/releases/tag/v3.0.0-beta.2

More fine grain control over when to allow hashes and nonces

03 Jan 21:33

A new breaking change has been introduced in this version of the CspHtmlWebpackPlugin:

  • devAllowUnsafe has been removed and replaced with 2 object configurations: hashEnabled and nonceEnabled.
    • These 2 objects accept <string, boolean> entries mapping a policy name to whether that policy should include hashes or nonces.

Setting hashes and nonces to false for both script-src and style-src should act the same way as setting the now-removed devAllowUnsafe to true.

Refactors, Features, and some small Breaking Changes

03 Jan 18:12

Breaking Changes:

  • disableCspPlugin in the HtmlWebpackPlugin options has been removed and replaced by cspPlugin.enabled, to be more in line with the enabled flag on the CspHtmlWebpackPlugin
  • Disabling the plugin in any way will now leave the original HTML untouched. Previously we attempted to look for an empty CSP policy meta tag and remove it; this is no longer done.

New Features:

  • Policies can now be defined on the HtmlWebpackPlugin instance via cspPlugin.policy, allowing individual policies to be created per HtmlWebpackPlugin
  • Nonce attributes will now be added to externally loaded scripts
  • If no CSP meta tag is defined, one will be added as the very first tag in the head of the document
  • strict-dynamic is now backwards compatible with CSP2 by ensuring it is the last defined source in a particular policy
  • Basic policy validations are now in place to ensure that all static sources are properly quoted