fix(security): support nonce in streaming SSR #3852

Merged
merged 2 commits into from
Jun 6, 2023
Conversation

@zllkjc (Member) commented Jun 6, 2023

Summary

🤖 Generated by Copilot at 0e55800

This pull request adds support for using nonce in streaming server-side rendering (SSR) with nested routes. nonce is a security attribute that helps prevent cross-site scripting attacks. The pull request updates the @modern-js/runtime and @modern-js/utils packages and modifies the files DeferredDataScripts.node.tsx, plugin.node.tsx, and nestedRoutes.tsx.

Details

🤖 Generated by Copilot at 0e55800

  • Add a changeset file to describe the patch updates for @modern-js/runtime and @modern-js/utils packages, which fix the nonce support in streaming SSR
  • Modify the @modern-js/runtime package to accept and pass the nonce prop to the components and script elements that are responsible for rendering the deferred data scripts for the nested routes in streaming SSR
  • Modify the routerPlugin function in the @modern-js/runtime package to extract the nonce value from the ssrContext object and pass it to the DeferredDataComponent parameter of the renderNestedRoute function
  • Modify the renderNestedRoute function in the @modern-js/utils package to accept and render the DeferredDataComponent parameter, which can be a function that takes the nonce prop

Related Issue

Checklist

  • I have added changeset via pnpm run change.
  • I have updated the documentation.
  • I have added tests to cover my changes.
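
The nonce propagation this pull request describes, as an added example that is not code from the pull request or from Modern.js: one per-response nonce goes into the CSP header and onto every inline script, including the deferred data scripts flushed later in the stream. All function names and `window.__resolveDeferred` are hypothetical, and the stream content is constructed.

```javascript
// Added illustration; none of these names are Modern.js APIs.
const { randomBytes } = require('node:crypto');

// One fresh, unpredictable nonce per response; it goes in the CSP header
// and on every inline script the server emits for that response.
const makeNonce = () => randomBytes(16).toString('base64');
const cspHeader = (nonce) => `script-src 'self' 'nonce-${nonce}'`;

// Serialize loader data for an inline script; escaping "<" keeps a value
// such as "</script>" from terminating the element early.
const safeJson = (value) => JSON.stringify(value).replace(/</g, '\\u003c');

// Inline script flushed later in the stream when a deferred loader resolves.
// Leaving the nonce attribute off is the failure mode: under a nonce-based
// CSP the browser blocks the script and the deferred data never arrives.
function deferredDataScript(routeId, data, nonce) {
  const attr = nonce ? ` nonce="${nonce}"` : '';
  const body = `window.__resolveDeferred(${safeJson(routeId)},${safeJson(data)})`;
  return `<script${attr}>${body}</script>`;
}

// Constructed stream: the shell first, then one chunk per resolved loader.
function* renderStream(nonce, passNonceToDeferred = true) {
  yield `<div id="root">loading</div><script nonce="${nonce}">window.__boot=1</script>`;
  const n = passNonceToDeferred ? nonce : undefined;
  yield deferredDataScript('user/profile', { name: 'a</script>b' }, n);
  yield deferredDataScript('user/feed', [1, 2, 3], n);
}

// Regression check: list inline scripts whose nonce is absent or different
// from the one announced in the CSP header.
function scriptsMissingNonce(html, nonce) {
  const missing = [];
  for (const [tag, attrs] of html.matchAll(/<script\b([^>]*)>/gi)) {
    if (/\bsrc\s*=/i.test(attrs)) continue; // external scripts fall under 'self' here
    const m = /\bnonce="([^"]*)"/i.exec(attrs);
    if (!m || m[1] !== nonce) missing.push(tag);
  }
  return missing;
}

const nonce = makeNonce();
const fixed = [...renderStream(nonce)].join('');
const broken = [...renderStream(nonce, false)].join('');
console.log(cspHeader(nonce));
console.log('nonce passed down, unmarked scripts:', scriptsMissingNonce(fixed, nonce).length);
console.log('nonce not passed down, unmarked scripts:', scriptsMissingNonce(broken, nonce).length);
```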


changeset-bot bot commented Jun 6, 2023

🦋 Changeset detected

Latest commit: 0e55800

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 215 packages
Name Type
@modern-js/runtime Patch
@modern-js/utils Patch
@modern-js/plugin-bff Patch
@modern-js/plugin-storybook Patch
@modern-js/plugin-tailwindcss Patch
@modern-js/plugin-garfish Patch
@modern-js/plugin-router-v5 Patch
@modern-js/plugin-testing Patch
@integration-test/alias-set Patch
api-service-koa Patch
app-docmuent Patch
async-entry-test Patch
bff-express Patch
bff-koa Patch
builder-rspack Patch
integration-clean-dist-path Patch
composes-basic Patch
composes-external Patch
dev-module Patch
global-module Patch
prod-module Patch
css Patch
antd-less Patch
bad-nested-npm-import Patch
bad-npm-import Patch
base-import Patch
disable-source-map Patch
exclude-less Patch
exclude-sass Patch
import-common-css Patch
less-import Patch
less-inline-js Patch
less-npm-import Patch
multi-css Patch
multi-less Patch
multi-sass Patch
nested-npm-import Patch
npm-import Patch
integration-tailwindcss-v2 Patch
integration-tailwindcss-v3 Patch
twin-macro-v2 Patch
twin-macro-v3 Patch
css-modules Patch
integration-custom-render Patch
integration-custom-template Patch
dev-server Patch
legacy-esbuild-minify-js Patch
esbuild-transform-and-minify Patch
@cypress-test/garfish-dashboard-router-v6 Patch
@cypress-test/garfish-dashboard Patch
@cypress-test/garfish-main-router-v6 Patch
@cypress-test/garfish-main-rspack Patch
@cypress-test/garfish-main Patch
@cypress-test/garfish-table Patch
tmp Patch
nonce Patch
routes Patch
file-based-router Patch
use-loader Patch
select-mul-entry-test Patch
select-one-entry-test Patch
server-config Patch
server-middleware Patch
server-hook-reqeust Patch
server-hook-response Patch
server-hook-router Patch
@integration-test/server-hook-reqeust Patch
server-prod Patch
ssg-fixtures-nested-routes Patch
ssg-fixtures-simple Patch
ssg-fixtures-web-server Patch
ssr-base-json-test Patch
ssr-base-test Patch
init Patch
ssr-streaming-test Patch
swc-minify-css Patch
swc-minify-js Patch
transform-fail Patch
tmp-dir Patch
worker-test Patch
write-to-dist Patch
@modern-js/babel-preset-app Patch
@modern-js/babel-preset-base Patch
@modern-js/babel-preset-lib Patch
@modern-js/core Patch
@modern-js/doc-core Patch
@modern-js/doc-plugin-auto-sidebar Patch
@modern-js/doc-plugin-medium-zoom Patch
@modern-js/doc-plugin-preview Patch
@modern-js/plugin-changeset Patch
@modern-js/plugin-data-loader Patch
@modern-js/plugin-i18n Patch
@modern-js/plugin-lint Patch
@modern-js/plugin-proxy Patch
@modern-js/plugin-ssg Patch
@modern-js/plugin-swc Patch
@modern-js/generator-common Patch
@modern-js/generator-plugin Patch
@modern-js/generator-utils Patch
@modern-js/new-action Patch
@modern-js/entry-generator Patch
@modern-js/repo-generator Patch
@modern-js/bff-core Patch
@modern-js/server-core Patch
@modern-js/create-request Patch
@modern-js/plugin-express Patch
@modern-js/plugin-koa Patch
@modern-js/plugin-polyfill Patch
@modern-js/plugin-server Patch
@modern-js/plugin-worker Patch
@modern-js/prod-server Patch
@modern-js/server Patch
@modern-js/server-utils Patch
@modern-js/builder-cli Patch
@modern-js/builder-rspack-provider Patch
@modern-js/builder-shared Patch
@modern-js/builder-webpack-provider Patch
@modern-js/builder Patch
@modern-js/builder-plugin-esbuild Patch
@modern-js/builder-plugin-image-compress Patch
@modern-js/builder-plugin-node-polyfill Patch
@modern-js/builder-plugin-stylus Patch
@modern-js/builder-plugin-swc-base Patch
@modern-js/builder-plugin-swc Patch
@modern-js/plugin-module-doc Patch
@modern-js/app-tools Patch
@modern-js/doc-tools Patch
@modern-js/module-tools Patch
@modern-js/monorepo-tools Patch
@modern-js/create Patch
@modern-js/e2e Patch
@modern-js/node-bundle-require Patch
@modern-js/plugin Patch
@modern-js/upgrade Patch
@modern-js/babel-compiler Patch
@scripts/vitest-config Patch
tests Patch
@e2e/builder-plugin-import Patch
@e2e/builder Patch
@modern-js-app/eslint-config Patch
@modern-js/main-doc Patch
@modern-js/module-tools-docs Patch
doc-plugin Patch
@modern-js/bff-generator Patch
@modern-js/dependence-generator Patch
@modern-js/doc-generator Patch
@modern-js/generator-generator Patch
@modern-js/module-generator Patch
@modern-js/module-test-generator Patch
@modern-js/monorepo-generator Patch
@modern-js/mwa-generator Patch
@modern-js/router-v5-generator Patch
@modern-js/rspack-generator Patch
@modern-js/ssg-generator Patch
@modern-js/storybook-generator Patch
@modern-js/test-generator Patch
@modern-js/upgrade-generator Patch
@modern-js/generator-plugin-plugin Patch
@modern-js/base-generator Patch
@modern-js/packages-generator Patch
@modern-js/server-generator Patch
@modern-js/tailwindcss-generator Patch
@scripts/update-codesmith Patch
@e2e/builder-cli-rspack Patch
@e2e/webpack-builder-image-compress Patch
@e2e/builder-cli-webpack Patch
@e2e/webpack-builder-css-modules Patch
integration-dev-asset-prefix Patch
integration-register-builder-plugins Patch
integration-copy-public-html Patch
integration-config-async-config-test Patch
integration-basic-local-config Patch
integration-config-function-params Patch
integration-local-config-function Patch
@modern-js/builder-doc Patch
@modern-js/doc-tools-doc Patch
simple-doc-template Patch
i18n-doc Patch
simple-doc-production Patch
@modern-js/plugin-module-babel Patch
@modern-js/plugin-module-banner Patch
@modern-js/plugin-module-import Patch
@modern-js/plugin-module-main-fields Patch
@modern-js/plugin-module-node-polyfill Patch
@modern-js/plugin-module-polyfill Patch
@modern-js/plugin-module-target Patch
@modern-js/remark-container Patch
integration-module-doc Patch
@modern-js/eslint-config Patch
@modern-js/generator-cases Patch
@modern-js/changeset-generator Patch
@modern-js/tsconfig Patch
@modern-js/bff-runtime Patch
@modern-js/types Patch
@scripts/build Patch
@scripts/check-changeset Patch
@scripts/codemod Patch
@scripts/jest-config Patch
@scripts/lint-package-json Patch
@scripts/prebundle Patch
integration-asset-prefix Patch
integration-builder-plugins Patch
integration-copy-assets Patch
doc-tools Patch
esbuild-integration Patch
integration-load-config Patch
runtime Patch
entry Patch
ssg Patch
ssr Patch
swc-integration Patch
@e2e/webpack-builder-import-antd-v4 Patch
@e2e/webpack-builder-import-antd-v5 Patch
@e2e/webpack-builder-import-arco Patch
@e2e/webpack-builder-node-polyfill Patch

@zllkjc zllkjc enabled auto-merge (squash) June 6, 2023 04:46

codecov bot commented Jun 6, 2023

Codecov Report

Patch coverage has no change and project coverage change: -0.14 ⚠️

Comparison is base (99693f0) 57.59% compared to head (0e55800) 57.45%.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3852      +/-   ##
==========================================
- Coverage   57.59%   57.45%   -0.14%     
==========================================
  Files         672      650      -22     
  Lines       17794    17494     -300     
  Branches     3876     3826      -50     
==========================================
- Hits        10249    10052     -197     
+ Misses       6934     6824     -110     
- Partials      611      618       +7     

see 299 files with indirect coverage changes


@zllkjc zllkjc merged commit e2848a2 into main Jun 6, 2023
@zllkjc zllkjc deleted the fix/nonce branch June 6, 2023 06:02
@caohuilin caohuilin mentioned this pull request Jun 8, 2023